graphql-python/gql

update `aiohttp` minimum dependency version to 3.8.0

irangareddy opened this issue · 1 comment

Describe the bug
Aiohttp 3.8.0 adds validation of HTTP header keys and values to prevent header injection.
AFFECTED VERSIONS: <3.8.0
FIXED VERSIONS: 3.8.0

More about the vulnerability: https://pyup.io/vulnerabilities/PVE-2021-42692/42692/

To Reproduce
In any Poetry Python project, run the following commands:

- clone https://github.com/eccenca/cmem-plugin-graphql
- cd cmem-plugin-graphql
- git checkout feature/mutationSupport-ECC-5299
- task poetry:install
- task check:safety

Expected behavior
On `poetry run safety check`, all safety checks should pass.

System info:

  • OS: macOS 13.1
  • Python version: Python 3.9.6
  • gql version:
    gql 3.4.0 GraphQL client for Python
    ├── aiohttp >=3.7.1,<3.9.0
  • graphql-core version: graphql-core >=3.2,<3.3
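The two points in this report, a header-injection guard of the kind aiohttp 3.8.0 introduced and a dependency floor that still admits versions below the fixed one, can be illustrated with a small added example. It is not code from the gql or aiohttp projects: the header rules below are our own reading of RFC 7230 token syntax, the version-comparison helper is hand-rolled rather than the `packaging` library, and the `>X` clause is treated conservatively as if it were `>=X`.

```python
"""Added example (not part of the gql issue or of aiohttp/gql code).

Two defensive checks related to the report above:
  1. validate_header(): reject header names/values that could smuggle extra
     header lines (CR, LF, NUL) before they reach an HTTP client.
  2. spec_allows_below(): tell whether a dependency specifier such as
     ">=3.7.1,<3.9.0" still admits a version below a given fixed version.
"""
import re
from typing import Optional, Tuple

# RFC 7230 "token" characters permitted in a header field name (assumption:
# we apply the RFC grammar directly; aiohttp's own rules may differ slightly).
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Characters that would terminate the current header line or the request.
_BAD_VALUE_RE = re.compile(r"[\r\n\x00]")


def validate_header(name: str, value: str) -> None:
    """Raise ValueError if `name` or `value` could inject extra header lines."""
    if not _TOKEN_RE.match(name):
        raise ValueError(f"invalid header name: {name!r}")
    if _BAD_VALUE_RE.search(value):
        raise ValueError(f"invalid header value for {name}: {value!r}")


def is_header_safe(name: str, value: str) -> bool:
    """Boolean wrapper around validate_header() for callers that prefer a flag."""
    try:
        validate_header(name, value)
        return True
    except ValueError:
        return False


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted numeric version ('3.8.0') into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def lower_bound(spec: str) -> Optional[str]:
    """Return the lowest version a ','-separated specifier admits, or None.

    Only >=, >, == and ~= raise the floor; <, <= and != do not and are skipped.
    '>X' is treated like '>=X' (conservative: a release between X and the
    fixed version may exist, so the specifier is flagged).
    """
    floor: Optional[Tuple[int, ...]] = None
    floor_text: Optional[str] = None
    for clause in spec.split(","):
        clause = clause.strip()
        if not clause:
            continue
        match = re.fullmatch(r"(>=|>|==|~=|<=|<|!=)\s*(\d+(?:\.\d+)*)", clause)
        if match is None:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        operator, version = match.groups()
        if operator in (">=", ">", "==", "~="):
            parsed = parse_version(version)
            if floor is None or parsed > floor:
                floor, floor_text = parsed, version
    return floor_text


def spec_allows_below(spec: str, fixed: str) -> bool:
    """True if the specifier admits any version older than `fixed`."""
    floor = lower_bound(spec)
    if floor is None:          # no lower bound at all: anything goes
        return True
    return parse_version(floor) < parse_version(fixed)


if __name__ == "__main__":
    # Constructed inputs; the specifier string is the one shown in the report.
    print(spec_allows_below(">=3.7.1,<3.9.0", "3.8.0"))   # True: 3.7.x still allowed
    print(spec_allows_below(">=3.8.0,<3.9.0", "3.8.0"))   # False: floor is at the fix
    print(is_header_safe("Authorization", "Bearer token"))          # True
    print(is_header_safe("X-Trace", "abc\r\nX-Injected: 1"))        # False
```

Run as a script it prints the four results in the trailing comments; the first line is the case this issue is about, since the `>=3.7.1` floor in gql 3.4.0's constraint still admits 3.7.x releases.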

I cannot see the vulnerability as I don't have a pyup.io account and it is impossible to register with a Gmail email address...

But I suspect that the vulnerability concerns only the server part of aiohttp and not the client so that is probably not a problem for gql.