streamlit-nightly 1.53.2.dev20260202__py3-none-any.whl → 1.54.1.dev20260204__py3-none-any.whl

streamlit/elements/widgets/button_group.py

@@ -15,7 +15,6 @@
 from __future__ import annotations
 
 from collections.abc import Callable, Sequence
-from dataclasses import dataclass, field
 from typing import (
     TYPE_CHECKING,
     Any,
@@ -27,6 +26,7 @@ from typing import (
     overload,
 )
 
+from streamlit.dataframe_util import convert_anything_to_list
 from streamlit.elements.lib.form_utils import current_form_id
 from streamlit.elements.lib.layout_utils import (
     LayoutConfig,
@@ -34,9 +34,12 @@ from streamlit.elements.lib.layout_utils import (
     validate_width,
 )
 from streamlit.elements.lib.options_selector_utils import (
-    check_and_convert_to_indices,
     convert_to_sequence_and_check_comparable,
     get_default_indices,
+    maybe_coerce_enum,
+    maybe_coerce_enum_sequence,
+    validate_and_sync_multiselect_value_with_options,
+    validate_and_sync_value_with_options,
 )
 from streamlit.elements.lib.policies import (
     check_widget_policies,
@@ -77,96 +80,150 @@ V = TypeVar("V")
 SelectionMode: TypeAlias = Literal["single", "multi"]
 
 
-@dataclass
-class _MultiSelectSerde(Generic[T]):
-    """Only meant to be used internally for the button_group element.
+class _SingleSelectButtonGroupSerde(Generic[T]):
+    """String-based serde for single-select ButtonGroup widgets.
 
-    This serde is inspired by the MultiSelectSerde from multiselect.py. That serde has
-    been updated since then to support the accept_new_options parameter, which is not
-    required by the button_group element. If this changes again at some point,
-    the two elements can share the same serde again.
+    Uses string-based values (formatted option strings) for robust handling
+    of dynamic option changes.
     """
 
     options: Sequence[T]
-    default_value: list[int] = field(default_factory=list)
-
-    def serialize(self, value: list[T]) -> list[int]:
-        indices = check_and_convert_to_indices(self.options, value)
-        return indices if indices is not None else []
-
-    def deserialize(self, ui_value: list[int] | None) -> list[T]:
-        current_value: list[int] = (
-            ui_value if ui_value is not None else self.default_value
-        )
-        return [self.options[i] for i in current_value]
-
-
-class _SingleSelectSerde(Generic[T]):
-    """Only meant to be used internally for the button_group element.
-
-    Uses the ButtonGroup's _MultiSelectSerde under-the-hood, but accepts a single
-    index value and deserializes to a single index value.
-    This is because button_group can be single and multi select, but we use the same
-    proto for both and, thus, map single values to a list of values and a receiving
-    value wrapped in a list to a single value.
-
-    When a default_value is provided is provided, the option corresponding to the
-    index is serialized/deserialized.
-    """
+    formatted_options: list[str]
+    formatted_option_to_option_index: dict[str, int]
+    default_option_index: int | None
+    format_func: Callable[[Any], str]
 
     def __init__(
         self,
-        option_indices: Sequence[T],
-        default_value: list[int] | None = None,
+        options: Sequence[T],
+        *,
+        formatted_options: list[str],
+        formatted_option_to_option_index: dict[str, int],
+        default_option_index: int | None = None,
+        format_func: Callable[[Any], str] = str,
     ) -> None:
-        # see docstring about why we use MultiSelectSerde here
-        self.multiselect_serde: _MultiSelectSerde[T] = _MultiSelectSerde(
-            option_indices, default_value if default_value is not None else []
-        )
-
-    def serialize(self, value: T | None) -> list[int]:
-        _value = [value] if value is not None else []
-        return self.multiselect_serde.serialize(_value)
+        self.options = options
+        self.formatted_options = formatted_options
+        self.formatted_option_to_option_index = formatted_option_to_option_index
+        self.default_option_index = default_option_index
+        self.format_func = format_func
+
+    def serialize(self, v: T | str | None) -> list[str]:
+        """Serialize single-select value to a list of strings for wire format."""
+        if v is None:
+            return []
+        if len(self.options) == 0:
+            return []
+
+        # First, try to find the option by value in the options list
+        for index, opt in enumerate(self.options):
+            if opt == v:
+                return [self.formatted_options[index]]
+
+        # If not found by direct comparison, try by formatted string
+        try:
+            formatted_value = self.format_func(v)
+        except Exception:
+            return [str(v)]
+
+        return [formatted_value]
+
+    def deserialize(self, ui_value: list[str] | None) -> T | str | None:
+        """Deserialize from a list of strings to a single value."""
+        if len(self.options) == 0:
+            return None
 
