Merge pull request #70 from busykoala/mo/cwe-fastapi

Update fastapi due to vulnerability.
busykoala · Feb 7, 2024 · 4953bbd · 4953bbd
2 parents 5feeb76 + 9e8870c
commit 4953bbd
Show file tree

Hide file tree

Showing 8 changed files with 555 additions and 732 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -10,12 +10,12 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [3.7, 3.8, 3.9, "3.10", "3.11"]
+        python-version: [3.8, 3.9, "3.10", "3.11", "3.12"]
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python-version }}
     - name: Update system deps

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Change Log
 
+## [2.0.0] - 2024-02-07
+- Drop Python 3.7 support due to FastAPI update
+- Update dependencies due to vulnerabilities:
+  - [fastapi](https://github.com/advisories/GHSA-qf9m-vfgh-m389)
+
 ## [1.4.8] - 2024-01-12
 - Optionally use `x-forwarded-` cookies when reconstructing redirect path for OIDC
 

diff --git a/fastapi_opa/auth/auth_api_key.py b/fastapi_opa/auth/auth_api_key.py
@@ -34,5 +34,5 @@ async def authenticate(
             raise AuthenticationException("Unauthorized")
         return {
             "user": "APIKey",
-            "client": request.client.host,
+            "client": request.client.host if request.client else "",
         }
diff --git a/fastapi_opa/auth/auth_oidc.py b/fastapi_opa/auth/auth_oidc.py
@@ -107,12 +107,18 @@ async def authenticate(
     ) -> Union[RedirectResponse, Dict]:
         callback_uri = urlunparse(
             [
-                request.headers.get("x-forwarded-proto", request.url.scheme)
-                if self.config.trust_x_headers
-                else request.url.scheme,
-                request.headers.get("x-forwarded-host", request.url.netloc)
-                if self.config.trust_x_headers
-                else request.url.netloc,
+                (
+                    request.headers.get(
+                        "x-forwarded-proto", request.url.scheme
+                    )
+                    if self.config.trust_x_headers
+                    else request.url.scheme
+                ),
+                (
+                    request.headers.get("x-forwarded-host", request.url.netloc)
+                    if self.config.trust_x_headers
+                    else request.url.netloc
+                ),
                 request.url.path,
                 "",
                 "",
@@ -160,7 +166,7 @@ def get_auth_redirect_uri(self, callback_uri):
 
     def get_auth_token(self, code: str, callback_uri: str) -> Dict:
         authentication_string = "Basic " + b64encode(
-            f"{self.config.client_id}:{self.config.client_secret}".encode(
+            f"{self.config.client_id}:{self.config.client_secret}".encode(  # noqa
                 "utf-8"
             )
         ).decode("utf-8")

diff --git a/fastapi_opa/auth/auth_saml.py b/fastapi_opa/auth/auth_saml.py
@@ -64,7 +64,7 @@ async def init_saml_auth(self, request_args: Dict) -> OneLogin_Saml2_Auth:
 
     async def single_log_out_from_idp(
         self, request: Request
-    ) -> (Union[RedirectResponse, Dict]):
+    ) -> Union[RedirectResponse, Dict]:
         req_args = await self.prepare_request(request)
         if not req_args["get_data"].get("SAMLResponse") and (
             request.query_params.get("SAMLResponse")
@@ -112,7 +112,7 @@ async def single_sign_on(
     @staticmethod
     async def assertion_consumer_service(
         auth: OneLogin_Saml2_Auth, request_args: Dict, request: Request
-    ) -> (Union[RedirectResponse, Dict]):
+    ) -> Union[RedirectResponse, Dict]:
         auth.process_response()
         errors = auth.get_errors()
         if not len(errors) == 0:

diff --git a/fastapi_opa/opa/opa_middleware.py b/fastapi_opa/opa/opa_middleware.py
@@ -116,9 +116,9 @@ async def __call__(
                     request.url.path, injectable.skip_endpoints
                 ):
                     continue
-                user_info_or_auth_redirect[
-                    injectable.key
-                ] = await injectable.extract(request)
+                user_info_or_auth_redirect[injectable.key] = (
+                    await injectable.extract(request)
+                )
         user_info_or_auth_redirect["request_method"] = scope.get("method")
         # fmt: off
         user_info_or_auth_redirect["request_path"] = scope.get("path").split("/")[1:]  # noqa

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "fastapi-opa"
-version = "1.4.8"
+version = "2.0.0"
 description = "Fastapi OPA middleware incl. auth flow."
 authors = ["Matthias Osswald <info@busykoala.io>"]
 license = "GPL-3.0-or-later"
@@ -10,8 +10,8 @@ keywords = ["fastapi", "oidc", "authentication", "authorization", "saml"]
 exclude = ["fastapi_opa/example_oidc.py", "fastapi_opa/example_saml.py"]
 
 [tool.poetry.dependencies]
-python = ">= 3.7, < 4.0"
-fastapi = ">= 0.65.2"
+python = ">= 3.8, < 4.0"
+fastapi = ">= 0.109.2"
 itsdangerous = "*"
 requests = "*"
 PyJWT = {extras = ["crypto"], version = ">= 2.4"}
@@ -24,7 +24,8 @@ flake8 = "*"
 black = "*"
 isort = "*"
 bandit = "*"
-pytest = "*"
+# temp: pin down due to issue with pytest-asyncio
+pytest = "< 8.0.0"
 pytest-mock = "*"
 mock = "*"
 freezegun = "*"