PyPI - cello-framework - Versions diffs - 1.2.1__tar.gz → 1.2.2__tar.gz - Mend

cello-framework 1.2.1tar.gz → 1.2.2tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (288) hide show

{cello_framework-1.2.1 → cello_framework-1.2.2}/CLAUDE.md RENAMED Viewed

@@ -4,7 +4,7 @@
 **Cello** is an ultra-fast, Rust-powered Python async web framework designed to achieve C-level performance on the hot path while maintaining Python's developer experience. It's the successor to frameworks like FastAPI, Robyn, and Litestar, combining their best features with pure Rust implementation for maximum performance.
-**Version:** 1.1.0
+**Version:** 1.2.2
 **License:** MIT
 **Python Requirement:** 3.12+
 **Author:** Jagadeesh Katla
@@ -346,7 +346,8 @@ def handle_value_error(request, exc):
 ## Version History
-- **v1.2.1**: Bug fixes — server port never bound (`pyo3_asyncio` replaced with native `py.allow_threads` + `tokio::block_on`); `ProblemDetails` was missing from Python module export; `And`/`Or` guards now accept both `*args` and list styles; doc corrections (`type_uri` not `type_url`)
+- **v1.2.2**: Security & bug fixes — CSRF `HttpOnly` on double-submit cookie (critical, broke all AJAX CSRF); all middleware `skip_path` prefix bypass fixed via `path_matches_skip()` helper; `FixedWindowStore` window_start never updated after reset; unused `mut` cleaned in minijinja tests
+- **v1.2.1**: Bug fixes — server port never bound (`pyo3_asyncio` replaced with native `py.allow_threads` + `tokio::block_on`); `ProblemDetails` was missing from Python module export; `And`/`Or` guards now accept both `*args` and list styles; CSRF `HttpOnly` removed from double-submit cookie (JS must read it); `FixedWindowStore` window_start never updated after reset; all middleware `skip_path` used raw `starts_with` allowing prefix bypass; doc corrections (`type_uri` not `type_url`)
 - **v1.2.0**: Bug fixes (shutdown coroutine never awaited, KeyboardInterrupt in shutdown handler, `request.redis` AttributeError); Redis Lua scripting (`eval`, `evalsha`, `script_load`); Rust-native `AsyncClient` backed by `reqwest + Tokio` — GIL never held during HTTP I/O, HTTP/2, gzip, rustls
 - **v1.1.0**: MiniJinja Jinja2-compatible template engine (`MiniJinjaEngine`, `App.enable_templates()`, `App.render()`, `App.render_string()`); minijinja 2 Rust crate; HTML auto-escaping; globals; 47 new tests; 6 examples
 - **v1.0.1**: Cross-platform fixes (Windows multi-worker, signal handling, UNC paths; ARM JSON fallback; Linux-only CPU affinity), async compatibility fixes (handler validation, guards, cache decorator, blueprints), guards and database exports in `__all__`

{cello_framework-1.2.1 → cello_framework-1.2.2}/Cargo.lock RENAMED Viewed

@@ -341,7 +341,7 @@ dependencies = [
 [[package]]
 name = "cello-framework"
-version = "1.2.1"
+version = "1.2.2"
 dependencies = [
  "async-graphql",
  "async-graphql-value",

{cello_framework-1.2.1 → cello_framework-1.2.2}/Cargo.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [package]
 name = "cello-framework"
-version = "1.2.1"
+version = "1.2.2"
 edition = "2021"
 description = "Ultra-fast Rust-powered Python async web framework"
 license = "MIT"

{cello_framework-1.2.1 → cello_framework-1.2.2}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cello-framework
-Version: 1.2.1
+Version: 1.2.2
 Classifier: Development Status :: 5 - Production/Stable
 Classifier: Intended Audience :: Developers
 Classifier: License :: OSI Approved :: MIT License

{cello_framework-1.2.1 → cello_framework-1.2.2}/docs/releases/v1.2.1.md RENAMED Viewed

