kubernetes-engine-samples
chore(deps): update dependency fastapi to v0.109.1 [security]
This PR contains the following updates:
Package | Change | Age | Adoption | Passing | Confidence |
---|---|---|---|---|---|
fastapi | ==0.88.0 -> ==0.109.1 |
[!WARNING] Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2024-24762
Summary
When using form data, python-multipart uses a Regular Expression to parse the HTTP Content-Type header, including options.
An attacker could send a custom-made Content-Type option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that the process can't handle any more requests.
This can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
This only applies when the app uses form data, parsed with python-multipart.
Details
A regular HTTP Content-Type header could look like:
Content-Type: text/html; charset=utf-8
python-multipart parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74
A custom option could be made and sent to the server to break it with:
Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
PoC
Create a simple WSGI application that just parses the Content-Type, and run it with python main.py:
```python
# main.py
from wsgiref.simple_server import make_server
from wsgiref.validate import validator

from multipart.multipart import parse_options_header


def simple_app(environ, start_response):
    # Parsing the request's Content-Type header is the only work this app does.
    _, _ = parse_options_header(environ["CONTENT_TYPE"])

    start_response("200 OK", [("Content-type", "text/plain")])
    return [b"Ok"]


httpd = make_server("", 8123, validator(simple_app))
print("Serving on port 8123...")
httpd.serve_forever()
```
Then send the attacking request with:
$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8123/'
Impact
It's a ReDoS (Regular expression Denial of Service); it only applies to those reading form data. This way it also affects other libraries using Starlette, like FastAPI.
Original Report
This was originally reported to FastAPI as an email to [email protected], sent via https://huntr.com/. The original reporter is Marcello, https://github.com/byt3bl33d3r
Original report to FastAPI
Hey Tiangolo!
My name's Marcello and I work on the ProtectAI/Huntr Threat Research team. A few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data, not JSON).
Here are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:
```python
from typing import Annotated
from fastapi.responses import HTMLResponse
from fastapi import FastAPI, Form
from pydantic import BaseModel


class Item(BaseModel):
    username: str


app = FastAPI()


@app.get("/", response_class=HTMLResponse)
async def index():
    return HTMLResponse("Test", status_code=200)


# Form endpoint: the request body is parsed as form data.
@app.post("/submit/")
async def submit(username: Annotated[str, Form()]):
    return {"username": username}


# JSON endpoint: the request body is parsed as JSON.
@app.post("/submit_json/")
async def submit_json(item: Item):
    return {"username": item.username}
```
I'm running the above with uvicorn with the following command:
uvicorn server:app
Then run the following cURL command:
curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'
You'll see the server locks up, is unable to serve any more requests, and one CPU core is pegged to 100%.
You can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you'll completely DoS the FastAPI server.
If you try submitting JSON to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.
Cheers
Impact
An attacker is able to cause a DoS on a FastAPI server via a malicious Content-Type header if it parses Form data.
Occurrences
Release Notes
tiangolo/fastapi (fastapi)
v0.109.1
Security fixes
- ⬆️ Upgrade minimum version of python-multipart to >=0.0.7 to fix a vulnerability when using form data with a ReDos attack. You can also simply upgrade python-multipart.
Read more in the advisory: Content-Type Header ReDoS.
Features
- ✨ Include HTTP 205 in status codes with no body. PR #10969 by @tiangolo.
Refactors
- ✅ Refactor tests for duplicate operation ID generation for compatibility with other tools running the FastAPI test suite. PR #10876 by @emmettbutler.
- ♻️ Simplify string format with f-strings in fastapi/utils.py. PR #10576 by @eukub.
- 🔧 Fix Ruff configuration unintentionally enabling and re-disabling mccabe complexity check. PR #10893 by @jiridanek.
- ✅ Re-enable test in tests/test_tutorial/test_header_params/test_tutorial003.py after fix in Starlette. PR #10904 by @ooknimm.
Docs
- 📝 Tweak wording in help-fastapi.md. PR #11040 by @tiangolo.
- 📝 Tweak docs for Behind a Proxy. PR #11038 by @tiangolo.
- 📝 Add External Link: 10 Tips for adding SQLAlchemy to FastAPI. PR #11036 by @Donnype.
- 📝 Add External Link: Tips on migrating from Flask to FastAPI and vice-versa. PR #11029 by @jtemporal.
- 📝 Deprecate old tutorials: Peewee, Couchbase, encode/databases. PR #10979 by @tiangolo.
- ✏️ Fix typo in fastapi/security/oauth2.py. PR #10972 by @RafalSkolasinski.
- 📝 Update HTTPException details in docs/en/docs/tutorial/handling-errors.md. PR #5418 by @papb.
- ✏️ A few tweaks in docs/de/docs/tutorial/first-steps.md. PR #10959 by @nilslindemann.
- ✏️ Fix link in docs/en/docs/advanced/async-tests.md. PR #10960 by @nilslindemann.
- ✏️ Fix typos for Spanish documentation. PR #10957 by @jlopezlira.
- 📝 Add warning about lifespan functions and backwards compatibility with events. PR #10734 by @jacob-indigo.
- ✏️ Fix broken link in docs/tutorial/sql-databases.md in several languages. PR #10716 by @theoohoho.
- ✏️ Remove broken links from external_links.yml. PR #10943 by @Torabek.
- 📝 Update template docs with more info about url_for. PR #5937 by @EzzEddin.
- 📝 Update usage of Token model in security docs. PR #9313 by @piotrszacilowski.
- ✏️ Update highlighted line in docs/en/docs/tutorial/bigger-applications.md. PR #5490 by @papb.
- 📝 Add External Link: Explore How to Effectively Use JWT With FastAPI. PR #10212 by @aanchlia.
- 📝 Add hyperlink to docs/en/docs/tutorial/static-files.md. PR #10243 by @hungtsetse.
- 📝 Add External Link: Instrument a FastAPI service adding tracing with OpenTelemetry and send/show traces in Grafana Tempo. PR #9440 by @softwarebloat.
- 📝 Review and rewording of en/docs/contributing.md. PR #10480 by @nilslindemann.
- 📝 Add External Link: ML serving and monitoring with FastAPI and Evidently. PR #9701 by @mnrozhkov.
- 📝 Reword in docs, from "have in mind" to "keep in mind". PR #10376 by @malicious.
- 📝 Add External Link: Talk by Jeny Sadadia. PR #10265 by @JenySadadia.
- 📝 Add location info to tutorial/bigger-applications.md. PR #10552 by @nilslindemann.
- ✏️ Fix Pydantic method name in docs/en/docs/advanced/path-operation-advanced-configuration.md. PR #10826 by @ahmedabdou14.
Translations
- 🌐 Add Spanish translation for docs/es/docs/external-links.md. PR #10933 by @pablocm83.
- 🌐 Update Korean translation for docs/ko/docs/tutorial/first-steps.md, docs/ko/docs/tutorial/index.md, docs/ko/docs/tutorial/path-params.md, and docs/ko/docs/tutorial/query-params.md. PR #4218 by @SnowSuno.
- 🌐 Add Chinese translation for docs/zh/docs/tutorial/dependencies/dependencies-with-yield.md. PR #10870 by @zhiquanchi.
- 🌐 Add Chinese translation for docs/zh/docs/deployment/concepts.md. PR #10282 by @xzmeng.
- 🌐 Add Azerbaijani translation for docs/az/docs/index.md. PR #11047 by @aykhans.
- 🌐 Add Korean translation for docs/ko/docs/tutorial/middleware.md. PR #2829 by @JeongHyeongKim.
- 🌐 Add German translation for docs/de/docs/tutorial/body-nested-models.md. PR #10313 by @nilslindemann.
- 🌐 Add Persian translation for docs/fa/docs/tutorial/middleware.md. PR #9695 by @mojtabapaso.
- 🌐 Update Farsi translation for docs/fa/docs/index.md. PR #10216 by @theonlykingpin.
- 🌐 Add German translation for docs/de/docs/tutorial/body-fields.md. PR #10310 by @nilslindemann.
- 🌐 Add German translation for docs/de/docs/tutorial/body.md. PR #10295 by @nilslindemann.
- 🌐 Add German translation for docs/de/docs/tutorial/body-multiple-params.md. PR #10308 by @nilslindemann.
- 🌐 Add Japanese translation for docs/ja/docs/tutorial/security/get-current-user.md. PR #2681 by @sh0nk.
- 🌐 Add Chinese translation for docs/zh/docs/advanced/advanced-dependencies.md. PR #3798 by @jaystone776.
- 🌐 Add Chinese translation for docs/zh/docs/advanced/events.md. PR #3815 by @jaystone776.
- 🌐 Add Chinese translation for docs/zh/docs/advanced/behind-a-proxy.md. PR #3820 by @jaystone776.
- 🌐 Add Chinese translation for docs/zh/docs/advanced/testing-events.md. PR #3818 by @jaystone776.
- 🌐 Add Chinese translation for docs/zh/docs/advanced/testing-websockets.md. PR #3817 by @jaystone776.
- 🌐 Add Chinese translation for docs/zh/docs/advanced/testing-database.md. PR #3821 by @jaystone776.
- 🌐 Add Chinese translation for docs/zh/docs/deployment/deta.md. PR #3837 by @jaystone776.
- 🌐 Add Chinese translation for docs/zh/docs/history-design-future.md. PR #3832 by @jaystone776.
- 🌐 Add Chinese translation for docs/zh/docs/project-generation.md. PR #3831 by @jaystone776.
- 🌐 Add Chinese translation for docs/zh/docs/deployment/docker.md. PR #10296 by @xzmeng.
- 🌐 Update Spanish translation for docs/es/docs/features.md. PR #10884 by @pablocm83.
- 🌐 Add Spanish translation for docs/es/docs/newsletter.md. PR #10922 by @pablocm83.
- 🌐 Add Korean translation for docs/ko/docs/tutorial/background-tasks.md. PR #5910 by @junah201.
- 🌐 Add Turkish translation for docs/tr/docs/alternatives.md. PR #10502 by @alperiox.
- 🌐 Add Korean translation for docs/ko/docs/tutorial/dependencies/index.md. PR #10989 by @KaniKim.
- 🌐 Add Korean translation for /docs/ko/docs/tutorial/body.md. PR #11000 by @KaniKim.
- 🌐 Add Portuguese translation for docs/pt/docs/tutorial/schema-extra-example.md. PR #4065 by @luccasmmg.
- 🌐 Add Turkish translation for docs/tr/docs/history-design-future.md. PR #11012 by @hasansezertasan.
- 🌐 Add Turkish translation for docs/tr/docs/resources/index.md. PR #11020 by @hasansezertasan.
- 🌐 Add Turkish translation for docs/tr/docs/how-to/index.md. PR #11021 by @hasansezertasan.
- 🌐 Add German translation for docs/de/docs/tutorial/query-params.md. PR #10293 by @nilslindemann.
- 🌐 Add German translation for docs/de/docs/benchmarks.md. PR #10866 by @nilslindemann.
- 🌐 Add Turkish translation for docs/tr/docs/learn/index.md. PR #11014 by @hasansezertasan.
- 🌐 Add Persian translation for docs/fa/docs/tutorial/security/index.md. PR #9945 by @mojtabapaso.
- 🌐 Add Turkish translation for docs/tr/docs/help/index.md. PR #11013 by @hasansezertasan.
- 🌐 Add Turkish translation for docs/tr/docs/about/index.md. PR #11006 by @hasansezertasan.
- 🌐 Update Turkish translation for docs/tr/docs/benchmarks.md. PR #11005 by @hasansezertasan.
- 🌐 Add Italian translation for docs/it/docs/index.md. PR #5233 by @matteospanio.
- 🌐 Add Korean translation for docs/ko/docs/help/index.md. PR #10983 by @KaniKim.
- 🌐 Add Korean translation for docs/ko/docs/features.md. PR #10976 by @KaniKim.
- 🌐 Add Korean translation for docs/ko/docs/tutorial/security/get-current-user.md. PR #5737 by @KdHyeon0661.
- 🌐 Add Russian translation for docs/ru/docs/tutorial/security/first-steps.md. PR #10541 by @AlertRED.
- 🌐 Add Russian translation for docs/ru/docs/tutorial/handling-errors.md. PR #10375 by @AlertRED.
- 🌐 Add Russian translation for docs/ru/docs/tutorial/encoder.md. PR #10374 by @AlertRED.
- 🌐 Add Russian translation for docs/ru/docs/tutorial/body-updates.md. PR #10373 by @AlertRED.
- 🌐 Russian translation: updated fastapi-people.md. PR #10255 by @NiKuma0.
- 🌐 Add Japanese translation for docs/ja/docs/tutorial/security/index.md. PR #5798 by @3w36zj6.
- 🌐 Add German translation for docs/de/docs/advanced/generate-clients.md. PR #10725 by @nilslindemann.
- 🌐 Add German translation for docs/de/docs/advanced/openapi-webhooks.md. PR #10712 by @nilslindemann.
- 🌐 Add German translation for docs/de/docs/advanced/custom-response.md. PR #10624 by @nilslindemann.
- 🌐 Add German translation for docs/de/docs/advanced/additional-status-codes.md. PR #10617 by @nilslindemann.
- 🌐 Add German translation for docs/de/docs/tutorial/middleware.md. PR #10391 by @JohannesJungbluth.
- 🌐 Add German translation for introduction documents. PR #10497 by @nilslindemann.
- 🌐 Add Japanese translation for docs/ja/docs/tutorial/encoder.md. PR #1955 by @SwftAlpc.
- 🌐 Add Japanese translation for docs/ja/docs/tutorial/extra-data-types.md. PR #1932 by @SwftAlpc.
- 🌐 Add Turkish translation for docs/tr/docs/async.md. PR #5191 by @BilalAlpaslan.
- 🌐 Add Turkish translation for docs/tr/docs/project-generation.md. PR #5192 by @BilalAlpaslan.
- 🌐 Add Korean translation for docs/ko/docs/deployment/docker.md. PR #5657 by @nearnear.
- 🌐 Add Korean translation for docs/ko/docs/deployment/server-workers.md. PR #4935 by @jujumilk3.
- 🌐 Add Korean translation for docs/ko/docs/deployment/index.md. PR #4561 by @jujumilk3.
- 🌐 Add Korean translation for docs/ko/docs/tutorial/path-operation-configuration.md. PR #3639 by @jungsu-kwon.
- 🌐 Modify the description of zh - Traditional Chinese. PR #10889 by @cherinyy.
- 🌐 Add Korean translation for docs/ko/docs/tutorial/static-files.md. PR #2957 by @jeesang7.
- 🌐 Add Korean translation for docs/ko/docs/tutorial/response-model.md. PR #2766 by @hard-coders.
- 🌐 Add Korean translation for docs/ko/docs/tutorial/body-multiple-params.md. PR #2461 by @PandaHun.
- 🌐 Add Korean translation for docs/ko/docs/tutorial/query-params-str-validations.md. PR #2415 by @hard-coders.
- 🌐 Add Korean translation for docs/ko/docs/python-types.md. PR #2267 by @jrim.
- 🌐 Add Korean translation for docs/ko/docs/tutorial/body-nested-models.md. PR #2506 by @hard-coders.
- 🌐 Add Korean translation for docs/ko/docs/learn/index.md. PR #10977 by @KaniKim.
- 🌐 Initialize translations for Traditional Chinese. PR #10505 by @hsuanchi.
- ✏️ Tweak the German translation of docs/de/docs/tutorial/index.md. PR #10962 by @nilslindemann.
- ✏️ Fix typo error in docs/ko/docs/tutorial/path-params.md. PR #10758 by @2chanhaeng.
- 🌐 Add Japanese translation for docs/ja/docs/tutorial/dependencies/dependencies-with-yield.md. PR #1961 by @SwftAlpc.
- 🌐 Add Japanese translation for docs/ja/docs/tutorial/dependencies/dependencies-in-path-operation-decorators.md. PR #1960 by @SwftAlpc.
- 🌐 Add Japanese translation for docs/ja/docs/tutorial/dependencies/sub-dependencies.md. PR #1959 by @SwftAlpc.
- 🌐 Add Japanese translation for docs/ja/docs/tutorial/background-tasks.md. PR #2668 by @tokusumi.
- 🌐 Add Japanese translation for docs/ja/docs/tutorial/dependencies/index.md and docs/ja/docs/tutorial/dependencies/classes-as-dependencies.md. PR #1958 by @SwftAlpc.
- 🌐 Add Japanese translation for docs/ja/docs/tutorial/response-model.md. PR #1938 by @SwftAlpc.
- 🌐 Add Japanese translation for docs/ja/docs/tutorial/body-multiple-params.md. PR #1903 by @SwftAlpc.
- 🌐 Add Japanese translation for docs/ja/docs/tutorial/path-params-numeric-validations.md. PR #1902 by @SwftAlpc.
- 🌐 Add Japanese translation for docs/ja/docs/python-types.md. PR #1899 by @SwftAlpc.
- 🌐 Add Japanese translation for docs/ja/docs/tutorial/handling-errors.md. PR #1953 by @SwftAlpc.
- 🌐 Add Japanese translation for docs/ja/docs/tutorial/response-status-code.md. PR #1942 by @SwftAlpc.
- 🌐 Add Japanese translation for docs/ja/docs/tutorial/extra-models.md. PR #1941 by @SwftAlpc.
- 🌐 Add Japanese translation for docs/ja/docs/tutorial/schema-extra-example.md. PR #1931 by @SwftAlpc.
- 🌐 Add Japanese translation for docs/ja/docs/tutorial/body-nested-models.md. PR #1930 by @SwftAlpc.
- 🌐 Add Japanese translation for docs/ja/docs/tutorial/body-fields.md. PR #1923 by @SwftAlpc.
- 🌐 Add German translation for docs/de/docs/tutorial/index.md. PR #9502 by @fhabers21.
- 🌐 Add German translation for docs/de/docs/tutorial/background-tasks.md. PR #10566 by @nilslindemann.
- ✏️ Fix typo in docs/ru/docs/index.md. PR #10672 by @Delitel-WEB.
- ✏️ Fix typos in docs/zh/docs/tutorial/extra-data-types.md. PR #10727 by @HiemalBeryl.
- 🌐 Add Russian translation for docs/ru/docs/tutorial/dependencies/classes-as-dependencies.md. PR #10410 by @AlertRED.
Internal
- 👥 Update FastAPI People. PR #11074 by @tiangolo.
- 🔧 Update sponsors: add Coherence. PR #11066 by @tiangolo.
- 👷 Upgrade GitHub Action issue-manager. PR #11056 by @tiangolo.
- 🍱 Update sponsors: TalkPython badge. PR #11052 by @tiangolo.
- 🔧 Update sponsors: TalkPython badge image. PR #11048 by @tiangolo.
- 🔧 Update sponsors, remove Deta. PR #11041 by @tiangolo.
- 💄 Fix CSS breaking RTL languages (erroneously introduced by a previous RTL PR). PR #11039 by @tiangolo.
- 🔧 Add Italian to mkdocs.yml. PR #11016 by @alejsdev.
- 🔨 Verify mkdocs.yml languages in CI, update docs.py. PR #11009 by @tiangolo.
- 🔧 Update config in label-approved.yml to accept translations with 1 reviewer. PR #11007 by @alejsdev.
- 👷 Add changes-requested handling in GitHub Action issue manager. PR #10971 by @tiangolo.
- 🔧 Group dependencies on dependabot updates. PR #10952 by @Kludex.
- ⬆ Bump actions/setup-python from 4 to 5. PR #10764 by @dependabot[bot].
- ⬆ Bump pypa/gh-action-pypi-publish from 1.8.10 to 1.8.11. PR #10731 by @dependabot[bot].
- ⬆ Bump dawidd6/action-download-artifact from 2.28.0 to 3.0.0. PR #10777 by @dependabot[bot].
- 🔧 Add support for translations to languages with a longer code name, like zh-hant. PR #10950 by @tiangolo.
v0.109.0
Features
Upgrades
- ⬆️ Upgrade Starlette to >=0.35.0,<0.36.0. PR #10938 by @tiangolo.
Docs
- ✏️ Fix typo in docs/en/docs/alternatives.md. PR #10931 by @s111d.
- 📝 Replace email with username in docs_src/security/tutorial007 code examples. PR #10649 by @nilslindemann.
- 📝 Add VS Code tutorial link. PR #10592 by @nilslindemann.
- 📝 Add notes about Pydantic v2's new .model_dump(). PR #10929 by @tiangolo.
- 📝 Fix broken link in docs/en/docs/tutorial/sql-databases.md. PR #10765 by @HurSungYun.
- 📝 Add External Link: FastAPI application monitoring made easy. PR #10917 by @tiangolo.
- ✨ Generate automatic language names for docs translations. PR #5354 by @jakul.
- ✏️ Fix typos in docs/en/docs/alternatives.md and docs/en/docs/tutorial/dependencies/index.md. PR #10906 by @s111d.
- ✏️ Fix typos in docs/en/docs/tutorial/dependencies/dependencies-with-yield.md. PR #10834 by @Molkree.
- 📝 Add article: "Building a RESTful API with FastAPI: Secure Signup and Login Functionality Included". PR #9733 by @dxphilo.
- 📝 Add warning about lifecycle events with AsyncClient. PR #4167 by @andrew-chang-dewitt.
- ✏️ Fix typos in /docs/reference/exceptions.md and /en/docs/reference/status.md. PR #10809 by @clarencepenz.
- ✏️ Fix typo in openapi-callbacks.md. PR #10673 by @kayjan.
- ✏️ Fix typo in fastapi/routing.py. PR #10520 by @sepsh.
- 📝 Replace HTTP code returned in case of existing user error in docs for testing. PR #4482 by @TristanMarion.
- 📝 Add blog for FastAPI & Supabase. PR #6018 by @theinfosecguy.
- 📝 Update example source files for SQL databases with SQLAlchemy. PR #9508 by @s-mustafa.
- 📝 Update code examples in docs for body, replace name create_item with update_item when appropriate. PR #5913 by @OttoAndrey.
- ✏️ Fix typo in dependencies with yield source examples. PR #10847 by @tiangolo.
Translations
- 🌐 Add Bengali translation for docs/bn/docs/index.md. PR #9177 by @Fahad-Md-Kamal.
- ✏️ Update Python version in index.md in several languages. PR #10711 by @tamago3keran.
- 🌐 Add Russian translation for docs/ru/docs/tutorial/request-forms-and-files.md. PR #10347 by @AlertRED.
- 🌐 Add Ukrainian translation for docs/uk/docs/index.md. PR #10362 by @rostik1410.
- ✏️ Update Python version in docs/ko/docs/index.md. PR #10680 by @Eeap.
- 🌐 Add Persian translation for docs/fa/docs/features.md. PR #5887 by @amirilf.
- 🌐 Add Chinese translation for docs/zh/docs/advanced/additional-responses.md. PR #10325 by @ShuibeiC.
- 🌐 Fix typos in Russian translations for docs/ru/docs/tutorial/background-tasks.md, docs/ru/docs/tutorial/body-nested-models.md, docs/ru/docs/tutorial/debugging.md, docs/ru/docs/tutorial/testing.md. PR #10311 by @AlertRED.
- 🌐 Add Russian translation for docs/ru/docs/tutorial/request-files.md. PR #10332 by @AlertRED.
- 🌐 Add Chinese translation for docs/zh/docs/deployment/server-workers.md. PR #10292 by @xzmeng.
- 🌐 Add Chinese translation for docs/zh/docs/deployment/cloud.md. PR #10291 by @xzmeng.
- 🌐 Add Chinese translation for docs/zh/docs/deployment/manually.md. PR #10279 by @xzmeng.
- 🌐 Add Chinese translation for docs/zh/docs/deployment/https.md. PR #10277 by @xzmeng.
- 🌐 Add Chinese translation for docs/zh/docs/deployment/index.md. PR #10275 by @xzmeng.
- 🌐 Add German translation for docs/de/docs/tutorial/first-steps.md. PR #9530 by @fhabers21.
- 🌐 Update Turkish translation for docs/tr/docs/index.md. PR #10444 by @hasansezertasan.
- 🌐 Add Chinese translation for docs/zh/docs/learn/index.md. PR #10479 by @KAZAMA-DREAM.
- 🌐 Add Russian translation for docs/ru/docs/learn/index.md. PR #10539 by @AlertRED.
- 🌐 Update SQLAlchemy instruction in Chinese translation docs/zh/docs/tutorial/sql-databases.md. PR #9712 by @Royc30ne.
- 🌐 Add Turkish translation for docs/tr/docs/external-links.md. PR #10549 by @hasansezertasan.
- 🌐 Add Spanish translation for docs/es/docs/learn/index.md. PR #10885 by @pablocm83.
- 🌐 Add Ukrainian translation for docs/uk/docs/tutorial/body-fields.md. PR #10670 by @ArtemKhymenko.
- 🌐 Add Hungarian translation for /docs/hu/docs/index.md. PR #10812 by @takacs.
- 🌐 Add Turkish translation for docs/tr/docs/newsletter.md. PR #10550 by @hasansezertasan.
- 🌐 Add Spanish translation for docs/es/docs/help/index.md. PR #10907 by @pablocm83.
- 🌐 Add Spanish translation for docs/es/docs/about/index.md. PR #10908 by @pablocm83.
- 🌐 Add Spanish translation for docs/es/docs/resources/index.md. PR #10909 by @pablocm83.
Internal
- 👥 Update FastAPI People. PR #10871 by @tiangolo.
- 👷 Upgrade custom GitHub Action comment-docs-preview-in-pr. PR #10916 by @tiangolo.
- ⬆️ Upgrade GitHub Action latest-changes. PR #10915 by @tiangolo.
- 👷 Upgrade GitHub Action label-approved. PR #10913 by @tiangolo.
- ⬆️ Upgrade GitHub Action label-approved. PR #10905 by @tiangolo.
v0.108.0
Upgrades
- ⬆️ Upgrade Starlette to >=0.29.0,<0.33.0, update docs and usage of templates with new Starlette arguments. PR #10846 by @tiangolo.
v0.107.0
Upgrades
- ⬆️ Upgrade Starlette to 0.28.0. PR #9636 by @adriangb.
Docs
- 📝 Add docs: Node.js script alternative to update OpenAPI for generated clients. PR #10845 by @alejsdev.
- 📝 Restructure Docs section in Contributing page. PR #10844 by @alejsdev.
v0.106.0
Breaking Changes
Using resources from dependencies with yield in background tasks is no longer supported.
This change is what supports the new features, read below. 🤓
Dependencies with yield, HTTPException and Background Tasks
Dependencies with yield now can raise HTTPException and other exceptions after yield. 🎉
Read the new docs here: Dependencies with yield and HTTPException.
```python
from fastapi import Depends, FastAPI, HTTPException
from typing_extensions import Annotated

app = FastAPI()


data = {
    "plumbus": {"description": "Freshly pickled plumbus", "owner": "Morty"},
    "portal-gun": {"description": "Gun to create portals", "owner": "Rick"},
}


class OwnerError(Exception):
    pass


def get_username():
    try:
        yield "Rick"
    except OwnerError as e:
        # Raised after yield: converted into an HTTP 400 response.
        raise HTTPException(status_code=400, detail=f"Owner error: {e}")


@app.get("/items/{item_id}")
def get_item(item_id: str, username: Annotated[str, Depends(get_username)]):
    if item_id not in data:
        raise HTTPException(status_code=404, detail="Item not found")
    item = data[item_id]
    if item["owner"] != username:
        raise OwnerError(username)
    return item
```
Before FastAPI 0.106.0, raising exceptions after yield was not possible, the exit code in dependencies with yield was executed after the response was sent, so Exception Handlers would have already run.
This was designed this way mainly to allow using the same objects "yielded" by dependencies inside of background tasks, because the exit code would be executed after the background tasks were finished.
Nevertheless, as this would mean waiting for the response to travel through the network while unnecessarily holding a resource in a dependency with yield (for example a database connection), this was changed in FastAPI 0.106.0.
Additionally, a background task is normally an independent set of logic that should be handled separately, with its own resources (e.g. its own database connection).
If you used to rely on this behavior, now you should create the resources for background tasks inside the background task itself, and use internally only data that doesn't depend on the resources of dependencies with yield.
For example, instead of using the same database session, you would create a new database session inside of the background task, and you would obtain the objects from the database using this new session. And then instead of passing the object from the database as a parameter to the background task function, you would pass the ID of that object and then obtain the object again inside the background task function.
The sequence of execution before FastAPI 0.106.0 was like the diagram in the Release Notes for FastAPI 0.106.0.
The new execution flow can be found in the docs: Execution of dependencies with yield.
v0.105.0
Features
- ✨ Add support for multiple Annotated annotations, e.g. Annotated[str, Field(), Query()]. PR #10773 by @tiangolo.
Refactors
- 🔥 Remove unused NoneType. PR #10774 by @tiangolo.
Docs
- 📝 Tweak default suggested configs for generating clients. PR #10736 by @tiangolo.
Internal
- 🔧 Update sponsors, add Scalar. PR #10728 by @tiangolo.
- 🔧 Update sponsors, add PropelAuth. PR #10760 by @tiangolo.
- 👷 Update build docs, verify README on CI. PR #10750 by @tiangolo.
- 🔧 Update sponsors, remove Fern. PR #10729 by @tiangolo.
- 🔧 Update sponsors, add Codacy. PR #10677 by @tiangolo.
- 🔧 Update sponsors, add Reflex. PR #10676 by @tiangolo.
- 📝 Update release notes, move and check latest-changes. PR #10588 by @tiangolo.
- 👷 Upgrade latest-changes GitHub Action. PR #10587 by @tiangolo.
v0.104.1
Fixes
- 📌 Pin Swagger UI version to 5.9.0 temporarily to handle a bug crashing it in 5.9.1. PR #10529 by @alejandraklachquin.
- This is not really a bug in FastAPI but in Swagger UI, nevertheless pinning the version will work while a solution is found on the Swagger UI side.
Docs
- 📝 Update data structure and render for external-links. PR #10495 by @tiangolo.
- ✏️ Fix link to SPDX license identifier in docs/en/docs/tutorial/metadata.md. PR #10433 by @worldworm.
- 📝 Update example validation error from Pydantic v1 to match Pydantic v2 in docs/en/docs/tutorial/path-params.md. PR #10043 by @giuliowaitforitdavide.
- ✏️ Fix typos in emoji docs and in some source examples. PR #10438 by @afuetterer.
- ✏️ Fix typo in docs/en/docs/reference/dependencies.md. PR #10465 by @suravshresth.
- ✏️ Fix typos and rewordings in docs/en/docs/tutorial/body-nested-models.md. PR #10468 by @yogabonito.
- 📝 Update docs, remove references to removed pydantic.Required in docs/en/docs/tutorial/query-params-str-validations.md. PR #10469 by @yogabonito.
- ✏️ Fix typo in docs/en/docs/reference/index.md. PR #10467 by @tarsil.
- 🔥 Remove unnecessary duplicated docstrings. PR #10484 by @tiangolo.
Internal
- ✏️ Update Pydantic links to dotenv support. PR #10511 by @White-Mask.
- ✏️ Update links in docs/en/docs/async.md and docs/zh/docs/async.md to make them relative. PR #10498 by @hasnatsajid.
- ✏️ Fix links in docs/em/docs/async.md. PR #10507 by @hasnatsajid.
- ✏️ Fix typo in docs/em/docs/index.md, Python 3.8. PR #10521 by @kerriop.
- ⬆ Bump pillow from 9.5.0 to 10.1.0. PR #10446 by @dependabot[bot].
- ⬆ Update mkdocs-material requirement from <9.0.0,>=8.1.4 to >=8.1.4,<10.0.0. PR #5862 by @dependabot[bot].
- ⬆ Bump mkdocs-material from 9.1.21 to 9.4.7. PR #10545 by @dependabot[bot].
- 👷 Install MkDocs Material Insiders only when secrets are available, for Dependabot. PR #10544 by @tiangolo.
- 🔧 Update sponsors badges, Databento. PR #10519 by @tiangolo.
- 👷 Adopt Ruff format. PR #10517 by @tiangolo.
- 🔧 Add CITATION.cff file for academic citations. PR #10496 by @tiangolo.
- 🐛 Fix overriding MKDocs theme lang in hook. PR #10490 by @tiangolo.
- 🔥 Drop/close Gitter chat. Questions should go to GitHub Discussions, free conversations to Discord. PR #10485 by @tiangolo.
v0.104.0
Features
- ✨ Add reference (code API) docs with PEP 727, add subclass with custom docstrings for BackgroundTasks, refactor docs structure. PR #10392 by @tiangolo. New docs at FastAPI Reference - Code API.
Upgrades
- ⬆️ Drop support for Python 3.7, require Python 3.8 or above. PR #10442 by @tiangolo.
Internal
- ⬆ Bump dawidd6/action-download-artifact from 2.27.0 to 2.28.0. PR #10268 by @dependabot[bot].
- ⬆ Bump actions/checkout from 3 to 4. PR #10208 by @dependabot[bot].
- ⬆ Bump pypa/gh-action-pypi-publish from 1.8.6 to 1.8.10. PR #10061 by @dependabot[bot].
- 🔧 Update sponsors, Bump.sh images. PR #10381 by @tiangolo.
- 👥 Update FastAPI People. PR #10363 by @tiangolo.
v0.103.2
Refactors
- ⬆️ Upgrade compatibility with Pydantic v2.4, new renamed functions and JSON Schema input/output models with default values. PR #10344 by [@R
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
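
As an added example (not code from the advisory, python-multipart, or FastAPI): one regex-free way to split a Content-Type value into media type and options, using the standard library's email.message, with a timing check that feeds it constructed headers shaped like the one in the Details section. The helper names parse_content_type, pathological_header, seconds_to_parse and stays_within_budget are hypothetical, and the 0.5 s budget and input sizes are assumptions.

```python
import time
from email.message import Message
from email.utils import collapse_rfc2231_value


def parse_content_type(value):
    """Return (media_type, options) for a Content-Type value without a regex.

    The stdlib parameter parser splits on ';' and '=' by scanning the string,
    so an unterminated quoted value cannot trigger pattern backtracking.
    """
    if isinstance(value, bytes):
        value = value.decode("latin-1")
    if not value or not value.strip():
        return "", {}
    msg = Message()
    msg["content-type"] = value
    params = msg.get_params()  # [(media_type, ""), (name, value), ...]
    media_type = params[0][0].strip().lower()
    options = {}
    for name, val in params[1:]:
        if isinstance(val, tuple):
            # RFC 2231 extended parameter: (charset, language, value)
            val = collapse_rfc2231_value(val)
        options[name.strip().lower()] = val  # last duplicate wins
    return media_type, options


def pathological_header(n):
    """Constructed input with the shape shown in the advisory: an option whose
    value opens a quote that is never closed, followed by n backslashes."""
    return 'application/x-www-form-urlencoded; !="' + "\\" * n


def seconds_to_parse(parser, header):
    """Wall-clock time of a single parser(header) call."""
    start = time.perf_counter()
    parser(header)
    return time.perf_counter() - start


def stays_within_budget(parser, sizes=(200, 2_000, 20_000), budget_s=0.5):
    """Regression check for a test suite: every size must parse within budget_s.

    Only call this in-process on a parser expected to pass; a backtracking
    parser would block here, so exercise one of those in a subprocess with a
    timeout instead.
    """
    return all(
        seconds_to_parse(parser, pathological_header(n)) <= budget_s
        for n in sizes
    )


if __name__ == "__main__":
    print(parse_content_type("text/html; charset=utf-8"))
    print("bounded:", stays_within_budget(parse_content_type))
```

Because the check grows the input by a factor of 100, a parser that only looks fast on short headers would still fail it.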
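
An added example, not part of the PR or the FastAPI release notes: a requirements-file check for the versions named in the Security fixes entry above (fastapi 0.109.1, python-multipart >=0.0.7). The sample requirement lines and the helper names are constructed for illustration, and only exact `==` pins with purely numeric versions are evaluated.

```python
import re

# Fixed versions as stated on this page for CVE-2024-24762.
FIXED_MULTIPART = (0, 0, 7)
FIXED_FASTAPI = (0, 109, 1)

# Exact pins only, e.g. "fastapi==0.88.0" or "fastapi[all]==0.88.0",
# optionally followed by an environment marker (";" ...).
PIN = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*(\d+(?:\.\d+)*)\s*(?:;.*)?$"
)


def normalize(name):
    """PEP 503 normalisation, so python_multipart equals python-multipart."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(requirements_text):
    """Map normalised package name -> version tuple for every '==' pin."""
    pins = {}
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        match = PIN.match(line)
        if match:
            version = tuple(int(part) for part in match.group(2).split("."))
            pins[normalize(match.group(1))] = version
    return pins


def fmt(version):
    return ".".join(str(part) for part in version)


def audit(requirements_text):
    """Return a list of (package, pinned_version, advice) findings."""
    pins = parse_pins(requirements_text)
    multipart = pins.get("python-multipart")
    fastapi = pins.get("fastapi")
    findings = []

    # The parser itself: anything below 0.0.7 carries the Content-Type ReDoS.
    if multipart is not None and multipart < FIXED_MULTIPART:
        findings.append(
            ("python-multipart", fmt(multipart), "upgrade to >=0.0.7")
        )

    # An older fastapi does not require the fixed parser. It is only flagged
    # when no fixed python-multipart pin sits next to it, because upgrading
    # python-multipart alone also resolves the issue.
    multipart_fixed = multipart is not None and multipart >= FIXED_MULTIPART
    if fastapi is not None and fastapi < FIXED_FASTAPI and not multipart_fixed:
        findings.append(
            ("fastapi", fmt(fastapi),
             "upgrade to >=0.109.1 or pin python-multipart>=0.0.7")
        )
    return findings


if __name__ == "__main__":
    # Constructed sample; the first line is the pin this PR replaces.
    sample = "fastapi==0.88.0\nuvicorn==0.20.0\n"
    for finding in audit(sample):
        print(finding)
```

Range specifiers such as `>=` or `~=` are skipped, so check the resolved versions in a lock file for those.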