chore(deps): update dependency fastapi to v0.109.1 [security] #400
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==0.109.0
->==0.109.1
Review
GitHub Vulnerability Alerts
CVE-2024-24762
Summary
When using form data,
python-multipart
uses a Regular Expression to parse the HTTPContent-Type
header, including options.An attacker could send a custom-made
Content-Type
option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.This can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
This only applies when the app uses form data, parsed with
python-multipart
.Details
A regular HTTP
Content-Type
header could look like:python-multipart
parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74A custom option could be made and sent to the server to break it with:
This is also reported to Starlette at: https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238
PoC
Create a FastAPI app that uses form data:
Then start it with:
Then send the attacking request with:
$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'
Stopping it
Because that holds the main loop consuming the CPU non-stop, it's not possible to simply kill Uvicorn with
Ctrl+C
as it can't handle the signal.To stop it, first check the process ID running Uvicorn:
In this case, the process ID was
59461
, then you can kill it (forcefully, with-9
) with:$ kill -9 59461
Impact
It's a ReDoS, (Regular expression Denial of Service), it only applies to those reading form data, using
python-multipart
. This way it also affects other libraries using Starlette, like FastAPI.Original Report
This was originally reported to FastAPI as an email to [email protected], sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r
Original report to FastAPI
Hey Tiangolo!
My name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).
Here are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:
I'm running the above with uvicorn with the following command:
uvicorn server:app
Then run the following cUrl command:
You'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%
You can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you'll completely DoS the FastApi server.
If you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.
Cheers
Impact
An attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.
Occurrences
params.py L586
Release Notes
tiangolo/fastapi (fastapi)
v0.109.1
Compare Source
Security fixes
python-multipart
to>=0.0.7
to fix a vulnerability when using form data with a ReDos attack. You can also simply upgradepython-multipart
.Read more in the advisory: Content-Type Header ReDoS.
Features
Refactors
fastapi/utils.py
. PR #10576 by @eukub.tests/test_tutorial/test_header_params/test_tutorial003.py
after fix in Starlette. PR #10904 by @ooknimm.Docs
help-fastapi.md
. PR #11040 by @tiangolo.fastapi/security/oauth2.py
. PR #10972 by @RafalSkolasinski.HTTPException
details indocs/en/docs/tutorial/handling-errors.md
. PR #5418 by @papb.docs/de/docs/tutorial/first-steps.md
. PR #10959 by @nilslindemann.docs/en/docs/advanced/async-tests.md
. PR #10960 by @nilslindemann.docs/tutorial/sql-databases.md
in several languages. PR #10716 by @theoohoho.external_links.yml
. PR #10943 by @Torabek.url_for
. PR #5937 by @EzzEddin.docs/en/docs/tutorial/bigger-applications.md
. PR #5490 by @papb.docs/en/docs/tutorial/static-files.md
. PR #10243 by @hungtsetse.en/docs/contributing.md