@@ -100,6 +100,64 @@ admin_or_editor = Or(RoleGuard(["admin"]), RoleGuard(["editor"]))
 ---
+### CSRF Cookie Readable by JavaScript (Security)
+**Symptom:** AJAX/SPA applications using CSRF protection failed all POST/PUT/DELETE requests with 403.
+**Root cause:** The CSRF double-submit cookie was set with the `HttpOnly` flag. This prevents
+JavaScript from reading the cookie value, making it impossible for the frontend to copy it into
+the `X-CSRF-Token` header — which is the entire point of the double-submit pattern.
+**Fix:** Removed `HttpOnly` from the CSRF cookie. The CSRF cookie is intentionally readable by
+JavaScript; the session cookie (where sensitive data lives) remains `HttpOnly`.
+```javascript
+// Now works — JS can read the CSRF cookie and send it back
+const csrf = document.cookie.match(/_csrf=([^;]+)/)?.[1];
+fetch("/api/data", {
+    method: "POST",
+    headers: { "X-CSRF-Token": csrf },
+    body: JSON.stringify(data),
+});
+```
+---
+### Rate Limiter Fixed-Window Counter Reset (Bug)
+**Symptom:** After the first rate-limit window expired, the fixed-window counter reset to zero
+on every single subsequent request, making rate limiting completely ineffective.
+**Root cause:** When the time window rolled over, `entry.count` was reset to 0 but
+`entry.window_start` was never updated to the new window. Every request in the new window
+saw `window_start != current_window` and reset the counter again.
+**Fix:** Update `entry.window_start = current_window` alongside the count reset.
+---
+### Auth Skip-Path Prefix Bypass (Security)
+**Symptom:** Calling `skip_path("/health")` to exclude the health endpoint from authentication
+also excluded `/healthz`, `/healthy`, and any other path starting with `/health`.
+**Root cause:** Path matching used `request.path.starts_with(skip_path)` without checking that
+the following character is `/` or end-of-string.
+**Fix:** Path is now only skipped when it equals the pattern exactly or starts with
+`{pattern}/`. Affects `JwtAuth`, `BasicAuth`, `ApiKeyAuth`, `RateLimitMiddleware`,
+`SessionMiddleware`, `CsrfMiddleware`, and `GuardsMiddleware`.
+```python
+# Before: /healthz would also be skipped (security bypass)
+jwt.skip_path("/health")
+# After: only /health and /health/* are skipped
+jwt.skip_path("/health")
+```
+---
 ## Upgrade
 ```bash

cello_framework-1.2.2/docs/releases/v1.2.2.md ADDED Viewed

@@ -0,0 +1,131 @@
+---
+title: v1.2.2 Release Notes
+description: Cello Framework v1.2.2 — Security & Bug Fixes
+tags:
+  - v1.2.2
+  - Release Notes
+  - Security
+  - Bug Fixes
+---
+# Cello v1.2.2 — Security & Bug Fixes
+**Release Date:** June 14, 2026
+**License:** MIT
+**Python:** 3.12+
+---
+## Overview
+Cello v1.2.2 is a patch release that fixes one critical security bug, one security
+vulnerability, and two correctness bugs discovered during a thorough code review of v1.2.1.
+All changes are fully backwards-compatible.
+**Upgrade immediately** if you use CSRF protection or authentication middleware skip-paths.
+---
+## Security Fixes
+### CSRF Double-Submit Cookie Was `HttpOnly` (Critical)
+**Symptom:** AJAX applications and SPAs using `CsrfMiddleware` received 403 on every
+POST/PUT/DELETE request, even when the CSRF token was correctly set.
+**Root cause:** The CSRF double-submit cookie was set with `HttpOnly`, which prevents
+JavaScript from reading cookie values. The double-submit pattern *requires* JavaScript
+to read the cookie and copy its value into the `X-CSRF-Token` request header. With
+`HttpOnly` set, this was impossible — every state-changing request failed CSRF validation.
+**Fix:** Removed `HttpOnly` from the CSRF token cookie. The CSRF cookie is intentionally
+readable by JavaScript (that is the design). Your session cookie, which holds sensitive
+data, remains `HttpOnly`.
+```javascript
+// Now works — JavaScript can read the CSRF cookie
+const csrf = document.cookie.match(/_csrf=([^;]+)/)?.[1];
+fetch("/api/submit", {
+    method: "POST",
+    headers: { "X-CSRF-Token": csrf, "Content-Type": "application/json" },
+    body: JSON.stringify({ name: "Alice" }),
+});
+```
+---
+### Auth Middleware `skip_path` Allowed Prefix Bypass (Security)
+**Symptom:** Calling `jwt.skip_path("/health")` to exclude the health-check endpoint
+from authentication also excluded `/healthz`, `/healthy`, `/health-admin`, and any
