-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency aiohttp to v3.10.2 [security] #1102
Merged
holtskinner
merged 1 commit into
GoogleCloudPlatform:main
from
renovate-bot:renovate/pypi-aiohttp-vulnerability
Sep 17, 2024
Merged
chore(deps): update dependency aiohttp to v3.10.2 [security] #1102
holtskinner
merged 1 commit into
GoogleCloudPlatform:main
from
renovate-bot:renovate/pypi-aiohttp-vulnerability
Sep 17, 2024
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
owlbot:run
Add this label to trigger the Owlbot post processor.
label
Sep 17, 2024
gcf-owl-bot
bot
removed
the
owlbot:run
Add this label to trigger the Owlbot post processor.
label
Sep 17, 2024
nhootan
pushed a commit
to nhootan/generative-ai
that referenced
this pull request
Sep 18, 2024
…loudPlatform#1102) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [aiohttp](https://github.com/aio-libs/aiohttp) | `3.9.5` -> `3.10.2` | [![age](https://developer.mend.io/api/mc/badges/age/pypi/aiohttp/3.10.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/aiohttp/3.10.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/aiohttp/3.9.5/3.10.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/aiohttp/3.9.5/3.10.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- > [!WARNING] > Some dependencies could not be looked up. Check the warning logs for more information. ### GitHub Vulnerability Alerts #### [CVE-2024-42367](https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj) ### Summary Static routes which contain files with compressed variants (`.gz` or `.br` extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links. ### Details The server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing `Path.stat()` and `Path.open()` to send the file. ### Impact Servers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted. ---- Patch: [https://github.com/aio-libs/aiohttp/pull/8653](https://github.com/aio-libs/aiohttp/pull/8653)/files --- ### Release Notes <details> <summary>aio-libs/aiohttp (aiohttp)</summary> ### [`v3.10.2`](https://github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3102-2024-08-08) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.10.1...v3.10.2) \=================== ## Bug fixes - Fixed server checks for circular symbolic links to be compatible with Python 3.13 -- by :user:`steverep`. *Related issues and pull requests on GitHub:* :issue:`8565`. - Fixed request body not being read when ignoring an Upgrade request -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8597`. - Fixed an edge case where shutdown would wait for timeout when the handler was already completed -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8611`. - Fixed connecting to `npipe://`, `tcp://`, and `unix://` urls -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`8632`. - Fixed WebSocket ping tasks being prematurely garbage collected -- by :user:`bdraco`. There was a small risk that WebSocket ping tasks would be prematurely garbage collected because the event loop only holds a weak reference to the task. The garbage collection risk has been fixed by holding a strong reference to the task. Additionally, the task is now scheduled eagerly with Python 3.12+ to increase the chance it can be completed immediately and avoid having to hold any references to the task. *Related issues and pull requests on GitHub:* :issue:`8641`. - Fixed incorrectly following symlinks for compressed file variants -- by :user:`steverep`. *Related issues and pull requests on GitHub:* :issue:`8652`. ## Removals and backward incompatible breaking changes - Removed `Request.wait_for_disconnection()`, which was mistakenly added briefly in 3.10.0 -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8636`. ## Contributor-facing changes - Fixed monkey patches for `Path.stat()` and `Path.is_dir()` for Python 3.13 compatibility -- by :user:`steverep`. *Related issues and pull requests on GitHub:* :issue:`8551`. ## Miscellaneous internal changes - Improved WebSocket performance when messages are sent or received frequently -- by :user:`bdraco`. The WebSocket heartbeat scheduling algorithm was improved to reduce the `asyncio` scheduling overhead by decreasing the number of `asyncio.TimerHandle` creations and cancellations. *Related issues and pull requests on GitHub:* :issue:`8608`. - Minor improvements to various type annotations -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8634`. *** ### [`v3.10.1`](https://github.com/aio-libs/aiohttp/compare/v3.10.0...v3.10.1) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.10.0...v3.10.1) ### [`v3.10.0`](https://github.com/aio-libs/aiohttp/compare/v3.9.5...v3.10.0) [Compare Source](https://github.com/aio-libs/aiohttp/compare/v3.9.5...v3.10.0) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/GoogleCloudPlatform/generative-ai). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC44MC4wIiwidXBkYXRlZEluVmVyIjoiMzguODAuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.9.5
->3.10.2
Warning
Some dependencies could not be looked up. Check the warning logs for more information.
GitHub Vulnerability Alerts
CVE-2024-42367
Summary
Static routes which contain files with compressed variants (
.gz
or.br
extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.Details
The server protects static routes from path traversal outside the root directory when
follow_symlinks=False
(default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in theFileResponse
class, and symbolic links are then automatically followed when performingPath.stat()
andPath.open()
to send the file.Impact
Servers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.
Patch: https://github.com/aio-libs/aiohttp/pull/8653/files
Release Notes
aio-libs/aiohttp (aiohttp)
v3.10.2
Compare Source
===================
Bug fixes
Fixed server checks for circular symbolic links to be compatible with Python 3.13 -- by :user:
steverep
.Related issues and pull requests on GitHub:
:issue:
8565
.Fixed request body not being read when ignoring an Upgrade request -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8597
.Fixed an edge case where shutdown would wait for timeout when the handler was already completed -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8611
.Fixed connecting to
npipe://
,tcp://
, andunix://
urls -- by :user:bdraco
.Related issues and pull requests on GitHub:
:issue:
8632
.Fixed WebSocket ping tasks being prematurely garbage collected -- by :user:
bdraco
.There was a small risk that WebSocket ping tasks would be prematurely garbage collected because the event loop only holds a weak reference to the task. The garbage collection risk has been fixed by holding a strong reference to the task. Additionally, the task is now scheduled eagerly with Python 3.12+ to increase the chance it can be completed immediately and avoid having to hold any references to the task.
Related issues and pull requests on GitHub:
:issue:
8641
.Fixed incorrectly following symlinks for compressed file variants -- by :user:
steverep
.Related issues and pull requests on GitHub:
:issue:
8652
.Removals and backward incompatible breaking changes
Removed
Request.wait_for_disconnection()
, which was mistakenly added briefly in 3.10.0 -- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8636
.Contributor-facing changes
Fixed monkey patches for
Path.stat()
andPath.is_dir()
for Python 3.13 compatibility -- by :user:steverep
.Related issues and pull requests on GitHub:
:issue:
8551
.Miscellaneous internal changes
Improved WebSocket performance when messages are sent or received frequently -- by :user:
bdraco
.The WebSocket heartbeat scheduling algorithm was improved to reduce the
asyncio
scheduling overhead by decreasing the number ofasyncio.TimerHandle
creations and cancellations.Related issues and pull requests on GitHub:
:issue:
8608
.Minor improvements to various type annotations -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8634
.v3.10.1
Compare Source
v3.10.0
Compare Source
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.