
security: mitigate urllib3 decompression-bomb bypass (CTO-4807) #301

Open

tech-sushant wants to merge 1 commit into main from security/urllib3-decompression-mitigation-CTO-4807

Conversation

@tech-sushant

Summary

  • GHSA-mf9v-mfxr-j63j flags a decompression-bomb safeguard bypass in urllib3 streaming code, fixed in urllib3 2.7.0.
  • urllib3 2.7.0 requires Python ≥ 3.10, but our CI matrix still includes 3.9 (dropping it isn't an option right now), so we can't bump the pin. See blocked dependabot PR build(deps): bump urllib3 from 2.6.3 to 2.7.0 #300.
  • This PR installs a runtime mitigation: force Accept-Encoding: identity on every outbound HTTP request. With no compressed responses ever arriving, urllib3's decompression path is never exercised → the bug can't trigger.
  • Added a new module EnigmaAutomation/security_mitigations.py and imported it once from EnigmaAutomation/__init__.py so the patch loads in every process (Django web, manage.py CLI, celery workers, pytest with DJANGO_SETTINGS_MODULE set).

How it works

```python
# requests.adapters.HTTPAdapter.send is wrapped to inject the header
request.headers["Accept-Encoding"] = "identity"
```
Every `requests.get/post/...` (and anything else built on `requests`, which is how urllib3 is pulled into this codebase) now negotiates an uncompressed response. Servers respect `identity` per RFC 9110.

Scope of impact

  • ⚠️ Outbound HTTP responses arrive uncompressed → slightly more bandwidth for endpoints that used to send gzip. Acceptable for an access-management service.
  • Caveat: SCA scanners detect by version, not runtime behavior. CTO-4807 will continue to flag `urllib3==2.6.3` until we either upgrade Python and bump urllib3, or security accepts the risk with this mitigation as justification.

Test plan

  • CI green on all 3 Python versions (3.9, 3.10, 3.11)
  • Smoke-test in staging: confirm outbound calls to OAuth/IDP/etc. still function with `Accept-Encoding: identity`
  • Verify in logs / debugger that the request header is set on at least one outbound call
  • File security-team risk acceptance for CTO-4807 with this PR linked as the mitigation

🤖 Generated with Claude Code
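The following is an added example of the technique the PR describes, not the PR's own `EnigmaAutomation/security_mitigations.py` (that file is not shown on this page). It patches a requests-style adapter once, idempotently, so every outbound request carries `Accept-Encoding: identity`, and adds one check the PR text does not describe: because `Accept-Encoding` is only a preference, the patched `build_response` refuses a reply that still arrives with a non-identity `Content-Encoding` before requests reads the body, so urllib3's decoder is never reached even for a non-conforming server or middlebox. `FakeRequest`, `FakeRawResponse` and `FakeAdapter` are constructed stand-ins with the shape of requests' objects so the demo runs offline; `PATCH_MARK` is a hypothetical marker attribute; `install_for_requests()` applies the same patch to the real `requests.adapters.HTTPAdapter` when requests is importable.

```python
# Added example, not the PR's EnigmaAutomation/security_mitigations.py (not shown on the
# page). Fake* classes are constructed stand-ins so it runs offline; PATCH_MARK is a
# hypothetical attribute name.
import importlib.util

IDENTITY = "identity"
PATCH_MARK = "_identity_encoding_patched"


class CompressedResponseError(RuntimeError):
    """The server ignored Accept-Encoding: identity and sent a compressed body."""


def install_identity_encoding(adapter_cls):
    """Patch adapter_cls in place; True on first install, False if already patched.

    Mirrors requests' flow (adapter.send -> urlopen -> adapter.build_response):
      send: overwrite Accept-Encoding before the request leaves the process.
      build_response: reject a raw reply whose Content-Encoding is not identity. It
        runs before requests reads the body, so urllib3 never decodes it. Accept-Encoding
        is only a preference; a non-conforming server or middlebox can still send gzip.
    """
    if getattr(adapter_cls, PATCH_MARK, False):
        return False
    original_send, original_build = adapter_cls.send, adapter_cls.build_response

    def send(self, request, *args, **kwargs):
        request.headers["Accept-Encoding"] = IDENTITY
        return original_send(self, request, *args, **kwargs)

    def build_response(self, request, raw):
        headers = {k.lower(): v for k, v in raw.headers.items()}  # dict or HTTPHeaderDict
        encoding = (headers.get("content-encoding") or IDENTITY).strip().lower()
        if encoding != IDENTITY:
            raw.close()  # drop the unread body; it never reaches the decoder
            raise CompressedResponseError(f"{request.url}: Content-Encoding {encoding}")
        return original_build(self, request, raw)

    adapter_cls.send, adapter_cls.build_response = send, build_response
    setattr(adapter_cls, PATCH_MARK, True)
    return True


def install_for_requests():
    """Apply to the real requests adapter; None when requests is not installed."""
    if importlib.util.find_spec("requests") is None:
        return None
    from requests.adapters import HTTPAdapter
    return install_identity_encoding(HTTPAdapter)


# Constructed stand-ins with the shape of requests' objects; no network involved.
class FakeRequest:
    def __init__(self, url, headers=None):
        self.url, self.headers = url, dict(headers or {})


class FakeRawResponse:
    """Plays urllib3.HTTPResponse: headers readable before the body is consumed."""
    def __init__(self, headers, body):
        self.headers, self.body, self.closed = headers, body, False

    def close(self):
        self.closed = True


class FakeAdapter:
    """Plays requests.adapters.HTTPAdapter; server_headers is the fake server's reply."""
    def __init__(self, server_headers):
        self.server_headers, self.wire_headers = server_headers, None

    def send(self, request, stream=False, timeout=None, verify=True, cert=None, proxies=None):
        self.wire_headers = dict(request.headers)  # what actually went on the wire
        return self.build_response(request, FakeRawResponse(self.server_headers, b"x" * 16))

    def build_response(self, request, raw):
        return {"url": request.url, "body": raw.body}


def demo():
    """Patch a fresh adapter class; returns the facts a test should assert on."""
    adapter_cls = type("PatchedFakeAdapter", (FakeAdapter,), {})
    first = install_identity_encoding(adapter_cls)
    second = install_identity_encoding(adapter_cls)  # must be a no-op
    good = adapter_cls({"Content-Type": "application/json"})
    resp = good.send(FakeRequest("https://idp.example/token", {"Accept-Encoding": "gzip"}))
    rogue = adapter_cls({"content-encoding": "gzip"})
    try:
        rogue.send(FakeRequest("https://rogue.example/"))
        rejected = False
    except CompressedResponseError:
        rejected = True
    return {
        "applied_once": first and not second,
        "wire_accept_encoding": good.wire_headers["Accept-Encoding"],
        "body_len": len(resp["body"]),
        "rogue_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo(), "real requests patched:", install_for_requests())
```

The idempotency guard matters for the deployment described in the PR: the module is imported from the package `__init__`, and a second import path (pytest plus a management command, say) must not wrap `send` twice. The `build_response` hook is placed there rather than after `send` returns because `Session.send` is what reads the body for non-streaming calls; inspecting the raw urllib3 response at `build_response` time is the last point before any decoding can happen.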

…ssion bomb (CTO-4807)

GHSA-mf9v-mfxr-j63j flags a decompression-bomb safeguard bypass in
urllib3 < 2.7.0's streaming API. urllib3 2.7.0 requires Python >= 3.10
but the CI matrix still includes Python 3.9, so we cannot bump the pin.

This patch installs a small monkey-patch on requests.adapters.HTTPAdapter
that sets `Accept-Encoding: identity` on every outbound HTTP request.
With no compressed responses ever arriving, urllib3's decompression code
path is never exercised at runtime and the bug cannot trigger.

- New module: EnigmaAutomation/security_mitigations.py
- Imported once from EnigmaAutomation/__init__.py so it loads in every
  process (Django web, manage.py CLI, celery workers, pytest with
  DJANGO_SETTINGS_MODULE set).

Note: SCA scanners detect by version, not behavior, so CTO-4807 will
still flag urllib3==2.6.3. Requesting a risk-acceptance from security
with this mitigation as justification, pending the Python upgrade that
unblocks urllib3 2.7.0.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>