-    def deserialize(self, ui_value: list[int] | None) -> T | None:
-        deserialized = self.multiselect_serde.deserialize(ui_value)
+        # None means initial state - use default if available
+        if ui_value is None:
+            if self.default_option_index is not None:
+                return self.options[self.default_option_index]
+            return None
 
-        if len(deserialized) == 0:
+        # Empty list means explicit deselection by user - return None
+        if len(ui_value) == 0:
             return None
 
-        return deserialized[0]
+        string_value = ui_value[0]
+
+        # Look up the option index by formatted string
+        option_index = self.formatted_option_to_option_index.get(string_value)
+        if option_index is not None:
+            return self.options[option_index]
 
+        # Value not found in options - return as-is
+        return string_value
 
-class ButtonGroupSerde(Generic[T]):
-    """A serde that can handle both single and multi select options.
 
-    It uses the same proto to wire the data, so that we can send and receive
-    single values via a list. We have different serdes for both cases though so
-    that when setting / getting the value via session_state, it is mapped correctly.
-    So for single select, the value will be a single value and for multi select, it will
-    be a list of values.
+class _MultiSelectButtonGroupSerde(Generic[T]):
+    """String-based serde for multi-select ButtonGroup widgets.
+
+    Uses string-based values (formatted option strings) for robust handling
+    of dynamic option changes.
     """
 
+    options: Sequence[T]
+    formatted_options: list[str]
+    formatted_option_to_option_index: dict[str, int]
+    default_option_indices: list[int]
+    format_func: Callable[[Any], str]
+
     def __init__(
         self,
         options: Sequence[T],
-        default_values: list[int],
-        type: Literal["single", "multi"],
+        *,
+        formatted_options: list[str],
+        formatted_option_to_option_index: dict[str, int],
+        default_option_indices: list[int] | None = None,
+        format_func: Callable[[Any], str] = str,
     ) -> None:
         self.options = options
-        self.default_values = default_values
-        self.type = type
-        self.serde: _SingleSelectSerde[T] | _MultiSelectSerde[T] = (
-            _SingleSelectSerde(options, default_value=default_values)
-            if type == "single"
-            else _MultiSelectSerde(options, default_values)
-        )
-
-    def serialize(self, value: T | list[T] | None) -> list[int]:
-        return self.serde.serialize(cast("Any", value))
-
-    def deserialize(self, ui_value: list[int] | None) -> list[T] | T | None:
-        return self.serde.deserialize(ui_value)
+        self.formatted_options = formatted_options
+        self.formatted_option_to_option_index = formatted_option_to_option_index
+        self.default_option_indices = default_option_indices or []
+        self.format_func = format_func
+
+    def serialize(self, value: list[T | str] | list[T] | None) -> list[str]:
+        """Serialize multi-select values to list of strings for wire format."""
+        if value is None:
+            return []
+        converted_value = convert_anything_to_list(value)
+        values: list[str] = []
+        for v in converted_value:
+            # First, try to find the option by value in the options list
+            found = False
+            for index, opt in enumerate(self.options):
+                if opt == v:
+                    values.append(self.formatted_options[index])
+                    found = True
+                    break
+
+            if found:
+                continue
+
+            # If not found by direct comparison, try by formatted string
+            try:
+                formatted_value = self.format_func(v)
+            except Exception:
+                values.append(str(v))
+                continue
+
+            values.append(formatted_value)
+        return values
+
+    def deserialize(self, ui_value: list[str] | None) -> list[T | str] | list[T]:
+        """Deserialize from list of strings to list of values."""
+        if ui_value is None:
+            return [self.options[i] for i in self.default_option_indices]
+
+        values: list[T | str] = []
+        for v in ui_value:
+            option_index = self.formatted_option_to_option_index.get(v)
+            if option_index is not None:
+                values.append(self.options[option_index])
+            else:
+                # Value not found in options - append as-is
+                values.append(v)
+        return values
 