+other path whose string representation started with `/health`.
+**Root cause:** All middleware used `request.path.starts_with(skip_path)` with no
+boundary check. An attacker aware of a skipped path could craft a URL that bypasses
+authentication.
+**Affected middleware:** `JwtAuth`, `BasicAuth`, `ApiKeyAuth`, `RateLimitMiddleware`,
+`SessionMiddleware`, `CsrfMiddleware`, `GuardsMiddleware`.
+**Fix:** Paths are now only skipped when:
+- The path **exactly equals** the pattern, or
+- The path **starts with** `{pattern}/` (sub-path match).
+```python
+# Before: /healthz was also skipped — security bypass
+jwt_auth.skip_path("/health")
+# After: only /health and /health/* are skipped
+jwt_auth.skip_path("/health")
+```
+---
+## Bug Fixes
+### Rate Limiter Fixed-Window Counter Broke After First Window
+**Symptom:** After the first time-window expired, the `FixedWindowStore` rate limiter
+stopped enforcing limits entirely — every request was allowed regardless of how many
+had been made.
+**Root cause:** When the window rolled over, the per-client entry's `count` was reset
+to 0 but `window_start` was never updated to the new window ID. Every subsequent
+request also saw `window_start != current_window` and reset the counter to 0 again,
+making the limiter permanently ineffective after the first window.
+**Fix:** `window_start` is now updated to `current_window` alongside the count reset.
+---
+### Unused `mut` Warnings in Template Engine Tests
+Five test functions in `minijinja_engine.rs` declared `let mut env = Environment::new()`
+where `mut` was not needed (the variable was never mutated after construction). These
+were cleaned up to eliminate Clippy warnings.
+---
+## Files Changed
+| File | Change |
+|------|--------|
+| `src/middleware/csrf.rs` | Remove `HttpOnly` from CSRF cookie |
+| `src/middleware/mod.rs` | Add `path_matches_skip()` shared helper |
+| `src/middleware/auth.rs` | Use `path_matches_skip()` in JWT/Basic/ApiKey |
+| `src/middleware/session.rs` | Use `path_matches_skip()` |
+| `src/middleware/rate_limit.rs` | Use `path_matches_skip()`; fix `window_start` reset |
+| `src/middleware/guards.rs` | Use `path_matches_skip()` |
+| `src/minijinja_engine.rs` | Remove unused `mut` from test bindings |
+---
+## Upgrade
+```bash
+pip install --upgrade cello-framework==1.2.2
+```
+Drop-in replacement for v1.2.1. No API changes.

{cello_framework-1.2.1 → cello_framework-1.2.2}/mkdocs.yml RENAMED Viewed

@@ -364,6 +364,7 @@ nav:
   - Release Notes:
     - releases/index.md
+    - v1.2.2: releases/v1.2.2.md
     - v1.2.1: releases/v1.2.1.md
     - v1.2.0: releases/v1.2.0.md
     - v1.1.0: releases/v1.1.0.md

{cello_framework-1.2.1 → cello_framework-1.2.2}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "maturin"
 [project]
 name = "cello-framework"
-version = "1.2.1"
+version = "1.2.2"
 description = "Ultra-fast Rust-powered Python async web framework"
 readme = "README.md"
 license = { text = "MIT" }

{cello_framework-1.2.1 → cello_framework-1.2.2}/python/cello/__init__.py RENAMED Viewed

@@ -296,7 +296,7 @@ __all__ = [
     "validate_rate_limit_config",
     "validate_tls_config",
 ]
-__version__ = "1.2.1"
+__version__ = "1.2.2"
 class Blueprint:

{cello_framework-1.2.1 → cello_framework-1.2.2}/src/middleware/auth.rs RENAMED Viewed

@@ -14,7 +14,7 @@ use std::sync::Arc;
 use std::time::{Duration, SystemTime, UNIX_EPOCH};
 use subtle::ConstantTimeEq;
-use super::{Middleware, MiddlewareAction, MiddlewareError, MiddlewareResult};
+use super::{path_matches_skip, Middleware, MiddlewareAction, MiddlewareError, MiddlewareResult};
 use crate::request::Request;
 use crate::response::Response;
@@ -299,7 +299,7 @@ impl Middleware for JwtAuth {
     fn before(&self, request: &mut Request) -> MiddlewareResult {
         // Check if path should be skipped
         for skip_path in &self.skip_paths {
-            if request.path.starts_with(skip_path) {
+            if path_matches_skip(&request.path, skip_path) {
                 return Ok(MiddlewareAction::Continue);
             }
         }
@@ -421,7 +421,7 @@ impl Middleware for BasicAuth {
     fn before(&self, request: &mut Request) -> MiddlewareResult {
         // Check if path should be skipped
         for skip_path in &self.skip_paths {
-            if request.path.starts_with(skip_path) {
+            if path_matches_skip(&request.path, skip_path) {
