streamlit 1.50.0__py3-none-any.whl → 1.51.0__py3-none-any.whl

streamlit/web/server/bidi_component_request_handler.py

@@ -0,0 +1,193 @@
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Serve static assets for Custom Components v2.
+
+This module defines a Tornado ``RequestHandler`` that serves static files for
+Custom Components v2 from their registered component directories. Requests are
+resolved safely within the component's root to avoid directory traversal and are
+served with appropriate content type and cache headers. CORS headers are applied
+based on the server configuration.
+"""
+
+from __future__ import annotations
+
+import os
+from typing import TYPE_CHECKING, Final, cast
+
+import tornado.web
+
+import streamlit.web.server.routes
+from streamlit.logger import get_logger
+from streamlit.web.server.component_file_utils import (
+    build_safe_abspath,
+    guess_content_type,
+)
+
+if TYPE_CHECKING:
+    from streamlit.components.v2.component_manager import BidiComponentManager
+
+_LOGGER: Final = get_logger(__name__)
+
+
+class BidiComponentRequestHandler(tornado.web.RequestHandler):
+    """Request handler for serving Custom Components v2 static assets.
+
+    The handler resolves a requested path to a registered component's asset
+    within its component root, writes the file contents to the response, and
+    sets appropriate ``Content-Type`` and cache headers. If the component or
+    asset cannot be found, a suitable HTTP status is returned.
+    """
+
+    def initialize(self, component_manager: BidiComponentManager) -> None:
+        """Initialize the handler with the given component manager.
+
+        Parameters
+        ----------
+        component_manager : BidiComponentManager
+            Manager used to look up registered components and their root paths.
+        """
+        self._component_manager = component_manager
+
+    def get(self, path: str) -> None:
+        """Serve a component asset for the given URL path.
+
+        The first path segment is interpreted as the component name. The rest
+        of the path is resolved to a file within that component's root
+        directory. If the file exists and is readable, its bytes are written to
+        the response and the ``Content-Type`` header is set based on the file
+        type.
+
+        Parameters
+        ----------
+        path : str
+            Request path in the form ``"<component_name>/<relative_file>"``.
+
+        Notes
+        -----
+        This method writes directly to the response and sets appropriate HTTP
+        status codes on error (``404`` for missing components/files, ``403`` for
+        forbidden paths).
+        """
+        parts = path.split("/")
+        component_name = parts[0]
+        component_def = self._component_manager.get(component_name)
+        if component_def is None:
+            self.write("not found")
+            self.set_status(404)
+            return
+
+        # Get the component path from the component manager
+        component_path = self._component_manager.get_component_path(component_name)
+        if component_path is None:
+            self.write("not found")
+            self.set_status(404)
+            return
+
+        # Build a safe absolute path within the component root
+        filename = "/".join(parts[1:])
+        # If no file segment is provided (e.g. only component name or trailing slash),
+        # treat as not found rather than attempting to open a directory.
+        if not filename or filename.endswith("/"):
+            self.write("not found")
+            self.set_status(404)
+            return
+        abspath = build_safe_abspath(component_path, filename)
+        if abspath is None:
+            self.write("forbidden")
+            self.set_status(403)
+            return
+
+        # If the resolved path is a directory, return 404 not found.
+        if os.path.isdir(abspath):
+            self.write("not found")
+            self.set_status(404)
+            return
+
+        try:
+            with open(abspath, "rb") as file:
+                contents = file.read()
+        except OSError:
+            sanitized_abspath = abspath.replace("\n", "").replace("\r", "")
+            _LOGGER.exception(
+                "BidiComponentRequestHandler: GET %s read error", sanitized_abspath
+            )
+            self.write("read error")
+            self.set_status(404)
+            return
+
+        self.write(contents)
+        self.set_header("Content-Type", guess_content_type(abspath))
+
+        self.set_extra_headers(path)
+
+    def set_extra_headers(self, path: str) -> None:
+        """Disable cache for HTML files.
+
+        We assume other assets like JS and CSS are suffixed with their hash, so
+        they can be cached indefinitely.
+        """
+        if path.endswith(".html"):
+            self.set_header("Cache-Control", "no-cache")
+        else:
+            self.set_header("Cache-Control", "public")
+
+    def set_default_headers(self) -> None:
+        """Set default CORS headers based on server configuration.
+
+        If cross-origin requests are fully allowed, ``Access-Control-Allow-
+        Origin`` is set to ``"*"``. Otherwise, if the request ``Origin`` header
+        is an allowed origin, the header is echoed back.
+        """
+        if streamlit.web.server.routes.allow_all_cross_origin_requests():
+            self.set_header("Access-Control-Allow-Origin", "*")
+        elif streamlit.web.server.routes.is_allowed_origin(
+            origin := self.request.headers.get("Origin")
+        ):
+            self.set_header("Access-Control-Allow-Origin", cast("str", origin))
+
+    def options(self) -> None:
+        """Handle preflight CORS requests.
+
+        Returns
+        -------
+        None
+            Responds with HTTP ``204 No Content`` to indicate that the actual
+            request can proceed.
+        """
+        self.set_status(204)
+        self.finish()
+
+    @staticmethod
+    def get_url(file_id: str) -> str:
+        """Return the URL for a component asset identified by ``file_id``.
+
+        Parameters
+        ----------
+        file_id : str
+            Component file identifier (typically a relative path or hashed
+            filename).
+
+        Returns
+        -------
+        str
+            Relative URL path for the resource, to be joined with the server
+            base URL.
+
+        Examples
+        --------
+        >>> BidiComponentRequestHandler.get_url("my_component/main.js")
+        '_stcore/bidi-components/my_component/main.js'
+        """
+        return f"_stcore/bidi-components/{file_id}"