 
 def _build_proto(
@@ -695,11 +752,14 @@ class ButtonGroupMixin:
     ) -> list[V] | V | None:
         maybe_raise_label_warnings(label, label_visibility)
 
+        # Use str as default format_func
+        actual_format_func: Callable[[Any], str] = format_func or str
+
         def _transformed_format_func(option: V) -> ButtonGroupProto.Option:
             """If option starts with a material icon or an emoji, we extract it to send
             it parsed to the frontend.
             """
-            transformed = format_func(option) if format_func else str(option)
+            transformed = actual_format_func(option)
             transformed_parts = transformed.split(" ")
             icon: str | None = None
             if len(transformed_parts) > 0:
@@ -725,11 +785,42 @@ class ButtonGroupMixin:
         indexable_options = convert_to_sequence_and_check_comparable(options)
         default_values = get_default_indices(indexable_options, default)
 
-        serde: ButtonGroupSerde[V] = ButtonGroupSerde[V](
-            indexable_options, default_values, selection_mode
-        )
+        # Create string-based mappings for the serde
+        formatted_options: list[str] = []
+        formatted_option_to_option_index: dict[str, int] = {}
+        for index, option in enumerate(indexable_options):
+            formatted = actual_format_func(option)
+            formatted_options.append(formatted)
+            # If formatted labels are duplicated, the last one wins. We keep this
+            # behavior to mirror radio/selectbox/multiselect.
+            formatted_option_to_option_index[formatted] = index
+
+        # Create appropriate serde based on selection mode
+        serializer: WidgetSerializer[Any]
+        deserializer: WidgetDeserializer[Any]
+        if selection_mode == "multi":
+            multi_serde = _MultiSelectButtonGroupSerde[V](
+                indexable_options,
+                formatted_options=formatted_options,
+                formatted_option_to_option_index=formatted_option_to_option_index,
+                default_option_indices=default_values,
+                format_func=actual_format_func,
+            )
+            serializer = multi_serde.serialize
+            deserializer = multi_serde.deserialize
+        else:
+            single_serde = _SingleSelectButtonGroupSerde[V](
+                indexable_options,
+                formatted_options=formatted_options,
+                formatted_option_to_option_index=formatted_option_to_option_index,
+                default_option_index=default_values[0] if default_values else None,
+                format_func=actual_format_func,
+            )
+            serializer = single_serde.serialize
+            deserializer = single_serde.deserialize
 
-        res = self._button_group(
+        # Single call to _button_group with the appropriate serde
+        result: RegisterWidgetResult[Any] = self._button_group(
             indexable_options,
             default=default_values,
             selection_mode=selection_mode,
@@ -738,20 +829,28 @@ class ButtonGroupMixin:
             key=key,
             help=help,
             style=style,
-            serializer=serde.serialize,
-            deserializer=serde.deserialize,
+            serializer=serializer,
+            deserializer=deserializer,
             on_change=on_change,
             args=args,
             kwargs=kwargs,
             label=label,
             label_visibility=label_visibility,
             width=width,
+            options_format_func=actual_format_func,
         )
 
+        # Handle return type based on selection mode
         if selection_mode == "multi":
-            return res.value
+            multi_res = cast("RegisterWidgetResult[list[V] | list[V | str]]", result)
+            multi_res = maybe_coerce_enum_sequence(
+                multi_res, options, indexable_options
+            )
+            return cast("list[V]", multi_res.value)
 
