diff --git a/.github/workflows/issue-manager.yml b/.github/workflows/issue-manager.yml
index 712930e0ba320..e2fb4f7a43e98 100644
--- a/.github/workflows/issue-manager.yml
+++ b/.github/workflows/issue-manager.yml
@@ -6,23 +6,25 @@ on:
issue_comment:
types:
- created
- - edited
issues:
types:
- labeled
+ pull_request_target:
+ types:
+ - labeled
+ workflow_dispatch:
jobs:
issue-manager:
runs-on: ubuntu-latest
steps:
- - uses: tiangolo/issue-manager@0.2.0
+ - uses: tiangolo/issue-manager@0.4.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
config: >
{
"answered": {
- "users": ["tiangolo", "dmontagu"],
"delay": 864000,
- "message": "Assuming the original issue was solved, it will be automatically closed now. But feel free to add more comments or create new issues."
+ "message": "Assuming the original need was handled, this will be automatically closed now. But feel free to add more comments or create new issues or PRs."
}
}
diff --git a/README.md b/README.md
index 19dba3ffc37b2..0fb7cc704f476 100644
--- a/README.md
+++ b/README.md
@@ -45,6 +45,7 @@ The key features are:
+
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000000..322f95f629ccf
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,31 @@
+# Security Policy
+
+Security is very important for FastAPI and its community. 🔒
+
+Learn more about it below. 👇
+
+## Versions
+
+The latest versions of FastAPI are supported.
+
+You are encouraged to [write tests](https://fastapi.tiangolo.com/tutorial/testing/) for your application and update your FastAPI version frequently after ensuring that your tests are passing. This way you will benefit from the latest features, bug fixes, and **security fixes**.
+
+You can learn more about [FastAPI versions and how to pin and upgrade them](https://fastapi.tiangolo.com/deployment/versions/) for your project in the docs.
+
+## Reporting a Vulnerability
+
+If you think you found a vulnerability, and even if you are not sure about it, please report it right away by sending an email to: security@tiangolo.com. Please try to be as explicit as possible, describing all the steps and example code to reproduce the security issue.
+
+I (the author, [@tiangolo](https://twitter.com/tiangolo)) will review it thoroughly and get back to you.
+
+## Public Discussions
+
+Please restrain from publicly discussing a potential security vulnerability. 🙊
+
+It's better to discuss privately and try to find a solution first, to limit the potential impact as much as possible.
+
+---
+
+Thanks for your help!
+
+The FastAPI community and I thank you for that. 🙇
diff --git a/docs/en/data/sponsors.yml b/docs/en/data/sponsors.yml
index 5f56d966737b1..49df39c99a3b4 100644
--- a/docs/en/data/sponsors.yml
+++ b/docs/en/data/sponsors.yml
@@ -2,6 +2,9 @@ gold:
- url: https://www.deta.sh/?ref=fastapi
title: The launchpad for all your (team's) ideas
img: https://fastapi.tiangolo.com/img/sponsors/deta.svg
+ - url: https://bit.ly/2QSouzH
+ title: "Jina: build neural search-as-a-service for any kind of data in just minutes."
