search

canonical / test_observer

Flutter based dashboard for visualising SRU regression test results
3 stars 3 forks source link

Update dependency aiohttp to v3.10.11 [SECURITY] #205

Open renovate[bot] opened 3 months ago

renovate[bot] commented 3 months ago

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
aiohttp 3.9.5 -> 3.10.11 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-42367

Summary

Static routes which contain files with compressed variants (.gz or .br extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.

Details

The server protects static routes from path traversal outside the root directory when follow_symlinks=False (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the FileResponse class, and symbolic links are then automatically followed when performing Path.stat() and Path.open() to send the file.

Impact

Servers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.

Patch: https://github.com/aio-libs/aiohttp/pull/8653/files

CVE-2024-52304

Summary

The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions.

Impact

If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections.

Patch: https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71

Release Notes

aio-libs/aiohttp (aiohttp) ### [`v3.10.11`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#31011-2024-11-13) [Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.10...v3.10.11) \==================== ## Bug fixes - Authentication provided by a redirect now takes precedence over provided `auth` when making requests with the client -- by :user:`PLPeeters`. *Related issues and pull requests on GitHub:* :issue:`9436`. - Fixed :py:meth:`WebSocketResponse.close() ` to discard non-close messages within its timeout window after sending close -- by :user:`lenard-mosys`. *Related issues and pull requests on GitHub:* :issue:`9506`. - Fixed a deadlock that could occur while attempting to get a new connection slot after a timeout -- by :user:`bdraco`. The connector was not cancellation-safe. *Related issues and pull requests on GitHub:* :issue:`9670`, :issue:`9671`. - Fixed the WebSocket flow control calculation undercounting with multi-byte data -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9686`. - Fixed incorrect parsing of chunk extensions with the pure Python parser -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9851`. - Fixed system routes polluting the middleware cache -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9852`. ## Removals and backward incompatible breaking changes - Improved performance of the connector when a connection can be reused -- by :user:`bdraco`. If `BaseConnector.connect` has been subclassed and replaced with custom logic, the `ceil_timeout` must be added. *Related issues and pull requests on GitHub:* :issue:`9600`. ## Miscellaneous internal changes - Improved performance of the client request lifecycle when there are no cookies -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9470`. - Improved performance of sending client requests when the writer can finish synchronously -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9485`. - Improved performance of serializing HTTP headers -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9603`. - Passing `enable_cleanup_closed` to :py:class:`aiohttp.TCPConnector` is now ignored on Python 3.12.7+ and 3.13.1+ since the underlying bug that caused asyncio to leak SSL connections has been fixed upstream -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9726`, :issue:`9736`. *** ### [`v3.10.10`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#31010-2024-10-10) [Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.9...v3.10.10) \==================== ## Bug fixes - Fixed error messages from :py:class:`~aiohttp.resolver.AsyncResolver` being swallowed -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9451`, :issue:`9455`. ## Features - Added :exc:`aiohttp.ClientConnectorDNSError` for differentiating DNS resolution errors from other connector errors -- by :user:`mstojcevich`. *Related issues and pull requests on GitHub:* :issue:`8455`. ## Miscellaneous internal changes - Simplified DNS resolution throttling code to reduce chance of race conditions -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9454`. *** ### [`v3.10.9`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3109-2024-10-04) [Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.8...v3.10.9) \=================== ## Bug fixes - Fixed proxy headers being used in the `ConnectionKey` hash when a proxy was not being used -- by :user:`bdraco`. If default headers are used, they are also used for proxy headers. This could have led to creating connections that were not needed when one was already available. *Related issues and pull requests on GitHub:* :issue:`9368`. - Widened the type of the `trace_request_ctx` parameter of :meth:`ClientSession.request() ` and friends \-- by :user:`layday`. *Related issues and pull requests on GitHub:* :issue:`9397`. ## Removals and backward incompatible breaking changes - Fixed failure to try next host after single-host connection timeout -- by :user:`brettdh`. The default client :class:`aiohttp.ClientTimeout` params has changed to include a `sock_connect` timeout