Update dependency aiohttp to v3.9.2 [SECURITY] (main)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
aiohttp	==3.9.1 -> ==3.9.2

GitHub Vulnerability Alerts

CVE-2024-23829

Summary

Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input.

Details

These problems are rooted in pattern matching protocol elements, previously improved by PR #​3235 and GHSA-gfw2-4jvh-wgfg:

1. The expression HTTP/(\d).(\d) lacked another backslash to clarify that the separator should be a literal dot, not just any Unicode code point (result: HTTP/(\d)\.(\d)).

2. The HTTP version was permitting Unicode digits, where only ASCII digits are standards-compliant.

3. Distinct regular expressions for validating HTTP Method and Header field names were used - though both should (at least) apply the common restrictions of rfc9110 token.

PoC

GET / HTTP/1ö1
GET / HTTP/1.𝟙
GET/: HTTP/1.1
Content-Encoding?: chunked

Impact

Primarily concerns running an aiohttp server without llhttp:

1. behind a proxy: Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling.
2. directly accessible or exposed behind proxies relaying malformed input: the unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities.

---

Patch: https://github.com/aio-libs/aiohttp/pull/8074/files

CVE-2024-23334

Summary

Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system.

Details

When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if a given file path is within the root directory.This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.

i.e. An application is only vulnerable with setup code like:

app.router.add_routes([
    web.static("/static", "static/", follow_symlinks=True),  # Remove follow_symlinks to avoid the vulnerability
])

Impact

This is a directory traversal vulnerability with CWE ID 22. When using aiohttp as a web server and enabling static resource resolution with follow_symlinks set to True, it can lead to this vulnerability. This vulnerability has been present since the introduction of the follow_symlinks parameter.

Workaround

Even if upgrading to a patched version of aiohttp, we recommend following these steps regardless.

If using follow_symlinks=True outside of a restricted local development environment, disable the option immediately. This option is NOT needed to follow symlinks which point to a location within the static root directory, it is only intended to allow a symlink to break out of the static directory. Even with this CVE fixed, there is still a substantial risk of misconfiguration when using this option on a server that accepts requests from remote users.

Additionally, aiohttp has always recommended using a reverse proxy server (such as nginx) to handle static resources and not to use these static resources in aiohttp for production environments. Doing so also protects against this vulnerability, and is why we expect the number of affected users to be very low.

---

Patch: https://github.com/aio-libs/aiohttp/pull/8079/files

---

aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators

CVE-2024-23829 / GHSA-8qpw-xqxj-h4r2 / PYSEC-2024-26

More information

Details

Summary

Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input.

Details

These problems are rooted in pattern matching protocol elements, previously improved by PR #​3235 and GHSA-gfw2-4jvh-wgfg:

1. The expression HTTP/(\d).(\d) lacked another backslash to clarify that the separator should be a literal dot, not just any Unicode code point (result: HTTP/(\d)\.(\d)).

2. The HTTP version was permitting Unicode digits, where only ASCII digits are standards-compliant.

3. Distinct regular expressions for validating HTTP Method and Header field names were used - though both should (at least) apply the common restrictions of rfc9110 token.

PoC

GET / HTTP/1ö1
GET / HTTP/1.𝟙
GET/: HTTP/1.1
Content-Encoding?: chunked

Impact

Primarily concerns running an aiohttp server without llhttp:

1. behind a proxy: Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling.
2. directly accessible or exposed behind proxies relaying malformed input: the unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities.

---

Patch: https://github.com/aio-libs/aiohttp/pull/8074/files

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

References

• https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2
• https://github.com/aio-libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg
• https://nvd.nist.gov/vuln/detail/CVE-2024-23829
• https://github.com/aio-libs/aiohttp/pull/3235
• https://github.com/aio-libs/aiohttp/pull/8074
• https://github.com/aio-libs/aiohttp/pull/8074/files
• https://github.com/aio-libs/aiohttp/commit/33ccdfb0a12690af5bb49bda2319ec0907fa7827
• https://github.com/aio-libs/aiohttp
• https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2024-26.yaml
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

CVE-2024-23334 / GHSA-5h86-8mv2-jq9f / PYSEC-2024-24

More information

Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if reading a file is within the root directory. This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present. Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this issue.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

• https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f
• https://github.com/aio-libs/aiohttp/pull/8079
• https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).

---

CVE-2024-23829 / GHSA-8qpw-xqxj-h4r2 / PYSEC-2024-26

More information

Details

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

References

• https://github.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2
• https://github.com/aio-libs/aiohttp/pull/8074
• https://github.com/aio-libs/aiohttp/commit/33ccdfb0a12690af5bb49bda2319ec0907fa7827
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7/

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).

---

aiohttp is vulnerable to directory traversal

CVE-2024-23334 / GHSA-5h86-8mv2-jq9f / PYSEC-2024-24

More information

Details

Summary

Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system.