+ img: https://fastapi.tiangolo.com/img/sponsors/jina.svg
silver:
- url: https://www.investsuite.com/jobs
title: Wealthtech jobs with FastAPI
diff --git a/docs/en/docs/css/custom.css b/docs/en/docs/css/custom.css
index 35ff9ef70e2da..9449f0a79c7c0 100644
--- a/docs/en/docs/css/custom.css
+++ b/docs/en/docs/css/custom.css
@@ -89,6 +89,11 @@ a.announce-link:hover {
z-index: 10;
}
+.announce-wrapper .sponsor-image {
+ display: block;
+ border-radius: 20px;
+}
+
.announce-wrapper>div {
min-height: 40px;
display: flex;
diff --git a/docs/en/docs/img/sponsors/fastapi-course-bundle-banner.svg b/docs/en/docs/img/sponsors/fastapi-course-bundle-banner.svg
new file mode 100644
index 0000000000000..5dd89b212a2e4
--- /dev/null
+++ b/docs/en/docs/img/sponsors/fastapi-course-bundle-banner.svg
@@ -0,0 +1,293 @@
+
+
diff --git a/docs/en/docs/img/sponsors/jina-banner.svg b/docs/en/docs/img/sponsors/jina-banner.svg
new file mode 100644
index 0000000000000..ebde273eedcb9
--- /dev/null
+++ b/docs/en/docs/img/sponsors/jina-banner.svg
@@ -0,0 +1,233 @@
+
+
diff --git a/docs/en/docs/img/sponsors/jina.svg b/docs/en/docs/img/sponsors/jina.svg
new file mode 100644
index 0000000000000..3dda4fe3cde13
--- /dev/null
+++ b/docs/en/docs/img/sponsors/jina.svg
@@ -0,0 +1,1981 @@
+
+
diff --git a/docs/en/docs/release-notes.md b/docs/en/docs/release-notes.md
index 25c8d03ca5d02..bd7e2b2705c55 100644
--- a/docs/en/docs/release-notes.md
+++ b/docs/en/docs/release-notes.md
@@ -3,6 +3,31 @@
## Latest Changes
+## 0.65.2
+
+### Security fixes
+
+* 🔒 Check Content-Type request header before assuming JSON. Initial PR [#2118](https://github.com/tiangolo/fastapi/pull/2118) by [@patrickkwang](https://github.com/patrickkwang).
+
+This change fixes a [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery) security vulnerability when using cookies for authentication in path operations with JSON payloads sent by browsers.
+
+In versions lower than `0.65.2`, FastAPI would try to read the request payload as JSON even if the `content-type` header sent was not set to `application/json` or a compatible JSON media type (e.g. `application/geo+json`).
+
+So, a request with a content type of `text/plain` containing JSON data would be accepted and the JSON data would be extracted.
+
+But requests with content type `text/plain` are exempt from [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) preflights, for being considered [Simple requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests). So, the browser would execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application.
+
+See [CVE-2021-32677](https://github.com/tiangolo/fastapi/security/advisories/GHSA-8h2j-cgx8-6xv7) for more details.
+
+Thanks to [Dima Boger](https://twitter.com/b0g3r) for the security report! 🙇🔒
+
+### Internal
+
+* 🔧 Update sponsors badge, course bundle. PR [#3340](https://github.com/tiangolo/fastapi/pull/3340) by [@tiangolo](https://github.com/tiangolo).
+* 🔧 Add new gold sponsor Jina 🎉. PR [#3291](https://github.com/tiangolo/fastapi/pull/3291) by [@tiangolo](https://github.com/tiangolo).
+* 🔧 Add new banner sponsor badge for FastAPI courses bundle. PR [#3288](https://github.com/tiangolo/fastapi/pull/3288) by [@tiangolo](https://github.com/tiangolo).
+* 👷 Upgrade Issue Manager GitHub Action. PR [#3236](https://github.com/tiangolo/fastapi/pull/3236) by [@tiangolo](https://github.com/tiangolo).
+
## 0.65.1
### Security fixes
diff --git a/docs/en/overrides/main.html b/docs/en/overrides/main.html
index 25e973b81b081..8e698bffda4a3 100644
--- a/docs/en/overrides/main.html
+++ b/docs/en/overrides/main.html
@@ -16,9 +16,21 @@
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000000..322f95f629ccf
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,31 @@
+# Security Policy
+
+Security is very important for FastAPI and its community. 🔒
+
+Learn more about it below. 👇
+
+## Versions
+
+The latest versions of FastAPI are supported.
+
+You are encouraged to [write tests](https://fastapi.tiangolo.com/tutorial/testing/) for your application and update your FastAPI version frequently after ensuring that your tests are passing. This way you will benefit from the latest features, bug fixes, and **security fixes**.
