streamlit-nightly 1.53.2.dev20260131__py3-none-any.whl → 1.53.2.dev20260203__py3-none-any.whl

Files changed (205)
  1. streamlit/commands/execution_control.py +2 -2
  2. streamlit/commands/logo.py +6 -10
  3. streamlit/components/v2/component_path_utils.py +17 -29
  4. streamlit/config.py +4 -2
  5. streamlit/delta_generator.py +2 -0
  6. streamlit/elements/lib/column_types.py +6 -2
  7. streamlit/elements/lib/utils.py +6 -6
  8. streamlit/elements/markdown.py +0 -1
  9. streamlit/elements/metric.py +2 -1
  10. streamlit/elements/widgets/button_group.py +6 -276
  11. streamlit/elements/widgets/feedback.py +322 -0
  12. streamlit/elements/widgets/number_input.py +2 -1
  13. streamlit/elements/widgets/slider.py +2 -1
  14. streamlit/material_icon_names.py +1 -1
  15. streamlit/path_security.py +98 -0
  16. streamlit/proto/AudioInput_pb2.py +4 -4
  17. streamlit/proto/AudioInput_pb2.pyi +3 -3
  18. streamlit/proto/Audio_pb2.py +2 -2
  19. streamlit/proto/BackMsg_pb2.pyi +2 -10
  20. streamlit/proto/Balloons_pb2.pyi +0 -2
  21. streamlit/proto/Block_pb2.py +35 -35
  22. streamlit/proto/ButtonGroup_pb2.py +10 -12
  23. streamlit/proto/ButtonGroup_pb2.pyi +6 -41
  24. streamlit/proto/Button_pb2.py +2 -2
  25. streamlit/proto/CameraInput_pb2.py +4 -4
  26. streamlit/proto/CameraInput_pb2.pyi +3 -3
  27. streamlit/proto/ChatInput_pb2.py +2 -2
  28. streamlit/proto/Checkbox_pb2.py +6 -6
  29. streamlit/proto/Checkbox_pb2.pyi +3 -3
  30. streamlit/proto/Code_pb2.py +2 -2
  31. streamlit/proto/ColorPicker_pb2.py +4 -4
  32. streamlit/proto/ColorPicker_pb2.pyi +3 -3
  33. streamlit/proto/Common_pb2.py +6 -6
  34. streamlit/proto/DateInput_pb2.py +4 -4
  35. streamlit/proto/DateInput_pb2.pyi +3 -3
  36. streamlit/proto/DateTimeInput_pb2.py +4 -4
  37. streamlit/proto/DateTimeInput_pb2.pyi +3 -3
  38. streamlit/proto/DeckGlJsonChart_pb2.py +2 -2
  39. streamlit/proto/Delta_pb2.py +2 -2
  40. streamlit/proto/DocString_pb2.py +1 -1
  41. streamlit/proto/Element_pb2.py +4 -4
  42. streamlit/proto/Element_pb2.pyi +9 -9
  43. streamlit/proto/Feedback_pb2.py +28 -0
  44. streamlit/proto/Feedback_pb2.pyi +93 -0
  45. streamlit/proto/FileUploader_pb2.py +4 -4
  46. streamlit/proto/FileUploader_pb2.pyi +3 -3
  47. streamlit/proto/ForwardMsg_pb2.py +8 -8
  48. streamlit/proto/GraphVizChart_pb2.py +2 -2
  49. streamlit/proto/IFrame_pb2.py +3 -3
  50. streamlit/proto/Image_pb2.py +4 -4
  51. streamlit/proto/Image_pb2.pyi +1 -7
  52. streamlit/proto/{BokehChart_pb2.py → LabelVisibility_pb2.py} +7 -5
  53. streamlit/proto/{LabelVisibilityMessage_pb2.pyi → LabelVisibility_pb2.pyi} +14 -14
  54. streamlit/proto/Markdown_pb2.py +4 -4
  55. streamlit/proto/Markdown_pb2.pyi +1 -5
  56. streamlit/proto/Metric_pb2.py +10 -10
  57. streamlit/proto/Metric_pb2.pyi +3 -3
  58. streamlit/proto/MultiSelect_pb2.py +4 -4
  59. streamlit/proto/MultiSelect_pb2.pyi +3 -3
  60. streamlit/proto/NewSession_pb2.py +38 -26
  61. streamlit/proto/NewSession_pb2.pyi +42 -8
  62. streamlit/proto/NumberInput_pb2.py +6 -6
  63. streamlit/proto/NumberInput_pb2.pyi +3 -3
  64. streamlit/proto/PlotlyChart_pb2.py +2 -2
  65. streamlit/proto/Radio_pb2.py +4 -4
  66. streamlit/proto/Radio_pb2.pyi +3 -3
  67. streamlit/proto/Selectbox_pb2.py +4 -4
  68. streamlit/proto/Selectbox_pb2.pyi +3 -6
  69. streamlit/proto/Slider_pb2.py +8 -8
  70. streamlit/proto/Slider_pb2.pyi +3 -3
  71. streamlit/proto/Snow_pb2.pyi +0 -2
  72. streamlit/proto/TextArea_pb2.py +4 -4
  73. streamlit/proto/TextArea_pb2.pyi +3 -3
  74. streamlit/proto/TextInput_pb2.py +6 -6
  75. streamlit/proto/TextInput_pb2.pyi +3 -3
  76. streamlit/proto/TimeInput_pb2.py +4 -4
  77. streamlit/proto/TimeInput_pb2.pyi +3 -3
  78. streamlit/proto/Video_pb2.py +2 -2
  79. streamlit/runtime/app_session.py +9 -1
  80. streamlit/static/index.html +2 -2
  81. streamlit/static/manifest.json +325 -310
  82. streamlit/static/static/css/{index.BUP6fTcR.css → index.C8MrxwGF.css} +1 -1
  83. streamlit/static/static/js/{ErrorOutline.esm.DC6KVDKK.js → ErrorOutline.esm.C9uHPmIj.js} +1 -1
  84. streamlit/static/static/js/{FileDownload.esm.Z9hRQIHi.js → FileDownload.esm.D-YPxF3t.js} +1 -1
  85. streamlit/static/static/js/{FileHelper.DqvW90pm.js → FileHelper.DQSH0zYW.js} +1 -1
  86. streamlit/static/static/js/{FormClearHelper.DTFnX0js.js → FormClearHelper.DQoXcOWo.js} +1 -1
  87. streamlit/static/static/js/{InputInstructions.CdzsN_Va.js → InputInstructions.C7VMyGT7.js} +1 -1
  88. streamlit/static/static/js/{Particles.12xFSjcn.js → Particles.BdQSRZde.js} +1 -1
  89. streamlit/static/static/js/{ProgressBar.Dg-oMbWg.js → ProgressBar.DNF_pWKr.js} +2 -2
  90. streamlit/static/static/js/{StreamlitSyntaxHighlighter.rbzmcipw.js → StreamlitSyntaxHighlighter.Cys9Bt18.js} +2 -2
  91. streamlit/static/static/js/{TableChart.esm.CzJtGIR-.js → TableChart.esm.B9SMgSK4.js} +1 -1
  92. streamlit/static/static/js/{Toolbar.COH7NaOE.js → Toolbar.BXfC9Z-W.js} +1 -1
  93. streamlit/static/static/js/{WidgetLabelHelpIconInline.Dlc8f0Ji.js → WidgetLabelHelpIconInline.gkreC55g.js} +1 -1
  94. streamlit/static/static/js/{base-input.Q-zJLgRK.js → base-input.iB32RS3w.js} +4 -4
  95. streamlit/static/static/js/{checkbox.BKgWNdeI.js → checkbox.Bqz68SYq.js} +1 -1
  96. streamlit/static/static/js/{createDownloadLinkElement.6oO-YlYv.js → createDownloadLinkElement.YxVC9Qur.js} +1 -1
  97. streamlit/static/static/js/data-grid-overlay-editor.sBsdk5Xg.js +1 -0
  98. streamlit/static/static/js/{downloader.BBXcXdX1.js → downloader.Bzxqt3AW.js} +1 -1
  99. streamlit/static/static/js/{embed.CJzOXYBF.js → embed.CDzakah3.js} +1 -1
  100. streamlit/static/static/js/{es6.CdxPQzwJ.js → es6.CxCc4bfn.js} +2 -2
  101. streamlit/static/static/js/formatNumber.L8T7D36k.js +1 -0
  102. streamlit/static/static/js/{iconPosition.BVScIr6G.js → iconPosition.C47DkA-1.js} +1 -1
  103. streamlit/static/static/js/{iframeResizer.contentWindow.D_QHVqPM.js → iframeResizer.contentWindow.uEFLXEg3.js} +1 -1
  104. streamlit/static/static/js/{index.CvtybR-u.js → index.B3zULhHv.js} +1 -1
  105. streamlit/static/static/js/{index.DAyGxxdm.js → index.B60AZFRh.js} +3 -3
  106. streamlit/static/static/js/{index.BED2_zc7.js → index.BG4RxMOI.js} +1 -1
  107. streamlit/static/static/js/{index.CPc_uZux.js → index.BHyzKS4e.js} +45 -45
  108. streamlit/static/static/js/{index.Dud7RRHc.js → index.BVTW_o-a.js} +1 -1
  109. streamlit/static/static/js/{index.BQnLeHnr.js → index.BV_YgIHe.js} +3 -3
  110. streamlit/static/static/js/index.B_LfkwqU.js +2 -0
  111. streamlit/static/static/js/{index.DCe7fo-m.js → index.Ba8L-ulI.js} +1 -1
  112. streamlit/static/static/js/{index.DAfIQKfP.js → index.Bh5BZaHG.js} +2 -2
  113. streamlit/static/static/js/{index.DU68jVpM.js → index.Bnwh8oZr.js} +16 -16
  114. streamlit/static/static/js/index.BrZtYm2A.js +2 -0
  115. streamlit/static/static/js/index.BsrhCS7f.js +1 -0
  116. streamlit/static/static/js/{index.CxoREvnF.js → index.BuJPJSD7.js} +2 -2
  117. streamlit/static/static/js/{index.6DFY6LUF.js → index.BvHsyiyy.js} +1 -1
  118. streamlit/static/static/js/{index.Biyf9aUg.js → index.BwTkGOAy.js} +2 -2
  119. streamlit/static/static/js/{index.DNfyKqhQ.js → index.BwvxzVOo.js} +1 -1
  120. streamlit/static/static/js/{index.iXh5nbLZ.js → index.BzdcdLDK.js} +1 -1
  121. streamlit/static/static/js/{index.YULCxEtm.js → index.C1d2QjTR.js} +1 -1
  122. streamlit/static/static/js/index.C1uZrWog.js +1 -0
  123. streamlit/static/static/js/{index.C5oqIM3a.js → index.C5-TpWis.js} +1 -1
  124. streamlit/static/static/js/{index.D6OexhdL.js → index.C6dhwBSe.js} +1 -1
  125. streamlit/static/static/js/{index.y-pa6LIX.js → index.CAbQaUvi.js} +1 -1
  126. streamlit/static/static/js/{index.BSpYHDvk.js → index.CAbafj7s.js} +1 -1
  127. streamlit/static/static/js/{index.BDtN2n7T.js → index.CCLteRW6.js} +1 -1
  128. streamlit/static/static/js/{index.mSdC1FV6.js → index.CQ713nQM.js} +1 -1
  129. streamlit/static/static/js/index.CcBYyLfq.js +2 -0
  130. streamlit/static/static/js/{index.CBE2cIbj.js → index.CjBDVb1a.js} +1 -1
  131. streamlit/static/static/js/{index.BxQxTpWl.js → index.Ck0ZkOfK.js} +1 -1
  132. streamlit/static/static/js/{index.B80gSxrS.js → index.CzwJzgQs.js} +1 -1
  133. streamlit/static/static/js/{index.DyfvmNCy.js → index.D-9VyyiA.js} +1 -1
  134. streamlit/static/static/js/{index.nL1fkE1D.js → index.D2R3Co5f.js} +1 -1
  135. streamlit/static/static/js/{index.DZmBuE3z.js → index.D7L9gHlE.js} +3 -3
  136. streamlit/static/static/js/{index.BqxwnMem.js → index.DEKnCsY-.js} +2 -2
  137. streamlit/static/static/js/{index.D9v2Y8Gk.js → index.DHrByikW.js} +1 -1
  138. streamlit/static/static/js/index.DN_oudQl.js +1 -0
  139. streamlit/static/static/js/{index.DrcbvB2t.js → index.DO55kRo5.js} +1 -1
  140. streamlit/static/static/js/{index.BqbKiDp2.js → index.D_cvtSlg.js} +1 -1
  141. streamlit/static/static/js/{index.CrY1BsL3.js → index.DgqmsDCJ.js} +1 -1
  142. streamlit/static/static/js/{index.BtOoVQt7.js → index.DjgdCvlK.js} +1 -1
  143. streamlit/static/static/js/{index.BxMkW82k.js → index.DqhZqWYB.js} +1 -1
  144. streamlit/static/static/js/{index.bQJYmJ2T.js → index.Dtbj_oyb.js} +1 -1
  145. streamlit/static/static/js/{index.CUYi3FrD.js → index.QXukCzoh.js} +1 -1
  146. streamlit/static/static/js/{index.BiCbrx53.js → index.XJY9qZ6a.js} +1 -1
  147. streamlit/static/static/js/{index.GieKl4BG.js → index.aZRhdEuX.js} +1 -1
  148. streamlit/static/static/js/{index._1zqETQ9.js → index.fUsWkW8E.js} +1 -1
  149. streamlit/static/static/js/index.h2N-W51I.js +11 -0
  150. streamlit/static/static/js/index.iUHLeAvv.js +1 -0
  151. streamlit/static/static/js/{index.DRoJNzFX.js → index.kBgXO7Vv.js} +1 -1
  152. streamlit/static/static/js/{index.BSYebegS.js → index.kEL0HsUR.js} +1 -1
  153. streamlit/static/static/js/index.w7yKy9fh.js +6 -0
  154. streamlit/static/static/js/{input.BcC6sPE_.js → input.BCHJn1Cw.js} +1 -1
  155. streamlit/static/static/js/{main.TU5_aabd.js → main.23ZP6f1E.js} +1 -1
  156. streamlit/static/static/js/{memory.By_OTlI4.js → memory.D8f8Q4mO.js} +1 -1
  157. streamlit/static/static/js/number-overlay-editor.ZWvSpjJ5.js +9 -0
  158. streamlit/static/static/js/{pandasStylerUtils.3IiIKU9-.js → pandasStylerUtils.DlZ2GBs_.js} +1 -1
  159. streamlit/static/static/js/{sandbox.DnxTbWzV.js → sandbox.BH6D3KL9.js} +1 -1
  160. streamlit/static/static/js/sprintfjs.CtrdaGLQ.js +1 -0
  161. streamlit/static/static/js/{styled-components.BeEcZ0vW.js → styled-components.iD1HRMLc.js} +1 -1
  162. streamlit/static/static/js/{throttle.emUyC44c.js → throttle.DR7d9vp_.js} +1 -1
  163. streamlit/static/static/js/{timepicker.DZ_ZufYF.js → timepicker.Bd34xjcG.js} +4 -4
  164. streamlit/static/static/js/{toConsumableArray.DDV1bN1-.js → toConsumableArray.BDTTq1c5.js} +2 -2
  165. streamlit/static/static/js/uniqueId.Bd_Iuzvc.js +1 -0
  166. streamlit/static/static/js/useBasicWidgetState.BXKaD8DQ.js +1 -0
  167. streamlit/static/static/js/{useIntlLocale.BBDLbTq9.js → useIntlLocale.CysOvegI.js} +1 -1
  168. streamlit/static/static/js/{useTextInputAutoExpand.BIApLJKn.js → useTextInputAutoExpand.CVd5Hf2S.js} +1 -1
  169. streamlit/static/static/js/{useUpdateUiValue.DQ4RuJNC.js → useUpdateUiValue.CIUgfO8X.js} +1 -1
  170. streamlit/static/static/js/{useWaveformController.B0olyXLQ.js → useWaveformController.CDLqlnLv.js} +1 -1
  171. streamlit/static/static/js/{withCalculatedWidth.DYeqePuh.js → withCalculatedWidth.Ce1Zblb2.js} +1 -1
  172. streamlit/static/static/js/{withFullScreenWrapper.DtkUCO_d.js → withFullScreenWrapper.DBm7N75M.js} +1 -1
  173. streamlit/static/static/media/MaterialSymbols-Rounded.CnH1S47a.woff2 +0 -0
  174. streamlit/testing/v1/app_test.py +21 -5
  175. streamlit/testing/v1/element_tree.py +65 -2
  176. streamlit/web/server/app_static_file_handler.py +9 -0
  177. streamlit/web/server/bidi_component_request_handler.py +4 -4
  178. streamlit/web/server/component_file_utils.py +14 -6
  179. streamlit/web/server/component_request_handler.py +2 -2
  180. streamlit/web/server/starlette/starlette_app.py +7 -1
  181. streamlit/web/server/starlette/starlette_path_security_middleware.py +97 -0
  182. streamlit/web/server/starlette/starlette_routes.py +6 -3
  183. streamlit/web/server/starlette/starlette_static_routes.py +14 -4
  184. {streamlit_nightly-1.53.2.dev20260131.dist-info → streamlit_nightly-1.53.2.dev20260203.dist-info}/METADATA +1 -1
  185. {streamlit_nightly-1.53.2.dev20260131.dist-info → streamlit_nightly-1.53.2.dev20260203.dist-info}/RECORD +188 -184
  186. streamlit/proto/BokehChart_pb2.pyi +0 -56
  187. streamlit/proto/LabelVisibilityMessage_pb2.py +0 -28
  188. streamlit/static/static/js/data-grid-overlay-editor.CO0xdNiG.js +0 -1
  189. streamlit/static/static/js/formatNumber.DB5irY8c.js +0 -1
  190. streamlit/static/static/js/index.BBTKOM0z.js +0 -6
  191. streamlit/static/static/js/index.CE2WIFD1.js +0 -2
  192. streamlit/static/static/js/index.Cpu2p5bH.js +0 -1
  193. streamlit/static/static/js/index.CtbETWQK.js +0 -2
  194. streamlit/static/static/js/index.DAnczAW2.js +0 -2
  195. streamlit/static/static/js/index.DhRAGiPR.js +0 -1
  196. streamlit/static/static/js/index.DyXcT2tD.js +0 -11
  197. streamlit/static/static/js/index.tuFFlbxa.js +0 -1
  198. streamlit/static/static/js/number-overlay-editor.FSRaRpbU.js +0 -9
  199. streamlit/static/static/js/sprintf.DpPCfzXw.js +0 -1
  200. streamlit/static/static/js/uniqueId.DTwvAE-J.js +0 -1
  201. streamlit/static/static/js/useBasicWidgetState.DvpdEDYZ.js +0 -1
  202. streamlit/static/static/media/MaterialSymbols-Rounded.C7IFxh57.woff2 +0 -0
  203. {streamlit_nightly-1.53.2.dev20260131.dist-info → streamlit_nightly-1.53.2.dev20260203.dist-info}/WHEEL +0 -0
  204. {streamlit_nightly-1.53.2.dev20260131.dist-info → streamlit_nightly-1.53.2.dev20260203.dist-info}/entry_points.txt +0 -0
  205. {streamlit_nightly-1.53.2.dev20260131.dist-info → streamlit_nightly-1.53.2.dev20260203.dist-info}/top_level.txt +0 -0
@@ -701,7 +701,8 @@ def create_component_routes(
701
701
  # Use build_safe_abspath to properly resolve symlinks and prevent traversal
702
702
  abspath = build_safe_abspath(component_root, filename)
703
703
  if abspath is None:
704
- raise HTTPException(status_code=403, detail="Forbidden")
704
+ # Return 400 for malicious paths (consistent with middleware behavior)
705
+ raise HTTPException(status_code=400, detail="Bad Request")
705
706
 
706
707
  try:
707
708
  async with await anyio.open_file(abspath, "rb") as file:
@@ -772,7 +773,8 @@ def create_bidi_component_routes(
772
773
 
773
774
  abspath = build_safe_abspath(component_root, filename)
774
775
  if abspath is None:
775
- return await _text_response("forbidden", 403)
776
+ # Return 400 for unsafe paths (matches Tornado behavior for opacity)
777
+ return await _text_response("Bad Request", 400)
776
778
 
777
779
  if await AsyncPath(abspath).is_dir():
778
780
  return await _text_response("not found", 404)
@@ -838,7 +840,8 @@ def create_app_static_serving_routes(
838
840
  relative_path = request.path_params.get("path", "")
839
841
  safe_path = build_safe_abspath(app_static_root, relative_path)
840
842
  if safe_path is None:
841
- raise HTTPException(status_code=404, detail="File not found")
843
+ # Return 400 for malicious paths (consistent with middleware behavior)
844
+ raise HTTPException(status_code=400, detail="Bad Request")
842
845
 
843
846
  async_path = AsyncPath(safe_path)
844
847
  if not await async_path.exists() or await async_path.is_dir():
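Review bot: The three rejection branches now share a status code but not a rationale: the comments in create_component_routes and create_app_static_serving_routes say "malicious paths (consistent with middleware behavior)", while the one in create_bidi_component_routes says "unsafe paths (matches Tornado behavior for opacity)". A `None` from build_safe_abspath only shows that the path did not resolve inside the root, and going by the comment about symlinks that may include an ordinary request hitting a link that points outside it, so "unsafe" is the more accurate word. I would use one comment in all three places, for example `# 400 for any path that does not resolve inside the root (same status as the path-security middleware)`. None of the three branches visibly logs the rejection; if build_safe_abspath does not log either, a warning-level log of the route and rejected filename would let operators see probing, now that 403 and 404 no longer mark these requests. All three functions start and end outside the hunks.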
@@ -24,6 +24,7 @@ import os
24
24
  from typing import TYPE_CHECKING, Any, Final
25
25
 
26
26
  from streamlit import file_util
27
+ from streamlit.path_security import is_unsafe_path_pattern
27
28
  from streamlit.url_util import make_url_path
28
29
  from streamlit.web.server.routes import (
29
30
  NO_CACHE_PATTERN,
@@ -51,7 +52,7 @@ def create_streamlit_static_handler(
51
52
  - Long-term caching of hashed assets
52
53
  - No-cache for HTML/manifest files
53
54
  - Trailing slash redirect (301)
54
- - Double-slash protection (403 for protocol-relative URL security)
55
+ - Double-slash protection (400 for protocol-relative URL security)
55
56
  """
56
57
  from starlette.exceptions import HTTPException
57
58
  from starlette.responses import FileResponse, RedirectResponse, Response
@@ -74,10 +75,19 @@ def create_streamlit_static_handler(
74
75
  # Security check: Block paths starting with double slash (protocol-relative
75
76
  # URL protection). A path like //example.com could be misinterpreted as a
76
77
  # protocol-relative URL if redirected, which is a security risk.
77
- # This matches Tornado's behavior where such paths would escape the static
78
- # directory and trigger a 403 Forbidden.
79
78
  if path.startswith("//"):
80
- response = Response(content="Forbidden", status_code=403)
79
+ response = Response(content="Bad Request", status_code=400)
80
+ await response(scope, receive, send)
81
+ return
82
+
83
+ # Security check: Block UNC paths, absolute paths, drive-qualified paths,
84
+ # and path traversal patterns BEFORE any filesystem operations.
85
+ # See is_unsafe_path_pattern() docstring for details.
86
+ # Strip the leading slash since paths come in as "/filename" but we check
87
+ # the relative portion.
88
+ relative_path = path.lstrip("/")
89
+ if relative_path and is_unsafe_path_pattern(relative_path):
90
+ response = Response(content="Bad Request", status_code=400)
81
91
  await response(scope, receive, send)
82
92
  return
83
93
 
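Review bot: The two rejection branches in create_streamlit_static_handler build and send the identical 400 response, so the double-slash test and the new is_unsafe_path_pattern test can share one branch: compute `relative_path = path.lstrip("/")` first, then `if path.startswith("//") or (relative_path and is_unsafe_path_pattern(relative_path)):`. Where `path` comes from is outside the hunk, and the pattern check is only meaningful if it runs on the same decoded string that is later joined to the static directory, so the comment should state that, for example `# path is the decoded request path used for the file lookup below`. The comment could also state the purpose of the `relative_path and` guard, which appears to let the empty root path through to the index handling. The function body continues outside the hunk.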
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: streamlit-nightly
3
- Version: 1.53.2.dev20260131
3
+ Version: 1.53.2.dev20260203
4
4
  Summary: A faster way to build and share data apps
5
5
  Author-email: Snowflake Inc <hello@streamlit.io>
6
6
  License-Expression: Apache-2.0