-        return res.value
+        single_res = cast("RegisterWidgetResult[V | str | None]", result)
+        single_res = maybe_coerce_enum(single_res, options, indexable_options)
+        return cast("V | None", single_res.value)
 
     def _button_group(
         self,
@@ -772,6 +871,7 @@ class ButtonGroupMixin:
         label_visibility: LabelVisibility = "visible",
         help: str | None = None,
         width: Width = "content",
+        options_format_func: Callable[[Any], str] | None = None,
     ) -> RegisterWidgetResult[T]:
         _maybe_raise_selection_mode_warning(selection_mode)
 
@@ -826,10 +926,7 @@ class ButtonGroupMixin:
         element_id = compute_and_register_element_id(
             style,
             user_key=key,
-            # Treat the provided key as the main identity for segmented_control and pills,
-            # and only include kwargs that can invalidate the current selection.
-            # We whitelist the formatted options and the click mode (single vs multi).
-            key_as_main_identity={"options", "click_mode"},
+            key_as_main_identity={"click_mode"},
             dg=self.dg,
             options=formatted_options,
             default=default,
@@ -861,11 +958,40 @@ class ButtonGroupMixin:
             deserializer=deserializer,
             serializer=serializer,
             ctx=ctx,
-            value_type="int_array_value",
+            value_type="string_array_value",
         )
 
-        if widget_state.value_changed:
-            proto.value[:] = serializer(widget_state.value)
+        # Validate and sync value with options for pills/segmented_control
+        value_needs_reset = False
+        current_value: T | list[T] | list[T | str] | None = widget_state.value
+        if options_format_func is not None:
+            if selection_mode == "single":
+                # Single select: validate and possibly reset to default
+                default_index = default[0] if default else None
+                current_value, value_needs_reset = validate_and_sync_value_with_options(
+                    cast("T | None", widget_state.value),
+                    indexable_options,
+                    default_index,
+                    key,
+                    options_format_func,
+                )
+            else:
+                # Multi select: filter out invalid values
+                current_value, value_needs_reset = (
+                    validate_and_sync_multiselect_value_with_options(
+                        cast("list[T] | list[T | str]", widget_state.value),
+                        indexable_options,
+                        key,
+                        options_format_func,
+                    )
+                )
+
+        if value_needs_reset or widget_state.value_changed:
+            # Always use string-based raw_values field
+            value_for_serialization = (
+                current_value if value_needs_reset else widget_state.value
+            )
+            proto.raw_values[:] = serializer(cast("T", value_for_serialization))
             proto.set_value = True
 
         if ctx:
@@ -873,6 +999,15 @@ class ButtonGroupMixin:
 
         self.dg._enqueue("button_group", proto, layout_config=layout_config)
 
+        # Return widget_state with possibly updated value
+        if value_needs_reset:
+            from streamlit.runtime.state.common import RegisterWidgetResult
+
+            return RegisterWidgetResult(
+                cast("T", current_value),
+                widget_state.value_changed or value_needs_reset,
+            )
+
         return widget_state
 
     @property

streamlit/elements/widgets/data_editor.py

@@ -63,7 +63,7 @@ from streamlit.elements.lib.pandas_styler_utils import marshall_styler
 from streamlit.elements.lib.policies import check_widget_policies
 from streamlit.elements.lib.utils import Key, compute_and_register_element_id, to_key
 from streamlit.errors import StreamlitAPIException
-from streamlit.proto.Arrow_pb2 import Arrow as ArrowProto
+from streamlit.proto.Dataframe_pb2 import Dataframe as DataframeProto
 from streamlit.runtime.metrics_util import gather_metrics
 from streamlit.runtime.scriptrunner_utils.script_run_context import get_script_run_ctx
 from streamlit.runtime.state import (
@@ -1093,7 +1093,7 @@ class DataEditorMixin:
             placeholder=placeholder,
         )
 