+
+You can learn more about [FastAPI versions and how to pin and upgrade them](https://fastapi.tiangolo.com/deployment/versions/) for your project in the docs.
+
+## Reporting a Vulnerability
+
+If you think you found a vulnerability, and even if you are not sure about it, please report it right away by sending an email to: security@tiangolo.com. Please try to be as explicit as possible, describing all the steps and example code to reproduce the security issue.
+
+I (the author, [@tiangolo](https://twitter.com/tiangolo)) will review it thoroughly and get back to you.
+
+## Public Discussions
+
+Please restrain from publicly discussing a potential security vulnerability. 🙊
+
+It's better to discuss privately and try to find a solution first, to limit the potential impact as much as possible.
+
+---
+
+Thanks for your help!
+
+The FastAPI community and I thank you for that. 🙇
diff --git a/docs/en/data/sponsors.yml b/docs/en/data/sponsors.yml
index 5f56d966737b1..49df39c99a3b4 100644
--- a/docs/en/data/sponsors.yml
+++ b/docs/en/data/sponsors.yml
@@ -2,6 +2,9 @@ gold:
- url: https://www.deta.sh/?ref=fastapi
title: The launchpad for all your (team's) ideas
img: https://fastapi.tiangolo.com/img/sponsors/deta.svg
+ - url: https://bit.ly/2QSouzH
+ title: "Jina: build neural search-as-a-service for any kind of data in just minutes."
+ img: https://fastapi.tiangolo.com/img/sponsors/jina.svg
silver:
- url: https://www.investsuite.com/jobs
title: Wealthtech jobs with FastAPI
diff --git a/docs/en/docs/css/custom.css b/docs/en/docs/css/custom.css
index 35ff9ef70e2da..9449f0a79c7c0 100644
--- a/docs/en/docs/css/custom.css
+++ b/docs/en/docs/css/custom.css
@@ -89,6 +89,11 @@ a.announce-link:hover {
z-index: 10;
}
+.announce-wrapper .sponsor-image {
+ display: block;
+ border-radius: 20px;
+}
+
.announce-wrapper>div {
min-height: 40px;
display: flex;
diff --git a/docs/en/docs/img/sponsors/fastapi-course-bundle-banner.svg b/docs/en/docs/img/sponsors/fastapi-course-bundle-banner.svg
new file mode 100644
index 0000000000000..5dd89b212a2e4
--- /dev/null
+++ b/docs/en/docs/img/sponsors/fastapi-course-bundle-banner.svg
@@ -0,0 +1,293 @@
+
+
diff --git a/docs/en/docs/img/sponsors/jina-banner.svg b/docs/en/docs/img/sponsors/jina-banner.svg
new file mode 100644
index 0000000000000..ebde273eedcb9
--- /dev/null
+++ b/docs/en/docs/img/sponsors/jina-banner.svg
@@ -0,0 +1,233 @@
+
+
diff --git a/docs/en/docs/img/sponsors/jina.svg b/docs/en/docs/img/sponsors/jina.svg
new file mode 100644
index 0000000000000..3dda4fe3cde13
--- /dev/null
+++ b/docs/en/docs/img/sponsors/jina.svg
@@ -0,0 +1,1981 @@
+
+
diff --git a/docs/en/docs/release-notes.md b/docs/en/docs/release-notes.md
index 25c8d03ca5d02..bd7e2b2705c55 100644
--- a/docs/en/docs/release-notes.md
+++ b/docs/en/docs/release-notes.md
@@ -3,6 +3,31 @@
## Latest Changes
+## 0.65.2
+
+### Security fixes
+
+* 🔒 Check Content-Type request header before assuming JSON. Initial PR [#2118](https://github.com/tiangolo/fastapi/pull/2118) by [@patrickkwang](https://github.com/patrickkwang).
+
+This change fixes a [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery) security vulnerability when using cookies for authentication in path operations with JSON payloads sent by browsers.