Details

When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if a given file path is within the root directory.This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.

i.e. An application is only vulnerable with setup code like:

app.router.add_routes([
    web.static("/static", "static/", follow_symlinks=True),  # Remove follow_symlinks to avoid the vulnerability
])

Impact

This is a directory traversal vulnerability with CWE ID 22. When using aiohttp as a web server and enabling static resource resolution with follow_symlinks set to True, it can lead to this vulnerability. This vulnerability has been present since the introduction of the follow_symlinks parameter.

Workaround

Even if upgrading to a patched version of aiohttp, we recommend following these steps regardless.

If using follow_symlinks=True outside of a restricted local development environment, disable the option immediately. This option is NOT needed to follow symlinks which point to a location within the static root directory, it is only intended to allow a symlink to break out of the static directory. Even with this CVE fixed, there is still a substantial risk of misconfiguration when using this option on a server that accepts requests from remote users.

Additionally, aiohttp has always recommended using a reverse proxy server (such as nginx) to handle static resources and not to use these static resources in aiohttp for production environments. Doing so also protects against this vulnerability, and is why we expect the number of affected users to be very low.

---

Patch: https://github.com/aio-libs/aiohttp/pull/8079/files

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

• https://github.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f
• https://nvd.nist.gov/vuln/detail/CVE-2024-23334
• https://github.com/aio-libs/aiohttp/pull/8079
• https://github.com/aio-libs/aiohttp/pull/8079/files
• https://github.com/aio-libs/aiohttp/commit/1c335944d6a8b1298baf179b7c0b3069f10c514b
• https://github.com/aio-libs/aiohttp
• https://github.com/pypa/advisory-database/tree/main/vulns/aiohttp/PYSEC-2024-24.yaml
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICUOCFGTB25WUT336BZ4UNYLSZOUVKBD
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XXWVZIVAYWEBHNRIILZVB3R3SDQNNAA7

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

aio-libs/aiohttp (aiohttp)

v3.9.2

Compare Source

==================

Bug fixes

• Fixed server-side websocket connection leak.

  Related issues and pull requests on GitHub:
  :issue:7978.

• Fixed web.FileResponse doing blocking I/O in the event loop.

  Related issues and pull requests on GitHub:
  :issue:8012.

• Fixed double compress when compression enabled and compressed file exists in server file responses.

  Related issues and pull requests on GitHub:
  :issue:8014.

• Added runtime type check for ClientSession timeout parameter.

  Related issues and pull requests on GitHub:
  :issue:8021.

• Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

  Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
  Invalid header field names containing question mark or slash are now rejected.
  Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

  Related issues and pull requests on GitHub:
  :issue:8074.

• Improved validation of paths for static resources requests to the server -- by :user:bdraco.

  Related issues and pull requests on GitHub:
  :issue:8079.

Features

• Added support for passing :py:data:True to ssl parameter in ClientSession while
  deprecating :py:data:None -- by :user:xiangyan99.

  Related issues and pull requests on GitHub:
  :issue:7698.

Breaking changes

• Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

  Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
  Invalid header field names containing question mark or slash are now rejected.
  Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

  Related issues and pull requests on GitHub:
  :issue:8074.

Improved documentation

• Fixed examples of fallback_charset_resolver function in the :doc:client_advanced document. -- by :user:henry0312.

  Related issues and pull requests on GitHub:
  :issue:7995.

• The Sphinx setup was updated to avoid showing the empty
  changelog draft section in the tagged release documentation
  builds on Read The Docs -- by :user:webknjaz.

  Related issues and pull requests on GitHub:
  :issue:8067.

Packaging updates and notes for downstreams

• The changelog categorization was made clearer. The
  contributors can now mark their fragment files more
  accurately -- by :user:webknjaz.

  The new category tags are:

  * ``bugfix``
  
  * ``feature``
  
  * ``deprecation``
  
  * ``breaking`` (previously, ``removal``)
  
  * ``doc``
  
  * ``packaging``
  
  * ``contrib``
  
  * ``misc``
  

  Related issues and pull requests on GitHub:
  :issue:8066.

Contributor-facing changes

• Updated :ref:contributing/Tests coverage <aiohttp-contributing> section to show how we use codecov -- by :user:Dreamsorcerer.

  Related issues and pull requests on GitHub:
  :issue:7916.

• The changelog categorization was made clearer. The
  contributors can now mark their fragment files more
  accurately -- by :user:webknjaz.

  The new category tags are:

  * ``bugfix``
  
  * ``feature``
  
  * ``deprecation``
  
  * ``breaking`` (previously, ``removal``)
  
  * ``doc``
  
  * ``packaging``
  
  * ``contrib``
  
  * ``misc``
  

  Related issues and pull requests on GitHub:
  :issue:8066.

Miscellaneous internal changes

• Replaced all tmpdir fixtures with tmp_path in test suite.

  Related issues and pull requests on GitHub:
  :issue:3551.

---

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (==3.9.2). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.