streamlit/web/server/component_file_utils.py

@@ -0,0 +1,97 @@
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+"""Utilities for safely resolving component asset paths and content types.
+
+These helpers are used by server handlers to construct safe absolute paths for
+component files and to determine the appropriate ``Content-Type`` header for
+responses. Path resolution prevents directory traversal by normalizing and
+checking real paths against a component's root directory.
+"""
+
+from __future__ import annotations
+
+import mimetypes
+import os
+from typing import Final
+
+_OCTET_STREAM: Final[str] = "application/octet-stream"
+
+
+def build_safe_abspath(component_root: str, relative_url_path: str) -> str | None:
+    """Build an absolute path inside ``component_root`` if safe.
+
+    The function joins ``relative_url_path`` with ``component_root`` and
+    normalizes and resolves symlinks. If the resulting path escapes the
+    component root, ``None`` is returned to indicate a forbidden traversal.
+
+    Parameters
+    ----------
+    component_root : str
+        Absolute path to the component's root directory.
+    relative_url_path : str
+        Relative URL path from the component root to the requested file.
+
+    Returns
+    -------
+    str or None
+        The resolved absolute path if it stays within ``component_root``;
+        otherwise ``None`` when the path would traverse outside the root.
+    """
+    root_real = os.path.realpath(component_root)
+    candidate = os.path.normpath(os.path.join(root_real, relative_url_path))
+    candidate_real = os.path.realpath(candidate)
+
+    try:
+        # Ensure the candidate stays within the real component root
+        if os.path.commonpath([root_real, candidate_real]) != root_real:
+            return None
+    except ValueError:
+        # On some platforms, commonpath can raise if drives differ; treat as forbidden.
+        return None
+
+    return candidate_real
+
+
+def guess_content_type(abspath: str) -> str:
+    """Guess the HTTP ``Content-Type`` for a file path.
+
+    This logic mirrors Tornado's ``StaticFileHandler`` by respecting encoding
+    metadata from ``mimetypes.guess_type`` and falling back to
+    ``application/octet-stream`` when no specific type can be determined.
+
+    Parameters
+    ----------
+    abspath : str
+        Absolute file path used for type detection (only the suffix matters).
+
+    Returns
+    -------
+    str
+        Guessed content type string suitable for the ``Content-Type`` header.
+    """
+    mime_type, encoding = mimetypes.guess_type(abspath)
+    # per RFC 6713, use the appropriate type for a gzip compressed file
+    if encoding == "gzip":
+        return "application/gzip"
+    # As of 2015-07-21 there is no bzip2 encoding defined at
+    # http://www.iana.org/assignments/media-types/media-types.xhtml
+    # So for that (and any other encoding), use octet-stream.
+    if encoding is not None:
+        return _OCTET_STREAM
+    if mime_type is not None:
+        return mime_type
+    # if mime_type not detected, use application/octet-stream
+    return _OCTET_STREAM

