Disable multipart uploads by default

DoctorJohn commented 1 week ago

Description

This PR disables support for the GraphQL multipart request spec (i.e, multipart uploads) by default and adjusts the Django view to no longer be implicitly exempted from Django's built-in CSRF protection.

These are breaking changes for those using multipart uploads AND/OR the Django view integration.

Types of Changes

[ ] Core
[ ] Bugfix
[ ] New feature
[x] Enhancement/optimization
[x] Documentation

Summary by Sourcery

Disable multipart uploads by default and remove implicit CSRF exemption for Django views, requiring users to opt-in for these features. Update documentation and tests to reflect these changes and add release notes for the breaking changes.

Enhancements:

Disable multipart uploads by default, requiring explicit enabling through a new configuration option.
Remove implicit CSRF exemption for Django views, requiring users to manually apply CSRF exemptions if needed.

Documentation:

Update documentation to reflect changes in multipart upload configuration and CSRF protection for Django views.
Add a new section in the breaking changes documentation detailing the changes in multipart uploads and CSRF protection.

Tests:

Modify tests to accommodate the new default behavior of multipart uploads being disabled, including adding tests for the disabled state.

Chores:

Add a new release note detailing the breaking changes introduced in this version.

sourcery-ai[bot] commented 1 week ago

Reviewer's Guide by Sourcery

This pull request disables multipart uploads by default and adjusts the Django view to no longer be implicitly exempted from Django's built-in CSRF protection. These changes are aimed at improving security by making users explicitly opt-in to features that may have security implications.

File-Level Changes

Change	Details	Files
Disabled multipart uploads by default	Added a new 'multipart_uploads_enabled' parameter to various view classes and functions, defaulting to False Modified HTTP body parsing logic to check for 'multipart_uploads_enabled' before processing multipart form data Updated documentation for all integrations to mention the new 'multipart_uploads_enabled' option	`strawberry/http/async_base_view.py` `strawberry/http/sync_base_view.py` `strawberry/django/views.py` `strawberry/aiohttp/views.py` `strawberry/asgi/__init__.py` `strawberry/channels/handlers/http_handler.py` `strawberry/fastapi/router.py` `strawberry/flask/views.py` `strawberry/quart/views.py` `strawberry/sanic/views.py` `strawberry/litestar/controller.py` `docs/integrations/django.md` `docs/integrations/sanic.md` `docs/integrations/aiohttp.md` `docs/integrations/asgi.md` `docs/integrations/flask.md` `docs/integrations/quart.md` `docs/integrations/channels.md` `docs/integrations/fastapi.md` `docs/integrations/litestar.md`
Removed implicit CSRF exemption from Django view	Removed @method_decorator(csrf_exempt) from Django view dispatch methods Updated Django integration documentation to show how to manually apply csrf_exempt if needed	`strawberry/django/views.py` `docs/integrations/django.md`
Updated tests to accommodate new multipart upload behavior	Added 'multipart_uploads_enabled' parameter to test client initializations Modified upload tests to use enabled HTTP clients	`tests/http/test_upload.py` `tests/http/clients/channels.py` `tests/http/clients/django.py` `tests/http/clients/aiohttp.py` `tests/http/clients/asgi.py` `tests/http/clients/async_flask.py` `tests/http/clients/fastapi.py` `tests/http/clients/flask.py` `tests/http/clients/litestar.py` `tests/http/clients/quart.py` `tests/http/clients/sanic.py` `tests/http/clients/async_django.py` `tests/http/clients/base.py` `tests/http/clients/chalice.py`
Added documentation for breaking changes	Created a new breaking changes document for version 0.243.0 Updated the main breaking changes list to include the new version	`docs/breaking-changes/0.243.0.md` `docs/breaking-changes.md`
Added release notes	Created RELEASE.md file with information about the breaking changes and migration guides	`RELEASE.md`

Sequence Diagram

sequenceDiagram
    participant C as Client
    participant V as Strawberry View
    participant H as HTTP Handler
    C->>V: HTTP Request
    V->>H: Parse HTTP Body
    alt multipart_uploads_enabled is True
        H->>H: Process Multipart Data
    else multipart_uploads_enabled is False
        H->>H: Reject Multipart Data
    end
    H->>V: Parsed Data
    V->>C: HTTP Response

Tips

- Trigger a new Sourcery review by commenting `@sourcery-ai review` on the pull request. - Continue your discussion with Sourcery by replying directly to review comments. - You can change your review settings at any time by accessing your [dashboard](https://app.sourcery.ai): - Enable or disable the Sourcery-generated pull request summary or reviewer's guide; - Change the review language; - You can always [contact us](mailto:support@sourcery.ai) if you have any questions or feedback.

botberry commented 1 week ago

Thanks for adding the RELEASE.md file!

Here's a preview of the changelog:

Starting with this release, multipart uploads are disabled by default and Strawberry Django view is no longer implicitly exempted from Django's CSRF protection. Both changes relieve users from implicit security implications inherited from the GraphQL multipart request specification which was enabled in Strawberry by default.

These are breaking changes if you are using multipart uploads OR the Strawberry Django view. Migrations guides including further information are available on the Strawberry website.

Here's the tweet text:

🆕 Release (next) is out! Thanks to @NucleonJohn 👏

We've made some important security changes regarding file uploads and CSRF in
Django.

Check out our migration guides if you're using multipart or Django view.

👇 https://strawberry.rocks/release/(next)

codecov[bot] commented 1 week ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 96.76%. Comparing base (18f0f5d) to head (f5d9b0b). Report is 1 commits behind head on main.

Additional details and impacted files

```diff @@ Coverage Diff @@ ## main #3645 +/- ## =========================================== + Coverage 72.55% 96.76% +24.21% =========================================== Files 518 522 +4 Lines 32647 33824 +1177 Branches 3772 5635 +1863 =========================================== + Hits 23687 32731 +9044 + Misses 8532 863 -7669 + Partials 428 230 -198 ```

codspeed-hq[bot] commented 1 week ago

CodSpeed Performance Report

Merging #3645 will not alter performance

_{Comparing DoctorJohn:disable-multipart-uploads-by-default (f5d9b0b) with main (18f0f5d)}

Summary

✅ 15 untouched benchmarks

strawberry-graphql / strawberry