Update dependency starlette to v0.25.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
starlette (changelog)	==0.13.2 -> ==0.25.0

GitHub Vulnerability Alerts

GHSA-74m5-2c7w-9w3x

Impact

The MultipartParser using the package python-multipart accepts an unlimited number of multipart parts (form fields or files).

Processing too many parts results in high CPU usage and high memory usage, eventually leading to an OOM process kill.

This can be triggered by sending too many small form fields with no content, or too many empty files.

For this to take effect application code has to:

• Have python-multipart installed and
• call request.form()
  • or via another framework like FastAPI, using form field parameters or UploadFile parameters, which in turn calls request.form().

Patches

The vulnerability is solved in Starlette 0.25.0 by making the maximum fields and files customizable and with a sensible default (1000).

Applications will be secure by just upgrading their Starlette version to 0.25.0 (or FastAPI to 0.92.0).

If application code needs to customize the new max field and file number, there are new request.form() parameters (with the default values):

• max_files=1000
• max_fields=1000

Workarounds

Applications that don't install python-multipart or that don't use form fields are safe.

In older versions, it's also possible to instead of calling request.form() call request.stream() and parse the form data in internal code.

In most cases, the best solution is to upgrade the Starlette version.

References

This was reported in private by @​das7pad via internal email. He also coordinated the fix across multiple frameworks and parsers.

The details about how multipart/form-data is structured and parsed are in the RFC 7578.

---

Release Notes

encode/starlette

v0.25.0: Version 0.25.0

Compare Source

Fixed

• Limit the number of fields and files when parsing multipart/form-data on the MultipartParser 8c74c2c and #​2036.

v0.24.0: Version 0.24.0

Compare Source

Added

• Allow StaticFiles to follow symlinks #​1683.
• Allow Request.form() as a context manager #​1903.
• Add size attribute to UploadFile #​1405.
• Add env_prefix argument to Config #​1990.
• Add template context processors #​1904.
• Support str and datetime on expires parameter on the Response.set_cookie method #​1908.

Changed

• Lazily build the middleware stack #​2017.
• Make the file argument required on UploadFile #​1413.
• Use debug extension instead of custom response template extension #​1991.

Fixed

• Fix url parsing of ipv6 urls on URL.replace #​1965.

v0.23.1: Version 0.23.1

Compare Source

Fixed

• Only stop receiving stream on body_stream if body is empty on the BaseHTTPMiddleware #​1940.

v0.23.0: Version 0.23.0

Compare Source

Added

• Add headers parameter to the TestClient #​1966.

Deprecated

• Deprecate Starlette and Router decorators #​1897.

Fixed

• Fix bug on FloatConvertor regex #​1973.

v0.22.0: Version 0.22.0

Compare Source

Changed

• Bypass GZipMiddleware when response includes Content-Encoding #​1901.

Fixed

• Remove unneeded unquote() from query parameters on the TestClient #​1953.
• Make sure MutableHeaders._list is actually a list #​1917.
• Import compatibility with the next version of AnyIO #​1936.

v0.21.0: Version 0.21.0

Compare Source

This release replaces the underlying HTTP client used on the TestClient (requests ➡️ httpx), and as those clients differ a bit on their API, your test suite will likely break. To make the migration smoother, you can use the bump-testclient tool.

Changed

• Replace requests with httpx in TestClient #​1376.

Added

• Add WebSocketException and support for WebSocket exception handlers #​1263.
• Add middleware parameter to Mount class #​1649.
• Officially support Python 3.11 #​1863.
• Implement __repr__ for route classes #​1864.

Fixed

• Fix bug on which BackgroundTasks were cancelled when using BaseHTTPMiddleware and client disconnected #​1715.

v0.20.4: Version 0.20.4

Compare Source

Fixed

• Remove converter from path when generating OpenAPI schema #​1648.

v0.20.3: Version 0.20.3

Compare Source

Fixed

• Revert "Allow StaticFiles to follow symlinks" #​1681.

v0.20.2: Version 0.20.2

Compare Source

Fixed

• Fix regression on route paths with colons #​1675.
• Allow StaticFiles to follow symlinks #​1337.

v0.20.1: Version 0.20.1

Compare Source

Fixed

• Improve detection of async callables #​1444.
• Send 400 (Bad Request) when boundary is missing #​1617.
• Send 400 (Bad Request) when missing "name" field on Content-Disposition header #​1643.
• Do not send empty data to StreamingResponse on BaseHTTPMiddleware #​1609.
• Add __bool__ dunder for Secret #​1625.

v0.20.0: Version 0.20.0

Compare Source

Removed

• Drop Python 3.6 support #​1357 and #​1616.

v0.19.1: Version 0.19.1

Compare Source

Fixed

• Fix inference of Route.name when created from methods #​1553.
• Avoid TypeError on websocket.disconnect when code is None #​1574.

