
Update dependency aiohttp to v3.8.5 [SECURITY] #593

Merged: 1 commit merged into main from renovate/pypi-aiohttp-vulnerability on Aug 15, 2023

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Jul 20, 2023

Mend Renovate

This PR contains the following updates:

Package | Change
aiohttp | 3.8.4 -> 3.8.5

GitHub Vulnerability Alerts

CVE-2023-37276

Impact

aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6, which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available, which is the default case when installing from a wheel.

This vulnerability only affects users of aiohttp as an HTTP server (i.e. aiohttp.Application); you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (i.e. aiohttp.ClientSession).

Reproducer

from aiohttp import web

async def example(request: web.Request):
    # Echo the parsed headers and body back so the parser's interpretation is visible.
    headers = dict(request.headers)
    body = await request.content.read()
    return web.Response(text=f"headers: {headers} body: {body}")

app = web.Application()
app.add_routes([web.post('/', example)])
web.run_app(app)  # serves on port 8080 by default

Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling.

$ printf "POST / HTTP/1.1\r\nHost: localhost:8080\r\nX-Abc: \rxTransfer-Encoding: chunked\r\n\r\n1\r\nA\r\n0\r\n\r\n" \
  | nc localhost 8080

Expected output:
  headers: {'Host': 'localhost:8080', 'X-Abc': '\rxTransfer-Encoding: chunked'} body: b''

Actual output (note that 'Transfer-Encoding: chunked' is an HTTP header now and the body is treated differently):
  headers: {'Host': 'localhost:8080', 'X-Abc': '', 'Transfer-Encoding': 'chunked'} body: b'A'

Patches

Upgrade to the latest version of aiohttp to resolve this vulnerability. It has been fixed in v3.8.5: pip install "aiohttp>=3.8.5" (quote the specifier so the shell does not treat >= as a redirection)

Workarounds

If you aren't able to upgrade, you can reinstall aiohttp with AIOHTTP_NO_EXTENSIONS=1 set as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable to request smuggling:

$ python -m pip uninstall --yes aiohttp
$ AIOHTTP_NO_EXTENSIONS=1 python -m pip install --no-binary=aiohttp --no-cache aiohttp


Release Notes

aio-libs/aiohttp (aiohttp)

v3.8.5: 3.8.5


Security bugfixes

  • Upgraded the vendored copy of llhttp (https://llhttp.org) to v8.1.1 -- by @webknjaz
    and @Dreamsorcerer.

    Thanks to @sethmlarson for reporting this and providing us with
    comprehensive reproducer, workarounds and fixing details! For more
    information, see
    GHSA-45c4-8wx5-qw6w.

    (#7346)

Features

  • Added information to C parser exceptions to show which character caused the error. -- by @Dreamsorcerer

    (#7366)

Bugfixes

  • Fixed a "transport is None" error -- by @Dreamsorcerer.

    (#3355)



Configuration

📅 Schedule: Branch creation - "" in timezone America/Chicago, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate.
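The advisory above explains the bug in prose and shows two outputs. The following is an added example, not code from the advisory, the PR, or aiohttp: a minimal HTTP/1.1 request parser with a "strict" mode (only CRLF ends a field line, matching the advisory's expected output) and a "lenient" mode that emulates the behaviour the advisory reports for llhttp 6.0.6 (a bare CR ends the field and the byte after it is swallowed). The lenient mode is an emulation of the observed output, not llhttp's logic. It also includes a front-door check for bare CRs that a proxy could apply. The crafted request is the advisory's, embedded here as a byte string.

```python
"""Added example (not from the advisory or aiohttp): show how a bare CR in a
header value becomes the request-smuggling primitive behind
CVE-2023-30589 / CVE-2023-37276."""

# The advisory's crafted request, embedded as a byte string.
CRAFTED = (
    b"POST / HTTP/1.1\r\n"
    b"Host: localhost:8080\r\n"
    b"X-Abc: \rxTransfer-Encoding: chunked\r\n"
    b"\r\n"
    b"1\r\nA\r\n0\r\n\r\n"
)


class BadRequest(ValueError):
    """Raised when the request head cannot be parsed."""


def split_field_lines(head_lines, mode):
    """strict: only CRLF ends a field line, so a bare CR stays in the value.
    lenient: emulation of the advisory's observed llhttp output; a bare CR ends
    the field and the byte following it is dropped, so one line becomes two."""
    if mode == "strict":
        return list(head_lines)
    out = []
    for line in head_lines:
        while True:
            before, bare_cr, after = line.partition(b"\r")
            if before:
                out.append(before)
            if not bare_cr:
                break
            line = after[1:]  # emulation: the byte after the bare CR is swallowed
    return out


def parse_head(head, mode):
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = {}
    for field in split_field_lines(lines[1:], mode):
        name, colon, value = field.partition(b":")
        if not colon or not name.strip():
            raise BadRequest("malformed header field: %r" % field)
        # strip only SP/HTAB; a bare CR must stay visible in the value
        headers[name.strip(b" \t").decode("latin-1")] = value.strip(b" \t").decode("latin-1")
    return request_line, headers


def decode_chunked(data):
    """Decode a chunked body (no trailer support). Returns (body, remainder)."""
    body = b""
    pos = 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        pos = end + 2
        if size == 0:
            end = data.index(b"\r\n", pos)  # empty line closing the last chunk
            return body, data[end + 2:]
        body += data[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def parse_request(raw, mode="strict"):
    """Returns (request_line, headers, body, remainder). Bytes left in
    'remainder' would be read as the next request on a kept-alive connection,
    which is the desynchronisation that request smuggling relies on."""
    idx = raw.find(b"\r\n\r\n")
    if idx < 0:
        raise BadRequest("incomplete request head")
    request_line, headers = parse_head(raw[:idx], mode)
    rest = raw[idx + 4:]
    if headers.get("Transfer-Encoding", "").lower() == "chunked":
        body, remainder = decode_chunked(rest)
    else:
        length = int(headers.get("Content-Length", "0"))
        body, remainder = rest[:length], rest[length:]
    return request_line, headers, body, remainder


def has_bare_cr(raw):
    """Check a proxy or WAF can apply before forwarding: any CR in the request
    head that is not immediately followed by LF."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return any(head[i] == 0x0D and head[i + 1:i + 2] != b"\n" for i in range(len(head)))


if __name__ == "__main__":
    for mode in ("strict", "lenient"):
        print(mode, parse_request(CRAFTED, mode)[1:])
    print("bare CR present:", has_bare_cr(CRAFTED))
```

In strict mode the crafted request has no Transfer-Encoding header, the body is empty and the chunked bytes are left unread, exactly the bytes a lenient front end would have consumed; the two parsers disagree on where the request ends, which is the smuggling condition. The same split (headers {'Host', 'X-Abc': '', 'Transfer-Encoding': 'chunked'}, body b'A') appears only in lenient mode, reproducing the advisory's actual output.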

@renovate renovate bot added dependencies Upgrade or downgrade of project dependencies. python labels Jul 20, 2023
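The advisory's patch and workaround sections give two different ways out (upgrade to 3.8.5, or reinstall with AIOHTTP_NO_EXTENSIONS=1). The following is an added example, not part of the advisory, the PR or aiohttp, that tells you which state an environment is actually in. It assumes (labelled as an assumption in the code) that aiohttp.http_parser re-exports the Cython parser class from aiohttp._http_parser when the extension is loaded and otherwise defines the pure-Python class itself, so the class's __module__ identifies the backend. The decision logic is kept in a pure function so it can be checked without aiohttp installed.

```python
"""Added example (not from the advisory, the PR, or aiohttp): report whether an
installed aiohttp is exposed to CVE-2023-37276 and whether the
AIOHTTP_NO_EXTENSIONS workaround actually took effect."""
from importlib import import_module
from importlib.metadata import PackageNotFoundError, version

FIXED = (3, 8, 5)  # first release with the patched llhttp, per the advisory

# Assumption about aiohttp internals: when the C extension loads, the
# HttpRequestParser class comes from this module; otherwise it is the
# pure-Python class defined in aiohttp.http_parser.
C_PARSER_MODULE = "aiohttp._http_parser"


def parse_version(text):
    """'3.8.5' -> (3, 8, 5); stops at the first non-numeric component so
    pre-release strings like '3.9.0b1' still compare as (3, 9, 0)."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def verdict(installed_version, parser_module):
    """Pure decision logic: 'fixed', 'vulnerable' or 'workaround'."""
    if parse_version(installed_version) >= FIXED:
        return "fixed"
    if parser_module == C_PARSER_MODULE:
        return "vulnerable"  # pre-3.8.5 with the llhttp-based parser in use
    return "workaround"      # pre-3.8.5 but the pure-Python parser is active


def installed_state():
    """Inspect the live environment. Returns (version, parser_module, verdict),
    or None when aiohttp is not installed or cannot be imported."""
    try:
        ver = version("aiohttp")
        parser_cls = import_module("aiohttp.http_parser").HttpRequestParser
    except (PackageNotFoundError, ImportError, AttributeError):
        return None
    except Exception:  # any other import-time failure also means "cannot assess"
        return None
    return ver, parser_cls.__module__, verdict(ver, parser_cls.__module__)


if __name__ == "__main__":
    state = installed_state()
    print("aiohttp not importable" if state is None else
          "aiohttp %s, parser from %s: %s" % state)
```

Run it inside the virtualenv that serves the application; a pre-3.8.5 install that still reports aiohttp._http_parser means the reinstall from source did not happen (for example because a cached wheel was used), which is why the advisory's workaround passes --no-binary and --no-cache.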
@codecov

codecov bot commented Jul 20, 2023

Codecov Report

Merging #593 (10915b9) into main (ac9c599) will increase coverage by 0.02%.
Report is 10 commits behind head on main.
The diff coverage is 95.83%.

❗ Current head 10915b9 differs from pull request most recent head d996afd. Consider uploading reports for the commit d996afd to get more accurate results

@@            Coverage Diff             @@
##             main     #593      +/-   ##
==========================================
+ Coverage   96.06%   96.09%   +0.02%     
==========================================
  Files           7        7              
  Lines         432      435       +3     
  Branches       85       86       +1     
==========================================
+ Hits          415      418       +3     
  Misses          4        4              
  Partials       13       13              
Files Changed             Coverage   Δ
src/rokuecp/resolver.py   89.47%     <0.00%>   (ø)
src/rokuecp/__init__.py   100.00%    <100.00%> (ø)
src/rokuecp/helpers.py    89.28%     <100.00%> (+0.19%)
src/rokuecp/models.py     95.97%     <100.00%> (ø)
src/rokuecp/rokuecp.py    98.52%     <100.00%> (+<0.01%)


@renovate renovate bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 10915b9 to d996afd on August 15, 2023 03:37
@ctalkington ctalkington merged commit 5322090 into main Aug 15, 2023
12 of 13 checks passed
@ctalkington ctalkington deleted the renovate/pypi-aiohttp-vulnerability branch August 15, 2023 03:39