
http-api: error in MultiPart parser for FastAPI version >= 0.91.0
Closed, Resolved | Public | BUG

Description

The http-api REST endpoints support both form data and JSON format requests. Request parsing for FastAPI versions >= 0.91.0 (Starlette versions >= 0.24.0) throws an error in the case of form data, likely due to stricter validation, similar to the issue in T3616.

This is a blocker for update of FastAPI for a reported security vulnerability, hence is 'unbreak now'.

Details

Difficulty level
Normal (likely a few hours)
Version
vyos-1.4
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

jestabro triaged this task as Unbreak Now! priority. Apr 23 2023, 1:39 PM
jestabro created this task.
jestabro created this object in space S1 VyOS Public.
jestabro renamed this task from http-api: error in MultipPart parser for FastAPI version >= 0.90.0 to http-api: error in MultiPart parser for FastAPI version >= 0.90.0. Apr 23 2023, 2:10 PM
jestabro renamed this task from http-api: error in MultiPart parser for FastAPI version >= 0.90.0 to http-api: error in MultiPart parser for FastAPI version >= 0.91.0. Apr 23 2023, 8:29 PM
jestabro updated the task description.

This has a simple fix: starlette commit c568b55d set the attribute

Request._form = None

to support use of Request.form() as a context manager. Since we override the Request class for backwards-compatibility support (translation) of form-data requests, we need to check for value, not existence, of the attribute. Adding this fix allows updating FastAPI past 0.91.0.

jestabro changed the task status from Open to In progress. Apr 23 2023, 8:35 PM
jestabro changed the task status from In progress to Backport candidate. Apr 24 2023, 2:02 PM
jestabro changed the task status from Backport candidate to Backport pending.
jestabro changed the status of subtask T5176: http-api: update vyos-http-api-tools for FastAPI security vulnerability from Open to Backport pending.
jestabro moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.
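
The difference between checking for existence and checking for value of `_form`, as described in the comment above, shown as an added example that is not part of the ticket and is not VyOS or Starlette code. `OldBase`, `NewBase`, `ExistenceCheck`, `ValueCheck`, `parse_form` and the URL-encoded sample body are hypothetical, simplified stand-ins (synchronous, no multipart parsing).

```python
from urllib.parse import parse_qs

# Constructed sample body; field names and values are illustrative only.
SAMPLE_BODY = b"data=%7B%22op%22%3A%22showConfig%22%7D&key=PLACEHOLDER"

def parse_form(body: bytes) -> dict:
    """Minimal form parser standing in for the real one."""
    return {k: v[0] for k, v in parse_qs(body.decode()).items()}

class OldBase:
    """Stand-in for the older base class: _form does not exist until parsed."""
    def __init__(self, body: bytes):
        self._raw = body

class NewBase(OldBase):
    """Stand-in for the newer base class: __init__ pre-sets _form = None."""
    def __init__(self, body: bytes):
        super().__init__(body)
        self._form = None

class ExistenceCheck:
    """Override that caches on attribute existence (the pre-fix pattern)."""
    def form(self):
        if not hasattr(self, "_form"):
            self._form = parse_form(self._raw)
        return self._form

class ValueCheck:
    """Override that caches on attribute value (the pattern the fix describes)."""
    def form(self):
        if getattr(self, "_form", None) is None:
            self._form = parse_form(self._raw)
        return self._form

def run(override, base, body: bytes = SAMPLE_BODY):
    """Build a request class from an override and a base, then read the form."""
    request_cls = type("Request", (override, base), {})
    return request_cls(body).form()

if __name__ == "__main__":
    for override in (ExistenceCheck, ValueCheck):
        for base in (OldBase, NewBase):
            # ExistenceCheck on NewBase yields None: the attribute already
            # exists, so parsing is skipped and callers get no form data.
            print(override.__name__, base.__name__, run(override, base))
```
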