
Update dependency aiohttp to v3.8.5 [SECURITY]#477

Merged
ctalkington merged 1 commit into
masterfrom
renovate/pypi-aiohttp-vulnerability
Aug 15, 2023

Conversation

@renovate
Contributor

@renovate renovate Bot commented Jul 20, 2023

Mend Renovate

This PR contains the following updates:

Package   Change
aiohttp   3.8.4 -> 3.8.5

GitHub Vulnerability Alerts

CVE-2023-37276

Impact

aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6 which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel.

This vulnerability only affects users of aiohttp as an HTTP server (i.e. aiohttp.Application); you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (i.e. aiohttp.ClientSession).

Reproducer

from aiohttp import web

async def example(request: web.Request):
    headers = dict(request.headers)
    body = await request.content.read()
    return web.Response(text=f"headers: {headers} body: {body}")

app = web.Application()
app.add_routes([web.post('/', example)])
web.run_app(app)

Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling.

$ printf "POST / HTTP/1.1\r\nHost: localhost:8080\r\nX-Abc: \rxTransfer-Encoding: chunked\r\n\r\n1\r\nA\r\n0\r\n\r\n" \
  | nc localhost 8080

Expected output:
  headers: {'Host': 'localhost:8080', 'X-Abc': '\rxTransfer-Encoding: chunked'} body: b''

Actual output (note that 'Transfer-Encoding: chunked' is an HTTP header now and the body is treated differently):
  headers: {'Host': 'localhost:8080', 'X-Abc': '', 'Transfer-Encoding': 'chunked'} body: b'A'

Patches

Upgrade to the latest version of aiohttp to resolve this vulnerability. It has been fixed in v3.8.5: pip install "aiohttp>=3.8.5"

Workarounds

If you aren't able to upgrade, you can reinstall aiohttp with AIOHTTP_NO_EXTENSIONS=1 set as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable to request smuggling:

$ python -m pip uninstall --yes aiohttp
$ AIOHTTP_NO_EXTENSIONS=1 python -m pip install --no-binary=aiohttp --no-cache aiohttp

References


Release Notes

aio-libs/aiohttp (aiohttp)

v3.8.5

Security bugfixes

  • Upgraded the vendored copy of llhttp (https://llhttp.org) to v8.1.1 -- by @webknjaz and @Dreamsorcerer.

    Thanks to @sethmlarson for reporting this and providing us with a comprehensive reproducer, workarounds and fixing details! For more information, see GHSA-45c4-8wx5-qw6w.

    (#7346)

Features

  • Added information to C parser exceptions to show which character caused the error. -- by @Dreamsorcerer

    (#7366)

Bugfixes

  • Fixed a "transport is None" error -- by @Dreamsorcerer.

    (#3355)



Configuration

📅 Schedule: Branch creation - "" in timezone America/Chicago, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.
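A strict header-block parser, added here as an example (not aiohttp's code and not part of this PR): it treats only CRLF as a line terminator and, as RFC 9112 section 2.2 requires, either rejects a bare CR in a field or replaces it with a space, so the advisory's reproducer request yields the "Expected output" above (one X-Abc header, empty body) instead of a second Transfer-Encoding header. SMUGGLE_REQ is a constructed copy of the advisory's request; the body framing only looks at headers the strict parse actually produced.

```python
from typing import Dict, Tuple

# Constructed copy of the advisory's reproducer request: note the bare CR
# (not followed by LF) inside the X-Abc value.
SMUGGLE_REQ = (
    b"POST / HTTP/1.1\r\nHost: localhost:8080\r\n"
    b"X-Abc: \rxTransfer-Encoding: chunked\r\n\r\n1\r\nA\r\n0\r\n\r\n"
)

class BareCRError(ValueError):
    """A CR that is not part of a CRLF pair was found in a header line."""

def parse_request(raw: bytes, replace_bare_cr: bool = False) -> Tuple[Dict[str, str], bytes]:
    """Parse the header block strictly: only CRLF ends a line, so a bare CR
    can never start a new header. It is rejected, or replaced by SP on request."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("incomplete header block")
    head, rest = raw[:end], raw[end + 4:]
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:       # skip the request line
        if b"\r" in line:                       # any CR left here is bare
            if not replace_bare_cr:
                raise BareCRError(f"bare CR in header line {line!r}")
            line = line.replace(b"\r", b" ")
        name, sep, value = line.partition(b":")
        if not sep or not name or name.strip() != name:
            raise ValueError(f"malformed header line {line!r}")
        headers[name.decode("ascii")] = value.strip().decode("latin-1")
    return headers, message_body(headers, rest)

def message_body(headers: Dict[str, str], rest: bytes) -> bytes:
    """Frame the body from the parsed headers only (RFC 9112 section 6.3)."""
    lower = {h.lower(): v for h, v in headers.items()}
    if "transfer-encoding" in lower:
        if lower["transfer-encoding"].strip().lower() != "chunked":
            raise ValueError("unsupported Transfer-Encoding")
        out, pos = b"", 0
        while True:                             # decode the chunked body
            line_end = rest.index(b"\r\n", pos)
            size = int(rest[pos:line_end].split(b";")[0], 16)
            pos = line_end + 2
            if size == 0:
                return out
            out += rest[pos:pos + size]
            pos += size + 2
    if "content-length" in lower:
        return rest[:int(lower["content-length"])]
    return b""                                  # neither header: empty body
```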

@renovate renovate Bot added dependencies Upgrade or downgrade of project dependencies. python Pull requests that update Python code labels Jul 20, 2023
@codecov

codecov Bot commented Jul 20, 2023

Codecov Report

Merging #477 (4e38d55) into master (1b5653b) will not change coverage.
Report is 2 commits behind head on master.
The diff coverage is n/a.

❗ Current head 4e38d55 differs from pull request most recent head cef0ff6. Consider uploading reports for the commit cef0ff6 to get more accurate results

@@           Coverage Diff           @@
##           master     #477   +/-   ##
=======================================
  Coverage   95.23%   95.23%           
=======================================
  Files           9        9           
  Lines         818      818           
  Branches      122      122           
=======================================
  Hits          779      779           
  Misses         14       14           
  Partials       25       25           


@renovate renovate Bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 4e38d55 to cef0ff6 August 15, 2023 03:20
@ctalkington ctalkington merged commit 8cae9a8 into master Aug 15, 2023
@ctalkington ctalkington deleted the renovate/pypi-aiohttp-vulnerability branch August 15, 2023 03:21