From 15ec5f9a7dc40215953b3fd7b55f1e3f250228bf Mon Sep 17 00:00:00 2001
From: tech-sushant
Date: Mon, 18 May 2026 18:09:01 +0530
Subject: [PATCH] security: force Accept-Encoding identity to mitigate urllib3 decompression bomb (CTO-4807)

GHSA-mf9v-mfxr-j63j flags a decompression-bomb safeguard bypass in urllib3 < 2.7.0's streaming API. urllib3 2.7.0 requires Python >= 3.10 but the CI matrix still includes Python 3.9, so we cannot bump the pin.

This patch installs a small monkey-patch on requests.adapters.HTTPAdapter that sets `Accept-Encoding: identity` on every outbound HTTP request. With no compressed responses ever arriving, urllib3's decompression code path is never exercised at runtime and the bug cannot trigger.

- New module: EnigmaAutomation/security_mitigations.py
- Imported once from EnigmaAutomation/__init__.py so it loads in every process (Django web, manage.py CLI, celery workers, pytest with DJANGO_SETTINGS_MODULE set).

Note: SCA scanners detect by version, not behavior, so CTO-4807 will still flag urllib3==2.6.3. Requesting a risk-acceptance from security with this mitigation as justification, pending the Python upgrade that unblocks urllib3 2.7.0.

Co-Authored-By: Claude Opus 4.7
---
 EnigmaAutomation/__init__.py | 1 +
 EnigmaAutomation/security_mitigations.py | 35 ++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 EnigmaAutomation/security_mitigations.py

diff --git a/EnigmaAutomation/__init__.py b/EnigmaAutomation/__init__.py
index 53f4ccb1..492e4812 100644
--- a/EnigmaAutomation/__init__.py
+++ b/EnigmaAutomation/__init__.py
@@ -1,3 +1,4 @@
+from . import security_mitigations # noqa: F401 applied at import time
 from .celery import app as celery_app
 
 __all__ = ("celery_app",)
diff --git a/EnigmaAutomation/security_mitigations.py b/EnigmaAutomation/security_mitigations.py
new file mode 100644
index 00000000..3cdaad61
--- /dev/null
+++ b/EnigmaAutomation/security_mitigations.py
@@ -0,0 +1,35 @@
+"""
+Runtime security mitigations applied at process startup.
+
+Each mitigation here should reference the ticket / advisory it addresses
+and be removed once the underlying issue is properly resolved (typically
+by a dependency upgrade).
+"""
+
+import requests.adapters
+
+
+_original_send = requests.adapters.HTTPAdapter.send
+
+
+def _force_identity_encoding(self, request, *args, **kwargs):
+    """Mitigation for GHSA-mf9v-mfxr-j63j (CTO-4807).
+
+    urllib3 < 2.7.0 has a decompression-bomb safeguard bypass in parts of
+    its streaming API. urllib3 2.7.0 (the patched version) requires
+    Python >= 3.10, but this project's CI matrix still includes Python 3.9
+    so we cannot bump the pin.
+
+    Forcing Accept-Encoding: identity on every outbound HTTP request makes
+    servers return uncompressed bodies, so urllib3's decompression code
+    path is never exercised at runtime and the bug cannot trigger.
+
+    Remove this patch (and the import from EnigmaAutomation/__init__.py)
+    once the Python runtime is upgraded and urllib3 can be bumped to
+    >= 2.7.0.
+    """
+    request.headers["Accept-Encoding"] = "identity"
+    return _original_send(self, request, *args, **kwargs)
+
+
+requests.adapters.HTTPAdapter.send = _force_identity_encoding
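Review bot: `_force_identity_encoding` only controls what the client asks for, so the docstring's claim that the decompression path is "never exercised" does not hold against the origin a decompression bomb actually comes from: a hostile or non-compliant server is free to ignore `Accept-Encoding: identity` and still send `Content-Encoding: gzip`, and as far as I can tell from requests' defaults it will still ask urllib3 to decode that body when the content is read. The check therefore belongs on the response side, before any body is read, where the adapter can refuse a compressed body instead of trusting the request header; the rewrite below does that and raises `requests.exceptions.ContentDecodingError`, a `RequestException` subclass so existing error handling still applies, and since `import requests.adapters` already binds `requests` no new import is needed. The docstring should also say that the patch covers only traffic routed through `requests.adapters.HTTPAdapter` (not code that uses urllib3 or another client directly, nor a subclass that overrides `send` without calling the base method), because the commit message says "every outbound HTTP request". Lastly, the module-level `_original_send = requests.adapters.HTTPAdapter.send` captures whatever is installed at import time, so an `importlib.reload` of this module would capture the previous wrapper, which resolves `_original_send` through the same module globals and would then call itself; guarding the assignment at the bottom with a marker such as `if not getattr(requests.adapters.HTTPAdapter.send, "_enigma_mitigation", False):` and setting that attribute on the wrapper avoids double installation.
```python
def _force_identity_encoding(self, request, *args, **kwargs):
    # … unchanged: docstring …
    request.headers["Accept-Encoding"] = "identity"
    response = _original_send(self, request, *args, **kwargs)
    # The request header is only a preference; a non-compliant or hostile
    # origin can compress anyway. Refuse such a body here, before anything
    # reads (and therefore decodes) it, rather than trusting the header.
    content_encoding = response.headers.get("Content-Encoding", "identity")
    if content_encoding.strip().lower() not in ("", "identity"):
        response.close()
        raise requests.exceptions.ContentDecodingError(
            f"refusing compressed response (Content-Encoding: {content_encoding}) "
            "while the urllib3 decompression-bomb mitigation (CTO-4807) is active",
            response=response,
        )
    return response
```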