chore(deps): update dependency authlib to v1.6.11 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
authlib	1.6.9 → 1.6.11

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Authlib: Cross-site request forging when using cache

GHSA-jj8c-mmj3-mmgv

More information

Details

Summary

There is no CSRF protection on the cache feature on most integrations clients.

Details

In authlib.integrations.starlette_client.OAuth, no CSRF protection is set up when using the cache parameter. When not using the cache parameter, the use of SessionMiddleware ties the client to the auth state, preventing CSRF attacks. With the cache, there is no such mechanism. Other integratons have the same issue, it's not just starlette.

The state parameter is taken from the callback URL and the state is fetched from the cache without checking that it is the same client calling the redirect endpoint as was the one that initiated the auth flow.

This issue is documented in RFC 6749 section 10.12:
https://datatracker.ietf.org/doc/html/rfc6749#section-10.12

PoC

• Set up a Starlette integration with a cache
• The attacker starts the auth flow up until before the callback URL is followed.
• The attacked sends the redirect URL to the victim
• The victim now completes the authorisation

Impact

This impacts all users that use the cache to store auth state.

All users will be vulnerable to CSRF attacks and may have an attacker's account tied to their own. In our specific scenario, this allowed attackers to push invoices into a victim's account, ready to be paid. Very serious.

Severity

• CVSS Score: 5.4 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References

• https://github.com/authlib/authlib/security/advisories/GHSA-jj8c-mmj3-mmgv
• https://github.com/advisories/GHSA-jj8c-mmj3-mmgv

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

authlib/authlib (authlib)

v1.6.11

Compare Source

Full Changelog: authlib/authlib@v1.6.10...v1.6.11

• Fix CSRF issue with starlette client

v1.6.10

Compare Source

Full Changelog: authlib/authlib@v1.6.9...v1.6.10

• Fix redirecting to unvalidated redirect_uri on UnsupportedResponseTypeError.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.21%. Comparing base (426436e) to head (3e594b6).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1021   +/-   ##
=======================================
  Coverage   77.21%   77.21%           
=======================================
  Files         116      116           
  Lines       12065    12065           
  Branches      996      996           
=======================================
  Hits         9316     9316           
  Misses       2520     2520           
  Partials      229      229           

Flag	Coverage Δ		*Carryforward flag
agent	75.78% <ø> (ø)		Carriedforward from 426436e
cli	91.80% <ø> (ø)		Carriedforward from 426436e
device	63.34% <ø> (ø)		Carriedforward from 426436e
server	86.92% <ø> (ø)

*This pull request uses carry forward flags. Click here to find out more.

Components	Coverage Δ
Agent	75.78% <ø> (ø)
CLI	91.80% <ø> (ø)
Common	∅ <ø> (∅)
Device Connectors	63.34% <ø> (ø)
Server	86.92% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.