Deprecated

• Deprecate WS_1004_NO_STATUS_RCVD and WS_1005_ABNORMAL_CLOSURE in favor of WS_1005_NO_STATUS_RCVD and WS_1006_ABNORMAL_CLOSURE, as the previous constants didn't match the WebSockets specs #​1580.

v0.19.0: Version 0.19.0

Compare Source

Added

• Error handler will always run, even if the error happens on a background task #​761.
• Add headers parameter to HTTPException #​1435.
• Internal responses with 405 status code insert an Allow header, as described by RFC 7231 #​1436.
• The content argument in JSONResponse is now required #​1431.
• Add custom URL convertor register #​1437.
• Add content disposition type parameter to FileResponse #​1266.
• Add next query param with original request URL in requires decorator #​920.
• Add raw_path to TestClient scope #​1445.
• Add union operators to MutableHeaders #​1240.
• Display missing route details on debug page #​1363.
• Change anyio required version range to >=3.4.0,<5.0 #​1421 and #​1460.
• Add typing-extensions>=3.10 requirement - used only on lower versions than Python 3.10 #​1475.

Fixed

• Prevent BaseHTTPMiddleware from hiding errors of StreamingResponse and mounted applications #​1459.
• SessionMiddleware uses an explicit path=..., instead of defaulting to the ASGI 'root_path' #​1512.
• Request.client is now compliant with the ASGI specifications #​1462.
• Raise KeyError at early stage for missing boundary #​1349.

Deprecated

• Deprecate WSGIMiddleware in favor of a2wsgi #​1504.
• Deprecate run_until_first_complete #​1443.

v0.18.0: Version 0.18.0

Compare Source

Added

• Change default chunk size from 4Kb to 64Kb on FileResponse #​1345.
• Add support for functools.partial in WebSocketRoute #​1356.
• Add StaticFiles packages with directory #​1350.
• Allow environment options in Jinja2Templates #​1401.
• Allow HEAD method on HttpEndpoint #​1346.
• Accept additional headers on websocket.accept message #​1361 and #​1422.
• Add reason to WebSocket close ASGI event #​1417.
• Add headers attribute to UploadFile #​1382.
• Don't omit Content-Length header for Content-Length: 0 cases #​1395.
• Don't set headers for responses with 1xx, 204 and 304 status code #​1397.
• SessionMiddleware.max_age now accepts None, so cookie can last as long as the browser session #​1387.

Fixed

• Tweak hashlib.md5() function on FileResponses ETag generation. The parameter usedforsecurity flag is set to False, if the flag is available on the system. This fixes an error raised on systems with FIPS enabled #​1366 and #​1410.
• Fix path_params type on url_path_for() method i.e. turn str into Any #​1341.
• Host now ignores port on routing #​1322.

v0.17.1: Version 0.17.1

Compare Source

Fixed

• Fix IndexError in authentication requires when wrapped function arguments are distributed between *args and **kwargs #​1335.

v0.17.0: Version 0.17.0

Compare Source

Added

• Response.delete_cookie now accepts the same parameters as Response.set_cookie #​1228.
• Update the Jinja2Templates constructor to allow PathLike #​1292.

Fixed

• Fix BadSignature exception handling in SessionMiddleware #​1264.
• Change HTTPConnection.__getitem__ return type from str to typing.Any #​1118.
• Change ImmutableMultiDict.getlist return type from typing.List[str] to typing.List[typing.Any] #​1235.
• Handle OSError exceptions on StaticFiles #​1220.
• Fix StaticFiles 404.html in HTML mode #​1314.
• Prevent anyio.ExceptionGroup in error views under a BaseHTTPMiddleware #​1262.