. PR #10480 by @nilslindemann.tutorial/bigger-applications.md
. PR #10552 by @nilslindemann.docs/en/docs/advanced/path-operation-advanced-configuration.md
. PR #10826 by @ahmedabdou14.Translations
docs/es/docs/external-links.md
. PR #10933 by @pablocm83.docs/ko/docs/tutorial/first-steps.md
,docs/ko/docs/tutorial/index.md
,docs/ko/docs/tutorial/path-params.md
, anddocs/ko/docs/tutorial/query-params.md
. PR #4218 by @SnowSuno.docs/zh/docs/tutorial/dependencies/dependencies-with-yield.md
. PR #10870 by @zhiquanchi.docs/zh/docs/deployment/concepts.md
. PR #10282 by @xzmeng.docs/az/docs/index.md
. PR #11047 by @aykhans.docs/ko/docs/tutorial/middleware.md
. PR #2829 by @JeongHyeongKim.docs/de/docs/tutorial/body-nested-models.md
. PR #10313 by @nilslindemann.docs/fa/docs/tutorial/middleware.md
. PR #9695 by @mojtabapaso.docs/fa/docs/index.md
. PR #10216 by @theonlykingpin.docs/de/docs/tutorial/body-fields.md
. PR #10310 by @nilslindemann.docs/de/docs/tutorial/body.md
. PR #10295 by @nilslindemann.docs/de/docs/tutorial/body-multiple-params.md
. PR #10308 by @nilslindemann.docs/ja/docs/tutorial/security/get-current-user.md
. PR #2681 by @sh0nk.docs/zh/docs/advanced/advanced-dependencies.md
. PR #3798 by @jaystone776.docs/zh/docs/advanced/events.md
. PR #3815 by @jaystone776.docs/zh/docs/advanced/behind-a-proxy.md
. PR #3820 by @jaystone776.docs/zh/docs/advanced/testing-events.md
. PR #3818 by @jaystone776.docs/zh/docs/advanced/testing-websockets.md
. PR #3817 by @jaystone776.docs/zh/docs/advanced/testing-database.md
. PR #3821 by @jaystone776.docs/zh/docs/deployment/deta.md
. PR #3837 by @jaystone776.docs/zh/docs/history-design-future.md
. PR #3832 by @jaystone776.docs/zh/docs/project-generation.md
. PR #3831 by @jaystone776.docs/zh/docs/deployment/docker.md
. PR #10296 by @xzmeng.docs/es/docs/features.md
. PR #10884 by @pablocm83.docs/es/docs/newsletter.md
. PR #10922 by @pablocm83.docs/ko/docs/tutorial/background-tasks.md
. PR #5910 by @junah201.docs/tr/docs/alternatives.md
. PR #10502 by @alperiox.docs/ko/docs/tutorial/dependencies/index.md
. PR #10989 by @KaniKim./docs/ko/docs/tutorial/body.md
. PR #11000 by @KaniKim.docs/pt/docs/tutorial/schema-extra-example.md
. PR #4065 by @luccasmmg.docs/tr/docs/history-design-future.md
. PR #11012 by @hasansezertasan.docs/tr/docs/resources/index.md
. PR #11020 by @hasansezertasan.docs/tr/docs/how-to/index.md
. PR #11021 by @hasansezertasan.docs/de/docs/tutorial/query-params.md
. PR #10293 by @nilslindemann.docs/de/docs/benchmarks.md
. PR #10866 by @nilslindemann.docs/tr/docs/learn/index.md
. PR #11014 by @hasansezertasan.docs/fa/docs/tutorial/security/index.md
. PR #9945 by @mojtabapaso.docs/tr/docs/help/index.md
. PR #11013 by @hasansezertasan.docs/tr/docs/about/index.md
. PR #11006 by @hasansezertasan.docs/tr/docs/benchmarks.md
. PR #11005 by @hasansezertasan.docs/it/docs/index.md
. PR #5233 by @matteospanio.docs/ko/docs/help/index.md
. PR #10983 by @KaniKim.docs/ko/docs/features.md
. PR #10976 by @KaniKim.docs/ko/docs/tutorial/security/get-current-user.md
. PR #5737 by @KdHyeon0661.docs/ru/docs/tutorial/security/first-steps.md
. PR #10541 by @AlertRED.docs/ru/docs/tutorial/handling-errors.md
. PR #10375 by @AlertRED.docs/ru/docs/tutorial/encoder.md
. PR #10374 by @AlertRED.docs/ru/docs/tutorial/body-updates.md
. PR #10373 by @AlertRED.fastapi-people.md