of 30 seconds so that this correct behavior happens by default. *Related issues and pull requests on GitHub:* :issue:`7342`. ## Miscellaneous internal changes - Improved performance of resolving hosts with Python 3.12+ -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9342`. - Reduced memory required for timer objects created during the client request lifecycle -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9406`. *** ### [`v3.10.8`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3108-2024-09-28) [Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.7...v3.10.8) \=================== ## Bug fixes - Fixed cancellation leaking upwards on timeout -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9326`. *** ### [`v3.10.7`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3107-2024-09-27) [Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.6...v3.10.7) \=================== ## Bug fixes - Fixed assembling the :class:`~yarl.URL` for web requests when the host contains a non-default port or IPv6 address -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9309`. ## Miscellaneous internal changes - Improved performance of determining if a URL is absolute -- by :user:`bdraco`. The property :attr:`~yarl.URL.absolute` is more performant than the method `URL.is_absolute()` and preferred when newer versions of yarl are used. *Related issues and pull requests on GitHub:* :issue:`9171`. - Replaced code that can now be handled by `yarl` -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9301`. *** ### [`v3.10.6`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3106-2024-09-24) [Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.5...v3.10.6) \=================== ## Bug fixes - Added :exc:`aiohttp.ClientConnectionResetError`. Client code that previously threw :exc:`ConnectionResetError` will now throw this -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`9137`. - Fixed an unclosed transport `ResourceWarning` on web handlers -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8875`. - Fixed resolve_host() 'Task was destroyed but is pending' errors -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8967`. - Fixed handling of some file-like objects (e.g. `tarfile.extractfile()`) which raise `AttributeError` instead of `OSError` when `fileno` fails for streaming payload data -- by :user:`ReallyReivax`. *Related issues and pull requests on GitHub:* :issue:`6732`. - Fixed web router not matching pre-encoded URLs (requires yarl 1.9.6+) -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8898`, :issue:`9267`. - Fixed an error when trying to add a route for multiple methods with a path containing a regex pattern -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8998`. - Fixed `Response.text` when body is a `Payload` -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`6485`. - Fixed compressed requests failing when no body was provided -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`9108`. - Fixed client incorrectly reusing a connection when the previous message had not been fully sent -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8992`. - Fixed race condition that could cause server to close connection incorrectly at keepalive timeout -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`9140`. - Fixed Python parser chunked handling with multiple Transfer-Encoding values -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8823`. - Fixed error handling after 100-continue so server sends 500 response instead of disconnecting -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8876`. - Stopped adding a default Content-Type header when response has no content -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8858`. - Added support for URL credentials with empty (zero-length) username, e.g. `https://:password@host` -- by :user:`shuckc` *Related issues and pull requests on GitHub:* :issue:`6494`. - Stopped logging exceptions from `web.run_app()` that would be raised regardless -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`6807`. - Implemented binding to IPv6 addresses in the pytest server fixture. *Related issues and pull requests on GitHub:* :issue:`4650`. - Fixed the incorrect use of flags for `getnameinfo()` in the Resolver --by :user:`GitNMLee` Link-Local IPv6 addresses can now be handled by the Resolver correctly. *Related issues and pull requests on GitHub:* :issue:`9032`. - Fixed StreamResponse.prepared to return True after EOF is sent -- by :user:`arthurdarcet`. *Related issues and pull requests on GitHub:* :issue:`5343`. - Changed `make_mocked_request()` to use empty payload by default -- by :user:`rahulnht`. *Related issues and pull requests on GitHub:* :issue:`7167`. - Used more precise type for `ClientResponseError.headers`, fixing some type errors when using them -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8768`. - Changed behavior when returning an invalid response to send a 500 response -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8845`. - Fixed response reading from closed session to throw an error immediately instead of timing out -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8878`. - Fixed `CancelledError` from one cleanup context stopping other contexts from completing -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8908`. - Fixed changing scheme/host in `Response.clone()` for absolute URLs -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8990`. - Fixed `Site.name` when host is an empty string -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8929`. - Updated Python parser to reject messages after a close message, matching C parser behaviour -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`9018`. - Fixed creation of `SSLContext` inside of :py:class:`aiohttp.TCPConnector` with multiple event loops in different threads -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9029`. - Fixed (on Python 3.11+) some edge cases where a task cancellation may get incorrectly suppressed -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`9030`. - Fixed exception information getting lost on `HttpProcessingError` -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`9052`. - Fixed `If-None-Match` not using weak comparison -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`9063`. - Fixed badly encoded charset crashing when getting response text instead of falling back to charset detector. *Related issues and pull requests on GitHub:* :issue:`9160`. - Rejected `\n` in `reason` values to avoid sending broken HTTP messages -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`9167`. - Changed :py:meth:`ClientResponse.raise_for_status() ` to only release the connection when invoked outside an `async with` context -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`9239`. ## Features - Improved type on `params` to match the underlying type allowed by `yarl` -- by :user:`lpetre`. *Related issues and pull requests on GitHub:* :issue:`8564`. - Declared Python 3.13 supported -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`8748`. ## Removals and backward incompatible breaking changes - Improved middleware performance -- by :user:`bdraco`. The `set_current_app` method was removed from `UrlMappingMatchInfo` because it is no longer used, and it was unlikely external caller would ever use it. *Related issues and pull requests on GitHub:* :issue:`9200`. - Increased minimum yarl version to 1.12.0 -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9267`. ## Improved documentation - Clarified that `GracefulExit` needs to be handled in `AppRunner` and `ServerRunner` when using `handle_signals=True`. -- by :user:`Daste745` *Related issues and pull requests on GitHub:* :issue:`4414`. - Clarified that auth parameter in ClientSession will persist and be included with any request to any origin, even during redirects to different origins. -- by :user:`MaximZemskov`. *Related issues and pull requests on GitHub:* :issue:`6764`. - Clarified which timeout exceptions happen on which timeouts -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8968`. - Updated `ClientSession` parameters to match current code -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8991`. ## Packaging updates and notes for downstreams - Fixed `test_client_session_timeout_zero` to not require internet access -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`9004`. ## Miscellaneous internal changes - Improved performance of making requests when there are no auto headers to skip -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`8847`. - Exported `aiohttp.TraceRequestHeadersSentParams` -- by :user:`Hadock-is-ok`. *Related issues and pull requests on GitHub:* :issue:`8947`. - Avoided tracing overhead in the http writer when there are no active traces -- by user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9031`. - Improved performance of reify Cython implementation -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9054`. - Use :meth:`URL.extend_query() ` to extend query params (requires yarl 1.11.0+) -- by :user:`bdraco`. If yarl is older than 1.11.0, the previous slower hand rolled version will be used. *Related issues and pull requests on GitHub:* :issue:`9068`. - Improved performance of checking if a host is an IP Address -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9095`. - Significantly improved performance of middlewares -- by :user:`bdraco`. The construction of the middleware wrappers is now cached and is built once per handler instead of on every request. *Related issues and pull requests on GitHub:* :issue:`9158`, :issue:`9170`. - Improved performance of web requests -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9168`, :issue:`9169`, :issue:`9172`, :issue:`9174`, :issue:`9175`, :issue:`9241`. - Improved performance of starting web requests when there is no response prepare hook -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9173`. - Significantly improved performance of expiring cookies -- by :user:`bdraco`. Expiring cookies has been redesigned to use :mod:`heapq` instead of a linear search, to better scale. *Related issues and pull requests on GitHub:* :issue:`9203`. - Significantly sped up filtering cookies -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`9204`. *** ### [`v3.10.5`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3105-2024-08-19) [Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.4...v3.10.5) \========================= ## Bug fixes - Fixed :meth:`aiohttp.ClientResponse.json()` not