chore(deps): update dependency starlette to ^0.27.0 [security] #219
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^0.26.1
->^0.27.0
GitHub Vulnerability Alerts
CVE-2023-29159
Summary
When using
StaticFiles
, if there's a file or directory that starts with the same name as theStaticFiles
directory, that file or directory is also exposed viaStaticFiles
which is a path traversal vulnerability.Details
The root cause of this issue is the usage of
os.path.commonprefix()
:https://github.com/encode/starlette/blob/4bab981d9e870f6cee1bd4cd59b87ddaf355b2dc/starlette/staticfiles.py#L172-L174
As stated in the Python documentation (https://docs.python.org/3/library/os.path.html#os.path.commonprefix) this function returns the longest prefix common to paths.
When passing a path like
/static/../static1.txt
,os.path.commonprefix([full_path, directory])
returns./static
which is the common part of./static1.txt
and./static
, It refers to/static/../static1.txt
because it is considered in the staticfiles directory. As a result, it becomes possible to view files that should not be open to the public.The solution is to use
os.path.commonpath
as the Python documentation explains thatos.path.commonprefix
works a character at a time, it does not treat the arguments as paths.PoC
In order to reproduce the issue, you need to create the following structure:
And run the
Starlette
app with:And running the commands:
The
static1.txt
and the directorystatic_disallow
are exposed.Impact
Confidentiality is breached: An attacker may obtain files that should not be open to the public.
Credits
Security researcher Masashi Yamane of LAC Co., Ltd reported this vulnerability to JPCERT/CC Vulnerability Coordination Group and they contacted us to coordinate a patch for the security issue.
Release Notes
encode/starlette
v0.27.0
: Version 0.27.0Compare Source
This release fixes a path traversal vulnerability in
StaticFiles
. You can view the full security advisory:GHSA-v5gw-mw7f-84px
Added
send_json
https://github.com/encode/starlette/pull/2128Fixed
commonprefix
bycommonpath
onStaticFiles
1797de4.Full Changelog: encode/starlette@0.26.1...0.27.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.