fix(serve): --ui auth survives fastapi 0.137 (router match, fail closed); lift cap#444
Draft
soustruh wants to merge 2 commits into
The --ui auth predicate scanned app.routes as a flat list to decide which paths need auth. fastapi 0.137 nests included routers into a lazy tree (_IncludedRouter) instead of flattening, so the flat scan missed nested endpoints and served /doctor, /version, /changelog, /agents unauthenticated (GHSA-ffpq-prmh-3gx2). Ask the router's match protocol whether a GET resolves to a real endpoint instead -- the same resolution a real request uses, so it cannot miss a live endpoint. Fails closed: any error -> path treated as protected, never silently public.
…p 0.63.5 GHSA-ffpq-prmh-3gx2 was the reason for the temporary cap in 0.63.4; the router-match predicate fix lets fastapi go back to the latest release (0.137.2).
f29da23 to 3f5b957
Why

Follow-up to #443, which capped `fastapi<0.137` because 0.137 reopened GHSA-ffpq-prmh-3gx2. The `serve --ui` auth predicate scanned `app.routes` as a flat list; fastapi 0.137 (fastapi/fastapi#15745) made `include_router` nest routers into a lazy tree (`_IncludedRouter`) instead of flattening them, so the flat scan missed nested endpoints and served `/doctor`, `/version`, `/changelog`, `/agents` unauthenticated. fastapi documents this as intentional (their release notes warn that code iterating `app.routes` as a flat list is affected) -- so the fix is on our side.

What changed

- `server/app.py`: the `--ui` auth predicate asks the router's match protocol whether a GET resolves to a real endpoint (skipping the SPA StaticFiles catch-all), instead of scanning `app.routes`. `.matches()` is the same resolution a real request uses, so it can't miss a live endpoint however fastapi structures routes. Also fails closed.
- `pyproject.toml`: lift the `fastapi<0.137` cap (latest, 0.137.2, in the lock).

Verification

`test_serve_ui.py` (incl. the 7 GHSA regression tests) green on fastapi 0.137.2; full suite (minus live-cred e2e) green on 0.137; `ruff` + `ty` clean.

Stacking

Based on `fix/typer-vendored-click` (#443), not main. After #443 squash-merges: `git rebase --onto main fix/typer-vendored-click <this-branch>` and switch base to main (expect one intentional conflict on the fastapi pin / lock — the cap-lift itself).
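The two predicates the description contrasts, as an added model that is not the project's code: a flat scan of `app.routes` versus resolution through the router's own match protocol, with the SPA catch-all skipped and any error treated as protected. The `Route`, `IncludedRouter` and `StaticFiles` classes are a deliberately small stand-in for Starlette/FastAPI routing (same `matches(scope) -> (Match, scope)` shape, no real framework), and the route table is constructed.

```python
from enum import Enum

class Match(Enum):
    NONE = 0
    FULL = 1

class Route:
    """Leaf endpoint (stand-in for a starlette Route): exact path + allowed methods."""
    def __init__(self, path, methods=("GET",)):
        self.path, self.methods = path, set(methods)

    def matches(self, scope):
        ok = scope["path"] == self.path and scope["method"] in self.methods
        return (Match.FULL if ok else Match.NONE), scope

class IncludedRouter:
    """Lazy tree node (stand-in for fastapi 0.137's _IncludedRouter): prefix + children."""
    def __init__(self, prefix, routes):
        self.prefix, self.routes = prefix, list(routes)

    def matches(self, scope):
        path = scope["path"]
        if path.startswith(self.prefix + "/"):
            child = dict(scope, path=path[len(self.prefix):])
            for route in self.routes:
                match, child_scope = route.matches(child)
                if match is Match.FULL:
                    return match, child_scope
        return Match.NONE, scope

class StaticFiles:
    """SPA catch-all mount: claims every path, so the auth predicate must skip it."""
    def matches(self, scope):
        return Match.FULL, scope

def flat_scan_protected(app_routes, path):
    """Pre-fix predicate: compares top-level Route paths only, blind to nested routers."""
    return any(isinstance(r, Route) and r.path == path for r in app_routes)

def match_protected(app_routes, path):
    """Post-fix predicate: resolve a GET as a request would, skip the catch-all, fail closed."""
    try:
        scope = {"type": "http", "method": "GET", "path": path}
        return any(not isinstance(r, StaticFiles) and r.matches(scope)[0] is Match.FULL
                   for r in app_routes)
    except Exception:
        return True  # any error -> treat the path as protected, never silently public

# Constructed route table: /health at top level, the GHSA endpoints inside an included router.
APP_ROUTES = [Route("/health"), IncludedRouter("", [Route(p) for p in
              ("/doctor", "/version", "/changelog", "/agents")]), StaticFiles()]
```

With this table the flat scan reports `/doctor` as unprotected while the match-based predicate resolves it through the nested router; a path nothing but the catch-all claims (an SPA asset) stays public under both.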