                 return Ok(MiddlewareAction::Continue);
             }
         }
@@ -591,7 +591,7 @@ impl Middleware for ApiKeyAuth {
     fn before(&self, request: &mut Request) -> MiddlewareResult {
         // Check if path should be skipped
         for skip_path in &self.skip_paths {
-            if request.path.starts_with(skip_path) {
+            if path_matches_skip(&request.path, skip_path) {
                 return Ok(MiddlewareAction::Continue);
             }
         }

{cello_framework-1.2.1 → cello_framework-1.2.2}/src/middleware/csrf.rs RENAMED Viewed

@@ -13,7 +13,7 @@ use sha2::Sha256;
 use std::time::{Duration, SystemTime, UNIX_EPOCH};
 use subtle::ConstantTimeEq;
-use super::{Middleware, MiddlewareAction, MiddlewareError, MiddlewareResult};
+use super::{path_matches_skip, Middleware, MiddlewareAction, MiddlewareError, MiddlewareResult};
 use crate::request::Request;
 use crate::response::Response;
@@ -316,7 +316,7 @@ impl CsrfMiddleware {
     /// Check if path should skip CSRF.
     fn should_skip(&self, path: &str) -> bool {
-        self.config.skip_paths.iter().any(|p| path.starts_with(p))
+        self.config.skip_paths.iter().any(|p| path_matches_skip(path, p))
     }
     /// Extract token from cookie.
@@ -389,7 +389,8 @@ impl CsrfMiddleware {
             cookie.push_str("; Secure");
         }
-        cookie.push_str("; HttpOnly");
+        // CSRF double-submit cookie must NOT be HttpOnly — JavaScript needs to
+        // read this value to send it back in the X-CSRF-Token request header.
         cookie.push_str(&format!("; SameSite={}", self.config.cookie_same_site));
         cookie

{cello_framework-1.2.1 → cello_framework-1.2.2}/src/middleware/guards.rs RENAMED Viewed

@@ -10,7 +10,7 @@
 use std::collections::HashSet;
 use std::sync::Arc;
-use super::{Middleware, MiddlewareAction, MiddlewareError, MiddlewareResult};
+use super::{path_matches_skip, Middleware, MiddlewareAction, MiddlewareError, MiddlewareResult};
 use crate::request::Request;
 use pyo3::prelude::*;
@@ -547,7 +547,7 @@ impl Middleware for GuardsMiddleware {
         // Check if path should be skipped
         for skip_path in &self.skip_paths {
-            if request.path.starts_with(skip_path) {
+            if path_matches_skip(&request.path, skip_path) {
                 return Ok(MiddlewareAction::Continue);
             }
         }

{cello_framework-1.2.1 → cello_framework-1.2.2}/src/middleware/mod.rs RENAMED Viewed

@@ -201,6 +201,19 @@ impl MiddlewareError {
     }
 }
+/// Check if a request path matches a skip pattern.
+///
+/// Matches when:
+/// - `path == pattern` (exact match), or
+/// - `path` starts with `pattern/` (sub-path match)
+///
+/// Without the trailing-slash check, a pattern like `/health` would also
+/// skip `/healthz`, allowing an auth bypass.
+#[inline]
+pub(super) fn path_matches_skip(path: &str, pattern: &str) -> bool {
+    path == pattern || path.starts_with(&format!("{}/", pattern))
+}
 impl std::fmt::Display for MiddlewareError {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         if let Some(code) = &self.code {

{cello_framework-1.2.1 → cello_framework-1.2.2}/src/middleware/rate_limit.rs RENAMED Viewed

@@ -11,7 +11,7 @@ use std::sync::atomic::{AtomicU64, Ordering};
 use std::sync::Arc;
 use std::time::{Duration, Instant, SystemTime, UNIX_EPOCH};
-use super::{Middleware, MiddlewareAction, MiddlewareResult};
+use super::{path_matches_skip, Middleware, MiddlewareAction, MiddlewareResult};
 use crate::request::Request;
 use crate::response::Response;
@@ -563,7 +563,7 @@ impl RateLimitStore for FixedWindowStore {
         let current_window = self.current_window();
         let reset_time = (current_window + 1) * self.window_seconds;
-        let entry = self
+        let mut entry = self
             .windows
             .entry(key.to_string())
             .or_insert_with(|| FixedWindowState {
@@ -571,10 +571,10 @@ impl RateLimitStore for FixedWindowStore {
                 window_start: current_window,
             });
-        // Check if window has changed
+        // Reset counter when window rolls over
         if entry.window_start != current_window {
             entry.count.store(0, Ordering::SeqCst);
-            // Note: This is a simplified approach; in production, use compare_exchange
