fix: harden auth middleware against Starlette BadHost (CVE-2026-48710)

[yeldarby]

Summary

Patches CVE-2026-48710 ("BadHost"), a Starlette < 1.0.1 vulnerability where request.url.path is derived from the unvalidated Host header. A crafted Host (e.g. Host: x/docs?) makes request.url.path read as an allowlisted route while ASGI routes the request to an authenticated handler — bypassing the API-key check.

Both API-key auth middlewares in inference/core/interfaces/http/http_api.py gate their public-path allowlist on request.url.path, so both were affected:

• GCP Serverless: http_api.py:704-744
• Dedicated Deployment: http_api.py:980-1000

Defense in depth:

• Bump deps: requirements/_requirements.txt:8-9 — fastapi>=0.116.0,<0.120 plus an explicit starlette>=1.0.1 floor (belt-and-suspenders in case a transitive dep narrows FastAPI's resolution).
• Swap path source: read from request.scope["path"] (the raw ASGI path, untouched by Host) inside both middlewares. Allowlist contents and startswith logic preserved exactly — only the source of the path string changed.

Logging/telemetry uses of request.url.path (lines 479, 501, 580, 795, 1120, 1155) are informational, not authorization decisions, and are intentionally left as-is per the remediation scope.

Test plan

Added test_serverless_auth_middleware_rejects_host_header_path_injection which sends six Host-injection variants (testserver/docs?, testserver?/docs, testserver/healthz?, testserver/_next/x, testserver/static/x, testserver#/docs) to a protected endpoint and asserts each returns 401, not 200.

• New Host-injection test passes against the local environment (Starlette 0.37.2, a vulnerable version) — confirming the scope["path"] defense holds independent of the Starlette version.
• Same test was verified to fail when the code change is reverted, proving it catches the bypass.
• All 11 tests in tests/inference/unit_tests/core/interfaces/http/test_http_api.py pass. The 5 pre-existing failures in test_run_uvicorn_script.py (test-pollution when run together with test_http_api.py) are present on main and unrelated to this change.

Follow-ups (deliberately out of scope)

• No TrustedHostMiddleware — needs per-service decision once legitimate Host variance is enumerated across GCP Serverless and Dedicated Deployment.
• Logging/telemetry call sites left unchanged.
• No changes to allowlist contents or middleware structure.

References: badhost.org, CVE-2026-48710, OSTIF disclosure.

🤖 Generated with Claude Code

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5101e201fa

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	pypi/​starlette@​1.1.0
	pypi/​fastapi@​0.115.14 ⏵ 0.136.3	+1

View full report

[yeldarby]

Pushed an update based on internal code review:

#	Item	Resolution
1	Dedicated-deployment middleware test	Fixed. Added test_dedicated_deployment_auth_middleware_rejects_host_header_path_injection + _build_dedicated_deployment_interface helper. Verified under vulnerable Starlette 0.37.2: reverting just the dedicated middleware back to request.url.path makes the new test fail on the first variant ('testserver/docs?': expected 401, got 200).
2	current_request_path.set(request.url.path)	Fixed. Swapped to request.scope["path"]. Traced the ContextVar → _model_request_paths (base.py:217-221) → request_paths field on the model-info response (base.py:644). Currently informational, but cheap to harden and prevents future surprises.
3	http.target span attribute	Fixed. Swapped to scope_path (already in scope at L795). The span describes the auth decision itself, so the log-forging concern there is the strongest.
4	Log helpers (_log_serverless_authorization_denial, _log_serverless_request_received)	Deferred. The original remediation writeup explicitly scoped these out (Logging uses... are informational only — leave them alone). I'd rather do them as a focused follow-up that updates the helpers' signatures consistently than wedge it in here. Filed as TODO.
5	safe_request_path(request) DRY helper	Skipped. Out of scope per writeup's "don't refactor" instruction; happy to add it in the same follow-up that touches the log helpers.
6	Comment on serverless-vs-dedicated allowlist divergence	Skipped. Out of scope.
7	FastAPI bump size	Acknowledged. Verified locally that the unit tests pass on both fastapi==0.133.0 and fastapi==0.135.4 paired with Starlette 1.1.0, and that on_event is still deprecated-but-functional. The scope-path swap alone is sufficient to close the CVE (proven by the regression test on Starlette 0.37.2), so if the dep bump introduces a regression, the requirements line can be reverted without losing the security fix.

Re: log-forging coverage in the deferred follow-up — I'll open a tracking issue for items 4-6 once this lands.