Removed

• Remove GraphQL support #​1198.

v0.16.0: Version 0.16.0

Compare Source

Added

• Added Encode funding option
  #​1219

Fixed

• starlette.websockets.WebSocket instances are now hashable and compare by identity
  #​1039
• A number of fixes related to running task groups in lifespan
  #​1213,
  #​1227

Deprecated/removed

• The method starlette.templates.Jinja2Templates.get_env was removed
  #​1218
• The ClassVar starlette.testclient.TestClient.async_backend was removed,
  the backend is now configured using constructor kwargs
  #​1211
• Passing an Async Generator Function or a Generator Function to starlette.router.Router(lifespan_context=) is deprecated. You should wrap your lifespan in @contextlib.asynccontextmanager.
  #​1227
  #​1110

v0.15.0: Version 0.15.0

Compare Source

0.15.0

This release includes major changes to the low-level asynchronous parts of Starlette. As a result, Starlette now depends on AnyIO and some minor API changes have occurred. Another significant change with this release is the deprecation of built-in GraphQL support.

Added

• Starlette now supports Trio as an async runtime via AnyIO - #​1157.
• TestClient.websocket_connect() now must be used as a context manager.
• Initial support for Python 3.10 - #​1201.
• The compression level used in GZipMiddleware is now adjustable - #​1128.

Fixed

• Several fixes to CORSMiddleware. See #​1111, #​1112, #​1113, #​1199.
• Improved exception messages in the case of duplicated path parameter names - #​1177.
• RedirectResponse now uses quote instead of quote_plus encoding for the Location header to better match the behaviour in other frameworks such as Django - #​1164.
• Exception causes are now preserved in more cases - #​1158.
• Session cookies now use the ASGI root path in the case of mounted applications - #​1147.
• Fixed a cache invalidation bug when static files were deleted in certain circumstances - #​1023.
• Improved memory usage of BaseHTTPMiddleware when handling large responses - #​1012 fixed via #​1157

Deprecated/removed

• Built-in GraphQL support via the GraphQLApp class has been deprecated and will be removed in a future release. Please see #​619. GraphQL is not supported on Python 3.10.
• The executor parameter to GraphQLApp was removed. Use executor_class instead.
• The workers parameter to WSGIMiddleware was removed. This hasn't had any effect since Starlette v0.6.3.

v0.14.2: Version 0.14.2

Compare Source

Fixed

• Fixed ServerErrorMiddleware compatibility with Python 3.9.1/3.8.7 when debug mode is enabled - #​1132.
• Fixed unclosed socket ResourceWarnings when using the TestClient with WebSocket endpoints - #​1132.
• Improved detection of async endpoints wrapped in functools.partial on Python 3.8+ - #​1106.

v0.14.1: Version 0.14.1

Compare Source

Removed

• UJSONResponse was removed (this change was intended to be included in 0.14.0). Please see the documentation for how to implement responses using custom JSON serialization - #​1074.

v0.14.0: Version 0.14.0

Compare Source

Added

• Starlette now officially supports Python3.9.
• In StreamingResponse, allow custom async iterator such as objects from classes implementing __aiter__.
• Allow usage of functools.partial async handlers in Python versions 3.6 and 3.7.
• Add 418 I'm A Teapot status code.

Changed

• Create tasks from handler coroutines before sending them to asyncio.wait.
• Use format_exception instead of format_tb in ServerErrorMiddleware's debug responses.
• Be more lenient with handler arguments when using the requires decorator.

v0.13.8: Version 0.13.8

Compare Source

• Revert Queue(maxsize=1) fix for BaseHTTPMiddleware middleware classes and streaming responses.

• The StaticFiles constructor now allows pathlib.Path in addition to strings for its directory argument.

v0.13.7: Version 0.13.7

Compare Source

• Fix high memory usage when using BaseHTTPMiddleware middleware classes and streaming responses.

v0.13.6: Version 0.13.6

Compare Source

• Fix 404 errors with StaticFiles.

v0.13.5: Version 0.13.5

Compare Source

0.13.5

• Add support for Starlette(lifespan=...) functions.
• More robust path-traversal check in StaticFiles app.
• Fix WSGI PATH_INFO encoding.
• RedirectResponse now accepts optional background parameter
• Allow path routes to contain regex meta characters
• Treat ASGI HTTP 'body' as an optional key.
• Don't use thread pooling for writing to in-memory upload files.

v0.13.4: Version 0.13.4

Compare Source

• Add UUID convertor. #​903
• More lenient cookie parsing. #​900

v0.13.3

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.