Closed DoctorJohn closed 6 days ago
This pull request disables multipart uploads by default and adjusts the Django view to no longer be implicitly exempted from Django's built-in CSRF protection. These changes are aimed at improving security by making users explicitly opt-in to features that may have security implications.
Change | Details | Files
---|---|---
Disabled multipart uploads by default | | strawberry/http/async_base_view.py, strawberry/http/sync_base_view.py, strawberry/django/views.py, strawberry/aiohttp/views.py, strawberry/asgi/__init__.py, strawberry/channels/handlers/http_handler.py, strawberry/fastapi/router.py, strawberry/flask/views.py, strawberry/quart/views.py, strawberry/sanic/views.py, strawberry/litestar/controller.py, docs/integrations/django.md, docs/integrations/sanic.md, docs/integrations/aiohttp.md, docs/integrations/asgi.md, docs/integrations/flask.md, docs/integrations/quart.md, docs/integrations/channels.md, docs/integrations/fastapi.md, docs/integrations/litestar.md
Removed implicit CSRF exemption from Django view | | strawberry/django/views.py, docs/integrations/django.md
Updated tests to accommodate new multipart upload behavior | | tests/http/test_upload.py, tests/http/clients/channels.py, tests/http/clients/django.py, tests/http/clients/aiohttp.py, tests/http/clients/asgi.py, tests/http/clients/async_flask.py, tests/http/clients/fastapi.py, tests/http/clients/flask.py, tests/http/clients/litestar.py, tests/http/clients/quart.py, tests/http/clients/sanic.py, tests/http/clients/async_django.py, tests/http/clients/base.py, tests/http/clients/chalice.py
Added documentation for breaking changes | | docs/breaking-changes/0.243.0.md, docs/breaking-changes.md
Added release notes | | RELEASE.md
```mermaid
sequenceDiagram
    participant C as Client
    participant V as Strawberry View
    participant H as HTTP Handler
    C->>V: HTTP Request
    V->>H: Parse HTTP Body
    alt multipart_uploads_enabled is True
        H->>H: Process Multipart Data
    else multipart_uploads_enabled is False
        H->>H: Reject Multipart Data
    end
    H->>V: Parsed Data
    V->>C: HTTP Response
```
Thanks for adding the RELEASE.md file!
Here's a preview of the changelog:
Starting with this release, multipart uploads are disabled by default and the Strawberry Django view is no longer implicitly exempted from Django's CSRF protection. Both changes relieve users from implicit security implications inherited from the GraphQL multipart request specification, which was enabled in Strawberry by default.
These are breaking changes if you are using multipart uploads OR the Strawberry Django view. Migration guides including further information are available on the Strawberry website.
Here's the tweet text:
Release (next) is out! Thanks to @NucleonJohn
We've made some important security changes regarding file uploads and CSRF in Django.
Check out our migration guides if you're using multipart or Django view.
https://strawberry.rocks/release/(next)
All modified and coverable lines are covered by tests ✅
Project coverage is 96.76%. Comparing base (18f0f5d) to head (f5d9b0b). Report is 1 commit behind head on main.
Comparing DoctorJohn:disable-multipart-uploads-by-default (f5d9b0b) with main (18f0f5d)
15 untouched benchmarks
Description
This PR disables support for the GraphQL multipart request spec (i.e., multipart uploads) by default and adjusts the Django view to no longer be implicitly exempted from Django's built-in CSRF protection.
These are breaking changes for those using multipart uploads AND/OR the Django view integration.
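The opt-in gate in the sequence diagram above, and what a handler does once a multipart request is accepted, as an added example that is not Strawberry's own code. It assumes form fields and files arrive already parsed as dicts (the web framework's job, as in the integrations listed in the table) and that the `multipart_uploads_enabled` flag defaults to `False`; the function and exception names, the 400 status and the reason strings are hypothetical choices for this example. The multipart branch implements the GraphQL multipart request spec's `operations` + `map` merge, which is the code path the default now keeps unreachable unless a user turns it on.

```python
"""Model of the multipart-upload gate described in this PR.

Added example, not Strawberry's code. Names and status codes are hypothetical.
"""
from __future__ import annotations

import json
from typing import Any


class HTTPException(Exception):
    """Hypothetical error type carrying an HTTP status for the response."""

    def __init__(self, status_code: int, reason: str) -> None:
        super().__init__(reason)
        self.status_code = status_code
        self.reason = reason


def _set_path(root: Any, path: str, value: Any) -> None:
    """Assign `value` at a dotted path such as 'variables.files.0'."""
    parts = path.split(".")
    node = root
    for key in parts[:-1]:
        node = node[int(key)] if isinstance(node, list) else node[key]
    last = parts[-1]
    if isinstance(node, list):
        node[int(last)] = value
    else:
        node[last] = value


def parse_multipart_operations(form: dict[str, str], files: dict[str, Any]) -> dict:
    """GraphQL multipart request spec merge: `operations` holds the request
    with null placeholders, `map` names which file fills which placeholder."""
    operations = json.loads(form["operations"])
    files_map = json.loads(form["map"])
    for file_key, paths in files_map.items():
        if file_key not in files:
            raise HTTPException(400, f"file '{file_key}' is in map but was not uploaded")
        for path in paths:
            _set_path(operations, path, files[file_key])
    return operations


def parse_http_body(
    content_type: str,
    body: bytes,
    form: dict[str, str] | None = None,
    files: dict[str, Any] | None = None,
    *,
    multipart_uploads_enabled: bool = False,  # opt-in, matching the new default
) -> dict:
    """Dispatch on media type; multipart is rejected unless explicitly enabled."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/json":
        return json.loads(body)
    if media_type == "multipart/form-data":
        if not multipart_uploads_enabled:
            # The gate: refuse before touching any form field or file.
            raise HTTPException(400, "unsupported content type")
        return parse_multipart_operations(form or {}, files or {})
    raise HTTPException(400, "unsupported content type")


def demo() -> dict:
    """Run the same constructed multipart request through both settings."""
    # Constructed sample: a single-file upload mutation per the multipart spec.
    form = {
        "operations": json.dumps(
            {
                "query": "mutation($file: Upload!) { upload(file: $file) }",
                "variables": {"file": None},
            }
        ),
        "map": json.dumps({"0": ["variables.file"]}),
    }
    files = {"0": b"hello"}  # constructed stand-in for the uploaded file object
    outcome: dict = {}
    try:
        parse_http_body("multipart/form-data; boundary=x", b"", form, files)
    except HTTPException as exc:
        outcome["default_status"] = exc.status_code  # rejected by default
    ops = parse_http_body(
        "multipart/form-data; boundary=x", b"", form, files, multipart_uploads_enabled=True
    )
    outcome["opted_in_file"] = ops["variables"]["file"]  # placeholder replaced
    return outcome


if __name__ == "__main__":
    print(demo())
```

The gate sits before any form parsing so that, with the default, the multipart body is never read into the `operations`/`map` structure at all. The CSRF half of the PR is not modelled here because it is Django's machinery rather than Strawberry's: once the view stops being implicitly exempt, Django's `CsrfViewMiddleware` applies to it like any other view, and anyone who really needs the old behaviour has to wrap the view with Django's `csrf_exempt` themselves, which makes the exemption visible in their own code.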
Types of Changes
Summary by Sourcery
Disable multipart uploads by default and remove implicit CSRF exemption for Django views, requiring users to opt-in for these features. Update documentation and tests to reflect these changes and add release notes for the breaking changes.