-        proto = ArrowProto()
+        proto = DataframeProto()
         proto.id = element_id
 
         if row_height:
@@ -1110,13 +1110,13 @@ class DataEditorMixin:
         proto.disabled = disabled is True
 
         if num_rows == "dynamic":
-            proto.editing_mode = ArrowProto.EditingMode.DYNAMIC
+            proto.editing_mode = DataframeProto.EditingMode.DYNAMIC
         elif num_rows == "add":
-            proto.editing_mode = ArrowProto.EditingMode.ADD_ONLY
+            proto.editing_mode = DataframeProto.EditingMode.ADD_ONLY
         elif num_rows == "delete":
-            proto.editing_mode = ArrowProto.EditingMode.DELETE_ONLY
+            proto.editing_mode = DataframeProto.EditingMode.DELETE_ONLY
         else:
-            proto.editing_mode = ArrowProto.EditingMode.FIXED
+            proto.editing_mode = DataframeProto.EditingMode.FIXED
 
         proto.form_id = current_form_id(self.dg)
 
@@ -1132,9 +1132,9 @@ class DataEditorMixin:
             # rendering in the data editor.
             styler_uuid = calc_md5(key or self.dg._get_delta_path_str())[:10]
             data.set_uuid(styler_uuid)  # ty: ignore[call-non-callable, possibly-missing-attribute]
-            marshall_styler(proto, data, styler_uuid)
+            marshall_styler(proto.arrow_data, data, styler_uuid)
 
-        proto.data = arrow_bytes
+        proto.arrow_data.data = arrow_bytes
 
         marshall_column_config(proto, column_config_mapping)
 
@@ -1159,7 +1159,7 @@ class DataEditorMixin:
         )
 
         _apply_dataframe_edits(data_df, widget_state.value, dataframe_schema)
-        self.dg._enqueue("arrow_data_frame", proto, layout_config=layout_config)
+        self.dg._enqueue("dataframe", proto, layout_config=layout_config)
         return dataframe_util.convert_pandas_df_to_data_format(data_df, data_format)
 
     @property

streamlit/elements/widgets/radio.py

@@ -108,13 +108,17 @@ class RadioSerde(Generic[T]):
             formatted_value = self.format_func(v)
         except Exception:
             # format_func failed (e.g., v is a string but format_func expects
-            # an object with specific attributes). Treat v as a raw string.
-            return cast("str", v)
+            # an object with specific attributes). Use str(v) to ensure we return
+            # a proper string, not the original object. This handles both cases:
+            # - v is already a string -> str(v) returns it unchanged
+            # - v is a custom object -> str(v) gives its string representation
+            return str(v)
 
         if formatted_value in self.formatted_option_to_option_index:
             return formatted_value
-        # Value not found in options - return as raw string
-        return cast("str", v)
+        # Value not found in options - return the formatted string (not the original
+        # object) to maintain type consistency since serialize() must return str|None
+        return formatted_value
 
     def deserialize(self, ui_value: str | None) -> T | str | None:
         # If no options, there's no valid value - return None

streamlit/hello/dataframe_demo.py

@@ -26,7 +26,7 @@ def data_frame_demo() -> None:
     def get_un_data() -> pd.DataFrame:
         aws_bucket_url = "https://streamlit-demo-data.s3-us-west-2.amazonaws.com"
         df = pd.read_csv(aws_bucket_url + "/agri.csv.gz")
-        return df.set_index("Region")
+        return df.set_index("Region")  # type: ignore[no-any-return, unused-ignore]
 
     try:
         df = get_un_data()