setting `status` when :exc:`aiohttp.ContentTypeError` is raised -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`8742`. ## Miscellaneous internal changes - Improved performance of the WebSocket reader -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`8736`, :issue:`8747`. *** ### [`v3.10.4`](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.3...v3.10.4) [Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.3...v3.10.4) ### [`v3.10.3`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3103-2024-08-10) [Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.2...v3.10.3) \======================== ## Bug fixes - Fixed multipart reading when stream buffer splits the boundary over several read() calls -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8653`. - Fixed :py:class:`aiohttp.TCPConnector` doing blocking I/O in the event loop to create the `SSLContext` -- by :user:`bdraco`. The blocking I/O would only happen once per verify mode. However, it could cause the event loop to block for a long time if the `SSLContext` creation is slow, which is more likely during startup when the disk cache is not yet present. *Related issues and pull requests on GitHub:* :issue:`8672`. ## Miscellaneous internal changes - Improved performance of :py:meth:`~aiohttp.ClientWebSocketResponse.receive` and :py:meth:`~aiohttp.web.WebSocketResponse.receive` when there is no timeout. -- by :user:`bdraco`. The timeout context manager is now avoided when there is no timeout as it accounted for up to 50% of the time spent in the :py:meth:`~aiohttp.ClientWebSocketResponse.receive` and :py:meth:`~aiohttp.web.WebSocketResponse.receive` methods. *Related issues and pull requests on GitHub:* :issue:`8660`. - Improved performance of starting request handlers with Python 3.12+ -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`8661`. - Improved performance of HTTP keep-alive checks -- by :user:`bdraco`. Previously, when processing a request for a keep-alive connection, the keep-alive check would happen every second; the check is now rescheduled if it fires too early instead. *Related issues and pull requests on GitHub:* :issue:`8662`. - Improved performance of generating random WebSocket mask -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`8667`. *** ### [`v3.10.2`](https://redirect.github.com/aio-libs/aiohttp/blob/HEAD/CHANGES.rst#3102-2024-08-08) [Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.1...v3.10.2) \=================== ## Bug fixes - Fixed server checks for circular symbolic links to be compatible with Python 3.13 -- by :user:`steverep`. *Related issues and pull requests on GitHub:* :issue:`8565`. - Fixed request body not being read when ignoring an Upgrade request -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8597`. - Fixed an edge case where shutdown would wait for timeout when the handler was already completed -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8611`. - Fixed connecting to `npipe://`, `tcp://`, and `unix://` urls -- by :user:`bdraco`. *Related issues and pull requests on GitHub:* :issue:`8632`. - Fixed WebSocket ping tasks being prematurely garbage collected -- by :user:`bdraco`. There was a small risk that WebSocket ping tasks would be prematurely garbage collected because the event loop only holds a weak reference to the task. The garbage collection risk has been fixed by holding a strong reference to the task. Additionally, the task is now scheduled eagerly with Python 3.12+ to increase the chance it can be completed immediately and avoid having to hold any references to the task. *Related issues and pull requests on GitHub:* :issue:`8641`. - Fixed incorrectly following symlinks for compressed file variants -- by :user:`steverep`. *Related issues and pull requests on GitHub:* :issue:`8652`. ## Removals and backward incompatible breaking changes - Removed `Request.wait_for_disconnection()`, which was mistakenly added briefly in 3.10.0 -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8636`. ## Contributor-facing changes - Fixed monkey patches for `Path.stat()` and `Path.is_dir()` for Python 3.13 compatibility -- by :user:`steverep`. *Related issues and pull requests on GitHub:* :issue:`8551`. ## Miscellaneous internal changes - Improved WebSocket performance when messages are sent or received frequently -- by :user:`bdraco`. The WebSocket heartbeat scheduling algorithm was improved to reduce the `asyncio` scheduling overhead by decreasing the number of `asyncio.TimerHandle` creations and cancellations. *Related issues and pull requests on GitHub:* :issue:`8608`. - Minor improvements to various type annotations -- by :user:`Dreamsorcerer`. *Related issues and pull requests on GitHub:* :issue:`8634`. *** ### [`v3.10.1`](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.0...v3.10.1) [Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.10.0...v3.10.1) ### [`v3.10.0`](https://redirect.github.com/aio-libs/aiohttp/compare/v3.9.5...v3.10.0) [Compare Source](https://redirect.github.com/aio-libs/aiohttp/compare/v3.9.5...v3.10.0)

Configuration

πŸ“… Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

β™» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

πŸ”• Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.