+            entry.window_start = current_window;
         }
         let count = entry.count.fetch_add(1, Ordering::SeqCst);
@@ -848,7 +848,7 @@ impl Middleware for RateLimitMiddleware {
     fn before(&self, request: &mut Request) -> MiddlewareResult {
         // Check if path should be skipped
         for skip_path in &self.skip_paths {
-            if request.path.starts_with(skip_path) {
+            if path_matches_skip(&request.path, skip_path) {
                 return Ok(MiddlewareAction::Continue);
             }
         }

{cello_framework-1.2.1 → cello_framework-1.2.2}/src/middleware/session.rs RENAMED Viewed

@@ -14,7 +14,7 @@ use std::collections::HashMap;
 use std::sync::Arc;
 use std::time::{Duration, Instant, SystemTime, UNIX_EPOCH};
-use super::{Middleware, MiddlewareAction, MiddlewareResult};
+use super::{path_matches_skip, Middleware, MiddlewareAction, MiddlewareResult};
 use crate::request::Request;
 use crate::response::Response;
@@ -486,7 +486,7 @@ impl Middleware for SessionMiddleware {
     fn before(&self, request: &mut Request) -> MiddlewareResult {
         // Check if path should be skipped
         for skip_path in &self.skip_paths {
-            if request.path.starts_with(skip_path) {
+            if path_matches_skip(&request.path, skip_path) {
                 return Ok(MiddlewareAction::Continue);
             }
         }
@@ -513,7 +513,7 @@ impl Middleware for SessionMiddleware {
     fn after(&self, request: &Request, response: &mut Response) -> MiddlewareResult {
         // Check if path was skipped
         for skip_path in &self.skip_paths {
-            if request.path.starts_with(skip_path) {
+            if path_matches_skip(&request.path, skip_path) {
                 return Ok(MiddlewareAction::Continue);
             }
         }

{cello_framework-1.2.1 → cello_framework-1.2.2}/src/minijinja_engine.rs RENAMED Viewed

@@ -361,7 +361,7 @@ mod tests {
     #[test]
     fn test_render_if_block() {
-        let mut env = Environment::new();
+        let env = Environment::new();
         let tmpl = "{% if active %}yes{% else %}no{% endif %}";
         let result = env
             .render_str(tmpl, serde_json::json!({ "active": true }))
@@ -371,7 +371,7 @@ mod tests {
     #[test]
     fn test_render_for_loop() {
-        let mut env = Environment::new();
+        let env = Environment::new();
         let tmpl = "{% for i in items %}{{ i }},{% endfor %}";
         let result = env
             .render_str(tmpl, serde_json::json!({ "items": [1, 2, 3] }))
@@ -381,7 +381,7 @@ mod tests {
     #[test]
     fn test_render_filters() {
-        let mut env = Environment::new();
+        let env = Environment::new();
         let result = env
             .render_str("{{ name | upper }}", serde_json::json!({ "name": "cello" }))
             .unwrap();
@@ -390,7 +390,7 @@ mod tests {
     #[test]
     fn test_render_nested_dict() {
-        let mut env = Environment::new();
+        let env = Environment::new();
         let ctx = serde_json::json!({
             "user": { "name": "Alice", "age": 30 }
         });
@@ -445,7 +445,7 @@ mod tests {
     #[test]
     fn test_json_filter() {
-        let mut env = Environment::new();
+        let env = Environment::new();
         let result = env
             .render_str(
                 "{{ data | tojson }}",

{cello_framework-1.2.1 → cello_framework-1.2.2}/tests/test_cello.py RENAMED Viewed

@@ -1042,7 +1042,7 @@ def test_version():
     """Test that version is 1.2.0."""
     import cello
-    assert cello.__version__ == "1.2.0"
+    assert cello.__version__ == "1.2.2"
 def test_all_exports():
@@ -2203,7 +2203,7 @@ def test_version_v090():
     """Test that version is 1.2.0 (updated from 0.9.0)."""
     import cello
-    assert cello.__version__ == "1.2.0"
+    assert cello.__version__ == "1.2.2"
 def test_v090_exports_in_all():
@@ -3989,7 +3989,7 @@ def test_version_v0100():
     """Test that version is 1.2.0."""
     import cello
-    assert cello.__version__ == "1.2.0"
+    assert cello.__version__ == "1.2.2"
 def test_v0100_exports_in_all():

{cello_framework-1.2.1 → cello_framework-1.2.2}/tests/test_minijinja.py RENAMED Viewed

@@ -480,4 +480,4 @@ class TestComplexContextTypes:
 def test_version_is_1_2_0():
     import cello
-    assert cello.__version__ == "1.2.0"
+    assert cello.__version__ == "1.2.2"