streamlit/path_security.py

@@ -0,0 +1,98 @@
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2026)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Shared path security utilities for preventing path traversal and SSRF attacks.
+
+This module provides a centralized implementation for path validation that is
+used by multiple parts of the codebase. Having a single implementation ensures
+consistent security checks and avoids divergent behavior between components.
+
+Security Context
+----------------
+These checks are designed to run BEFORE any filesystem operations (like
+``os.path.realpath()``) to prevent Windows from triggering SMB connections
+to attacker-controlled servers when resolving UNC paths. This prevents
+SSRF attacks and NTLM hash disclosure.
+"""
+
+from __future__ import annotations
+
+import os
+import string
+
+
+def is_unsafe_path_pattern(path: str) -> bool:
+    r"""Return True if path contains UNC, absolute, drive, or traversal patterns.
+
+    This function checks for dangerous path patterns that could lead to:
+    - SSRF attacks via Windows UNC path resolution
+    - NTLM hash disclosure via SMB connections
+    - Path traversal outside intended directories
+    - Path truncation via null bytes
+
+    IMPORTANT: This check must run BEFORE any ``os.path.realpath()`` calls
+    to prevent Windows from triggering SMB connections to attacker-controlled
+    servers.
+
+    Parameters
+    ----------
+    path : str
+        The path string to validate.
+
+    Returns
+    -------
+    bool
+        True if the path contains unsafe patterns, False if it appears safe
+        for further processing.
+
+    Examples
+    --------
+    >>> is_unsafe_path_pattern("subdir/file.js")
+    False
+    >>> is_unsafe_path_pattern("\\\\server\\share")
+    True
+    >>> is_unsafe_path_pattern("../../../etc/passwd")
+    True
+    >>> is_unsafe_path_pattern("C:\\Windows\\system32")
+    True
+    """
+    # Null bytes can be used for path truncation attacks
+    if "\x00" in path:
+        return True
+
+    # UNC paths (Windows network shares, including \\?\ and \\.\ prefixes)
+    if path.startswith(("\\\\", "//")):
+        return True
+
+    # Windows drive paths (e.g. C:\, D:foo) - on Windows, os.path.realpath() on a
+    # drive path can trigger SMB connections if the drive is mapped to a network share.
+    # This enables SSRF attacks and NTLM hash disclosure. We reject all drive-qualified
+    # paths including drive-relative paths like "C:foo" which resolve against the current
+    # directory of that drive. Checked on all platforms for defense-in-depth and
+    # testability (CI runs on Linux).
+    if len(path) >= 2 and path[0] in string.ascii_letters and path[1] == ":":
+        return True
+
+    # Rooted backslash or forward slash (absolute paths)
+    if path.startswith(("\\", "/")):
+        return True
+
+    # Also check os.path.isabs for platform-specific absolute path detection
+    if os.path.isabs(path):
+        return True
+
+    # Path traversal - check segments after normalizing separators
+    normalized = path.replace("\\", "/")
+    segments = [seg for seg in normalized.split("/") if seg]
+    return ".." in segments

streamlit/proto/ArrowData_pb2.py

@@ -14,13 +14,15 @@ _sym_db = _symbol_database.Default()
 
 
 
-DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x1fstreamlit/proto/ArrowData.proto\"\x19\n\tArrowData\x12\x0c\n\x04\x64\x61ta\x18\x01 \x01(\x0c\x62\x06proto3')
+DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x1fstreamlit/proto/ArrowData.proto\"\x99\x01\n\tArrowData\x12\x0c\n\x04\x64\x61ta\x18\x01 \x01(\x0c\x12\'\n\x06styler\x18\x02 \x01(\x0b\x32\x17.ArrowData.PandasStyler\x1aU\n\x0cPandasStyler\x12\x0c\n\x04uuid\x18\x01 \x01(\t\x12\x0f\n\x07\x63\x61ption\x18\x02 \x01(\t\x12\x0e\n\x06styles\x18\x03 \x01(\t\x12\x16\n\x0e\x64isplay_values\x18\x04 \x01(\x0c\x62\x06proto3')
 
 _globals = globals()
 _builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, _globals)
 _builder.BuildTopDescriptorsAndMessages(DESCRIPTOR, 'streamlit.proto.ArrowData_pb2', _globals)
 if not _descriptor._USE_C_DESCRIPTORS:
   DESCRIPTOR._loaded_options = None
-  _globals['_ARROWDATA']._serialized_start=35
-  _globals['_ARROWDATA']._serialized_end=60
+  _globals['_ARROWDATA']._serialized_start=36
+  _globals['_ARROWDATA']._serialized_end=189
+  _globals['_ARROWDATA_PANDASSTYLER']._serialized_start=104
+  _globals['_ARROWDATA_PANDASSTYLER']._serialized_end=189
 # @@protoc_insertion_point(module_scope)