+
+In versions lower than `0.65.2`, FastAPI would try to read the request payload as JSON even if the `content-type` header sent was not set to `application/json` or a compatible JSON media type (e.g. `application/geo+json`).
+
+So, a request with a content type of `text/plain` containing JSON data would be accepted and the JSON data would be extracted.
+
+But requests with content type `text/plain` are exempt from [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) preflights, for being considered [Simple requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests). So, the browser would execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application.
+
+See [CVE-2021-32677](https://github.com/tiangolo/fastapi/security/advisories/GHSA-8h2j-cgx8-6xv7) for more details.
+
+Thanks to [Dima Boger](https://twitter.com/b0g3r) for the security report! 🙇🔒
+
+### Internal
+
+* 🔧 Update sponsors badge, course bundle. PR [#3340](https://github.com/tiangolo/fastapi/pull/3340) by [@tiangolo](https://github.com/tiangolo).
+* 🔧 Add new gold sponsor Jina 🎉. PR [#3291](https://github.com/tiangolo/fastapi/pull/3291) by [@tiangolo](https://github.com/tiangolo).
+* 🔧 Add new banner sponsor badge for FastAPI courses bundle. PR [#3288](https://github.com/tiangolo/fastapi/pull/3288) by [@tiangolo](https://github.com/tiangolo).
+* 👷 Upgrade Issue Manager GitHub Action. PR [#3236](https://github.com/tiangolo/fastapi/pull/3236) by [@tiangolo](https://github.com/tiangolo).
+
## 0.65.1
### Security fixes
diff --git a/docs/en/overrides/main.html b/docs/en/overrides/main.html
index 25e973b81b081..8e698bffda4a3 100644
--- a/docs/en/overrides/main.html
+++ b/docs/en/overrides/main.html
@@ -16,9 +16,21 @@
diff --git a/fastapi/__init__.py b/fastapi/__init__.py
index 80f61d9f44177..d04f2ea9605dd 100644
--- a/fastapi/__init__.py
+++ b/fastapi/__init__.py
@@ -1,6 +1,6 @@
"""FastAPI framework, high performance, easy to learn, fast to code, ready for production"""
-__version__ = "0.65.1"
+__version__ = "0.65.2"
from starlette import status as status
diff --git a/fastapi/routing.py b/fastapi/routing.py
index ac5e19d99835a..9b51f03cac562 100644
--- a/fastapi/routing.py
+++ b/fastapi/routing.py
@@ -1,4 +1,5 @@
import asyncio
+import email.message
import enum
import inspect
import json
@@ -36,7 +37,7 @@
)
from pydantic import BaseModel
from pydantic.error_wrappers import ErrorWrapper, ValidationError
-from pydantic.fields import ModelField
+from pydantic.fields import ModelField, Undefined
from starlette import routing
from starlette.concurrency import run_in_threadpool
from starlette.exceptions import HTTPException
@@ -174,14 +175,26 @@ def get_request_handler(
async def app(request: Request) -> Response:
try:
- body = None
+ body: Any = None
if body_field:
if is_body_form:
body = await request.form()
else:
body_bytes = await request.body()
if body_bytes:
- body = await request.json()
+ json_body: Any = Undefined
+ content_type_value = request.headers.get("content-type")
+ if content_type_value:
+ message = email.message.Message()
+ message["content-type"] = content_type_value
+ if message.get_content_maintype() == "application":
+ subtype = message.get_content_subtype()
+ if subtype == "json" or subtype.endswith("+json"):
+ json_body = await request.json()
+ if json_body != Undefined:
+ body = json_body
+ else:
+ body = body_bytes
except json.JSONDecodeError as e:
raise RequestValidationError([ErrorWrapper(e, ("body", e.pos))], body=e.doc)
except Exception as e:
diff --git a/tests/test_tutorial/test_body/test_tutorial001.py b/tests/test_tutorial/test_body/test_tutorial001.py
index 38c6dbe876b26..c90240ae4c349 100644
--- a/tests/test_tutorial/test_body/test_tutorial001.py
+++ b/tests/test_tutorial/test_body/test_tutorial001.py
@@ -173,25 +173,91 @@ def test_post_body(path, body, expected_status, expected_response):
def test_post_broken_body():
- response = client.post("/items/", data={"name": "Foo", "price": 50.5})
+ response = client.post(
+ "/items/",
+ headers={"content-type": "application/json"},
+ data="{some broken json}",
+ )
assert response.status_code == 422, response.text
assert response.json() == {
"detail": [
{
+ "loc": ["body", 1],
+ "msg": "Expecting property name enclosed in double quotes: line 1 column 2 (char 1)",
+ "type": "value_error.jsondecode",
"ctx": {
- "colno": 1,
- "doc": "name=Foo&price=50.5",
+ "msg": "Expecting property name enclosed in double quotes",
+ "doc": "{some broken json}",
+ "pos": 1,
"lineno": 1,
- "msg": "Expecting value",
- "pos": 0,
+ "colno": 2,
},
- "loc": ["body", 0],
- "msg": "Expecting value: line 1 column 1 (char 0)",
- "type": "value_error.jsondecode",
}
]
}
+
+
+def test_post_form_for_json():
+ response = client.post("/items/", data={"name": "Foo", "price": 50.5})
+ assert response.status_code == 422, response.text
+ assert response.json() == {
+ "detail": [
+ {
+ "loc": ["body"],
+ "msg": "value is not a valid dict",
+ "type": "type_error.dict",
+ }
+ ]
+ }
+
+
+def test_explicit_content_type():
+ response = client.post(
+ "/items/",
+ data='{"name": "Foo", "price": 50.5}',
+ headers={"Content-Type": "application/json"},
+ )
+ assert response.status_code == 200, response.text
+
+
+def test_geo_json():
+ response = client.post(
+ "/items/",
+ data='{"name": "Foo", "price": 50.5}',
+ headers={"Content-Type": "application/geo+json"},
+ )
+ assert response.status_code == 200, response.text
+
+
+def test_wrong_headers():
+ data = '{"name": "Foo", "price": 50.5}'
+ invalid_dict = {
+ "detail": [
+ {
+ "loc": ["body"],
+ "msg": "value is not a valid dict",
+ "type": "type_error.dict",
+ }
+ ]
+ }
+
+ response = client.post("/items/", data=data, headers={"Content-Type": "text/plain"})
+ assert response.status_code == 422, response.text
+ assert response.json() == invalid_dict
+
+ response = client.post(
+ "/items/", data=data, headers={"Content-Type": "application/geo+json-seq"}
+ )
+ assert response.status_code == 422, response.text
+ assert response.json() == invalid_dict
+ response = client.post(
+ "/items/", data=data, headers={"Content-Type": "application/not-really-json"}
+ )
+ assert response.status_code == 422, response.text
+ assert response.json() == invalid_dict
+
+
+def test_other_exceptions():
with patch("json.loads", side_effect=Exception):
response = client.post("/items/", json={"test": "test2"})
assert response.status_code == 400, response.text
- assert response.json() == {"detail": "There was an error parsing the body"}
diff --git a/tests/test_tutorial/test_custom_request_and_route/test_tutorial001.py b/tests/test_tutorial/test_custom_request_and_route/test_tutorial001.py
index cc85a8a82a5ac..3eb5822e28816 100644
--- a/tests/test_tutorial/test_custom_request_and_route/test_tutorial001.py
+++ b/tests/test_tutorial/test_custom_request_and_route/test_tutorial001.py
@@ -25,6 +25,7 @@ def test_gzip_request(compress):
if compress:
data = gzip.compress(data)
headers["Content-Encoding"] = "gzip"
+ headers["Content-Type"] = "application/json"
response = client.post("/sum", data=data, headers=headers)
assert response.json() == {"sum": n}
+ 
+ 