fix(deps): pin starlette>=1.0.1 to fix BadHost (CVE-2026-48710) #438

Merged
oleksandr-nc merged 1 commit into main from fix/starlette-badhost-cve-2026-48710 on Jun 2, 2026

Conversation

@oleksandr-nc (Contributor) commented Jun 2, 2026

Summary

Remediates BadHost (CVE-2026-48710), a Host-header path-confusion vulnerability in Starlette ≤ 1.0.0 that can bypass path-based authorization. The fix lives in Starlette 1.0.1.

FastAPI does not cap Starlette (even latest 0.136.3 only requires starlette>=0.46.0), so bumping FastAPI alone does not guarantee a fixed Starlette, and an explicit floor is required. nc_py_api also imports starlette directly (_session.py, ex_app/integration_fastapi.py), so declaring it is correct regardless.

Changes

The version bump (_version.py to 0.30.2) is intentionally omitted here; it lands in the [publish] commit on main after merge.

Compatibility

  • Keeps Python >=3.10 (FastAPI 0.133+ and Starlette 1.x both require >=3.10).
  • Verified: under these constraints pip upgrades the vulnerable Starlette from 1.0.0 to 1.2.1; import nc_py_api succeeds.

coderabbitai Bot commented Jun 2, 2026

Walkthrough

Adds release notes for v0.30.2 and updates dependency constraints: pins starlette>=1.0.1 and raises fastapi>=0.133; CHANGELOG notes that download_directory_as_zip no longer guarantees archive entry ordering.

Changes

Release 0.30.2

Layer: Release 0.30.2 changelog and dependency pins
File(s): CHANGELOG.md, pyproject.toml
Summary: CHANGELOG.md adds the 0.30.2 release entry (Changed: non-guaranteed archive ordering; Security: starlette/fastapi pins). pyproject.toml updates dependencies: starlette>=1.0.1, fastapi>=0.133, python-dotenv>=1.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks: 5 passed
  • Title check: Passed. The title accurately summarizes the primary change: pinning starlette>=1.0.1 to address CVE-2026-48710, which is the main security remediation in this PR.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.

oleksandr-nc force-pushed the fix/starlette-badhost-cve-2026-48710 branch from 0847660 to 7b7a0cb on June 2, 2026 08:13

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CHANGELOG.md`:
- Line 13: Update the CHANGELOG entry that pins "starlette>=1.0.1" and claims "fastapi >=0.133" by removing or correcting the unsupported FastAPI floor: locate the sentence containing the FastAPI floor reference (`>=0.133`) and either replace it with the exact FastAPI release that actually adopted Starlette 1.0+ (verify via PR `#14987` / FastAPI release notes) or change the wording to state "a FastAPI release that includes Starlette 1.0+ support" / "ensure FastAPI is a release compatible with Starlette 1.0+" so the rationale only claims the verified mapping rather than the unsupported `>=0.133` number.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9c40c4cc-11fa-4f42-bbef-2e3af1cc6afb

📥 Commits

Reviewing files that changed from the base of the PR and between 0847660 and 7b7a0cb.

📒 Files selected for processing (2)
  • CHANGELOG.md
  • pyproject.toml

oleksandr-nc merged commit d2acdc7 into main on Jun 2, 2026; 17 checks passed.
oleksandr-nc deleted the fix/starlette-badhost-cve-2026-48710 branch on June 2, 2026 08:54.