streamlit/web/server/component_request_handler.py

@@ -14,14 +14,16 @@
 
 from __future__ import annotations
 
-import mimetypes
-import os
 from typing import TYPE_CHECKING, Final, cast
 
 import tornado.web
 
 import streamlit.web.server.routes
 from streamlit.logger import get_logger
+from streamlit.web.server.component_file_utils import (
+    build_safe_abspath,
+    guess_content_type,
+)
 
 if TYPE_CHECKING:
     from streamlit.components.types.base_component_registry import BaseComponentRegistry
@@ -42,13 +44,10 @@ class ComponentRequestHandler(tornado.web.RequestHandler):
             self.set_status(404)
             return
 
-        # follow symlinks to get an accurate normalized path
-        component_root = os.path.realpath(component_root)
+        # Build a safe absolute path within the component root
         filename = "/".join(parts[1:])
-        abspath = os.path.normpath(os.path.join(component_root, filename))
-
-        # Do NOT expose anything outside of the component root.
-        if os.path.commonpath([component_root, abspath]) != component_root:
+        abspath = build_safe_abspath(component_root, filename)
+        if abspath is None:
             self.write("forbidden")
             self.set_status(403)
             return
@@ -100,19 +99,7 @@ class ComponentRequestHandler(tornado.web.RequestHandler):
         """Returns the ``Content-Type`` header to be used for this request.
         From tornado.web.StaticFileHandler.
         """
-        mime_type, encoding = mimetypes.guess_type(abspath)
-        # per RFC 6713, use the appropriate type for a gzip compressed file
-        if encoding == "gzip":
-            return "application/gzip"
-        # As of 2015-07-21 there is no bzip2 encoding defined at
-        # http://www.iana.org/assignments/media-types/media-types.xhtml
-        # So for that (and any other encoding), use octet-stream.
-        if encoding is not None:
-            return "application/octet-stream"
-        if mime_type is not None:
-            return mime_type
-        # if mime_type not detected, use application/octet-stream
-        return "application/octet-stream"
+        return guess_content_type(abspath)
 
     @staticmethod
     def get_url(file_id: str) -> str:

streamlit/web/server/oidc_mixin.py

@@ -16,7 +16,7 @@
 
 from __future__ import annotations
 
-from typing import TYPE_CHECKING, Any, Callable, cast
+from typing import TYPE_CHECKING, Any, cast
 
 from authlib.integrations.base_client import (
     BaseApp,
@@ -32,6 +32,8 @@ from authlib.integrations.requests_client import (
 from streamlit.web.server.authlib_tornado_integration import TornadoIntegration
 
 if TYPE_CHECKING:
+    from collections.abc import Callable
+
     import tornado.web
 
     from streamlit.auth_util import AuthCache

streamlit/web/server/routes.py

@@ -16,7 +16,7 @@ from __future__ import annotations
 
 import os
 import re
-from typing import TYPE_CHECKING, Any, Callable, Final, cast
+from typing import TYPE_CHECKING, Any, Final, cast
 
 import tornado.web
 
@@ -28,7 +28,7 @@ from streamlit.web.server.server_util import (
 )
 
 if TYPE_CHECKING:
-    from collections.abc import Awaitable, Sequence
+    from collections.abc import Awaitable, Callable, Sequence
 