.. PR #10255 by @NiKuma0.docs/ja/docs/tutorial/security/index.md
. PR #5798 by @3w36zj6.docs/de/docs/advanced/generate-clients.md
. PR #10725 by @nilslindemann.docs/de/docs/advanced/openapi-webhooks.md
. PR #10712 by @nilslindemann.docs/de/docs/advanced/custom-response.md
. PR #10624 by @nilslindemann.docs/de/docs/advanced/additional-status-codes.md
. PR #10617 by @nilslindemann.docs/de/docs/tutorial/middleware.md
. PR #10391 by @JohannesJungbluth.docs/ja/docs/tutorial/encoder.md
. PR #1955 by @SwftAlpc.docs/ja/docs/tutorial/extra-data-types.md
. PR #1932 by @SwftAlpc.docs/tr/docs/async.md
. PR #5191 by @BilalAlpaslan.docs/tr/docs/project-generation.md
. PR #5192 by @BilalAlpaslan.docs/ko/docs/deployment/docker.md
. PR #5657 by @nearnear.docs/ko/docs/deployment/server-workers.md
. PR #4935 by @jujumilk3.docs/ko/docs/deployment/index.md
. PR #4561 by @jujumilk3.docs/ko/docs/tutorial/path-operation-configuration.md
. PR #3639 by @jungsu-kwon.zh
- Traditional Chinese. PR #10889 by @cherinyy.docs/ko/docs/tutorial/static-files.md
. PR #2957 by @jeesang7.docs/ko/docs/tutorial/response-model.md
. PR #2766 by @hard-coders.docs/ko/docs/tutorial/body-multiple-params.md
. PR #2461 by @PandaHun.docs/ko/docs/tutorial/query-params-str-validations.md
. PR #2415 by @hard-coders.docs/ko/docs/python-types.md
. PR #2267 by @jrim.docs/ko/docs/tutorial/body-nested-models.md
. PR #2506 by @hard-coders.docs/ko/docs/learn/index.md
. PR #10977 by @KaniKim.docs/de/docs/tutorial/index.md
. PR #10962 by @nilslindemann.docs/ko/docs/tutorial/path-params.md
. PR #10758 by @2chanhaeng.docs/ja/docs/tutorial/dependencies/dependencies-with-yield.md
. PR #1961 by @SwftAlpc.docs/ja/docs/tutorial/dependencies/dependencies-in-path-operation-decorators.md
. PR #1960 by @SwftAlpc.docs/ja/docs/tutorial/dependencies/sub-dependencies.md
. PR #1959 by @SwftAlpc.docs/ja/docs/tutorial/background-tasks.md
. PR #2668 by @tokusumi.docs/ja/docs/tutorial/dependencies/index.md
anddocs/ja/docs/tutorial/dependencies/classes-as-dependencies.md
. PR #1958 by @SwftAlpc.docs/ja/docs/tutorial/response-model.md
. PR #1938 by @SwftAlpc.docs/ja/docs/tutorial/body-multiple-params.md
. PR #1903 by @SwftAlpc.docs/ja/docs/tutorial/path-params-numeric-validations.md
. PR #1902 by @SwftAlpc.docs/ja/docs/python-types.md
. PR #1899 by @SwftAlpc.docs/ja/docs/tutorial/handling-errors.md
. PR #1953 by @SwftAlpc.docs/ja/docs/tutorial/response-status-code.md
. PR #1942 by @SwftAlpc.docs/ja/docs/tutorial/extra-models.md
. PR #1941 by @SwftAlpc.docs/ja/docs/tutorial/schema-extra-example.md
. PR #1931 by @SwftAlpc.docs/ja/docs/tutorial/body-nested-models.md
. PR #1930 by @SwftAlpc.docs/ja/docs/tutorial/body-fields.md
. PR #1923 by @SwftAlpc.docs/de/docs/tutorial/index.md
. PR #9502 by @fhabers21.docs/de/docs/tutorial/background-tasks.md
. PR #10566 by @nilslindemann.docs/ru/docs/index.md
. PR #10672 by @Delitel-WEB.docs/zh/docs/tutorial/extra-data-types.md
. PR #10727 by @HiemalBeryl.docs/ru/docs/tutorial/dependencies/classes-as-dependencies.md
. PR #10410 by @AlertRED.Internal
mkdocs.yml
. PR #11016 by @alejsdev.mkdocs.yml
languages in CI, updatedocs.py
. PR #11009 by @tiangolo.label-approved.yml
to accept translations with 1 reviewer. PR #11007 by @alejsdev.zh-hant
. PR #10950 by @tiangolo.Configuration
📅 Schedule: Branch creation - "" in timezone America/Montreal, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.