 
 # Files that match this pattern do not get cached.

streamlit/web/server/server.py

@@ -38,6 +38,9 @@ from streamlit.web.cache_storage_manager_config import (
     create_default_cache_storage_manager,
 )
 from streamlit.web.server.app_static_file_handler import AppStaticFileHandler
+from streamlit.web.server.bidi_component_request_handler import (
+    BidiComponentRequestHandler,
+)
 from streamlit.web.server.browser_websocket_handler import BrowserWebSocketHandler
 from streamlit.web.server.component_request_handler import ComponentRequestHandler
 from streamlit.web.server.media_file_handler import MediaFileHandler
@@ -133,6 +136,7 @@ UNIX_SOCKET_PREFIX: Final = "unix://"
 # as the endpoints in frontend/connection/src/DefaultStreamlitEndpoints
 MEDIA_ENDPOINT: Final = "/media"
 COMPONENT_ENDPOINT: Final = "/component"
+BIDI_COMPONENT_ENDPOINT: Final = "/_stcore/bidi-components"
 STATIC_SERVING_ENDPOINT: Final = "/app/static"
 UPLOAD_FILE_ENDPOINT: Final = "/_stcore/upload_file"
 STREAM_ENDPOINT: Final = r"_stcore/stream"
@@ -395,6 +399,11 @@ class Server:
                 ComponentRequestHandler,
                 {"registry": self._runtime.component_registry},
             ),
+            (
+                make_url_path_regex(base, f"{BIDI_COMPONENT_ENDPOINT}/(.*)"),
+                BidiComponentRequestHandler,
+                {"component_manager": self._runtime.bidi_component_registry},
+            ),
         ]
 
         if config.get_option("server.scriptHealthCheckEnabled"):

streamlit/web/server/server_util.py

@@ -16,7 +16,7 @@
 
 from __future__ import annotations
 
-from typing import TYPE_CHECKING, Callable, Final, Literal, cast
+from typing import TYPE_CHECKING, Final, Literal, cast
 from urllib.parse import urljoin
 
 from streamlit import config, net_util, url_util
@@ -24,6 +24,8 @@ from streamlit.runtime.secrets import secrets_singleton
 from streamlit.type_util import is_version_less_than
 
 if TYPE_CHECKING:
+    from collections.abc import Callable
+
     from tornado.web import RequestHandler
 
 # The port used for internal development.

streamlit/web/server/upload_file_request_handler.py

@@ -14,7 +14,7 @@
 
 from __future__ import annotations
 
-from typing import TYPE_CHECKING, Any, Callable, cast
+from typing import TYPE_CHECKING, Any, cast
 
 import tornado.httputil
 import tornado.web
@@ -25,6 +25,8 @@ from streamlit.web.server import routes, server_util
 from streamlit.web.server.server_util import is_xsrf_enabled
 
 if TYPE_CHECKING:
+    from collections.abc import Callable
+
     from streamlit.runtime.memory_uploaded_file_manager import MemoryUploadedFileManager
 
 

{streamlit-1.50.0.dist-info → streamlit-1.51.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: streamlit
-Version: 1.50.0
+Version: 1.51.0
 Summary: A faster way to build and share data apps
 Home-page: https://streamlit.io
 Author: Snowflake Inc
@@ -18,7 +18,6 @@ Classifier: Environment :: Web Environment
 Classifier: Intended Audience :: Developers
 Classifier: Intended Audience :: Science/Research
 Classifier: License :: OSI Approved :: Apache Software License
-Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
@@ -29,7 +28,7 @@ Classifier: Topic :: Scientific/Engineering :: Information Analysis
 Classifier: Topic :: Scientific/Engineering :: Visualization
 Classifier: Topic :: Software Development :: Libraries :: Application Frameworks
 Classifier: Topic :: Software Development :: Widget Sets
-Requires-Python: >=3.9, !=3.9.7
+Requires-Python: >=3.10
 Description-Content-Type: text/markdown
 Requires-Dist: altair!=5.4.0,!=5.4.1,<6,>=4.0
 Requires-Dist: blinker<2,>=1.5.0
@@ -38,9 +37,9 @@ Requires-Dist: click<9,>=7.0
 Requires-Dist: numpy<3,>=1.23
 Requires-Dist: packaging<26,>=20
 Requires-Dist: pandas<3,>=1.4.0
-Requires-Dist: pillow<12,>=7.1.0
+Requires-Dist: pillow<13,>=7.1.0
 Requires-Dist: protobuf<7,>=3.20
-Requires-Dist: pyarrow>=7.0
+Requires-Dist: pyarrow<22,>=7.0
 Requires-Dist: requests<3,>=2.27
 Requires-Dist: tenacity<10,>=8.1.0
 Requires-Dist: toml<2,>=0.10.1