streamlit 1.53.1__py3-none-any.whl → 1.54.0__py3-none-any.whl

streamlit/web/server/app_static_file_handler.py

@@ -21,6 +21,7 @@ from typing import Final
 import tornado.web
 
 from streamlit.logger import get_logger
+from streamlit.path_security import is_unsafe_path_pattern
 
 _LOGGER: Final = get_logger(__name__)
 
@@ -53,6 +54,14 @@ class AppStaticFileHandler(tornado.web.StaticFileHandler):
     def initialize(self, path: str, default_filename: str | None = None) -> None:
         super().initialize(path, default_filename)
 
+    @classmethod
+    def get_absolute_path(cls, root: str, path: str) -> str:
+        # SECURITY: Validate path pattern BEFORE any filesystem operations.
+        # See is_unsafe_path_pattern() docstring for details.
+        if is_unsafe_path_pattern(path):
+            raise tornado.web.HTTPError(400, "Bad Request")
+        return super().get_absolute_path(root, path)
+
     def validate_absolute_path(self, root: str, absolute_path: str) -> str | None:
         full_path = os.path.abspath(absolute_path)
 

streamlit/web/server/bidi_component_request_handler.py

@@ -77,8 +77,8 @@ class BidiComponentRequestHandler(tornado.web.RequestHandler):
         Notes
         -----
         This method writes directly to the response and sets appropriate HTTP
-        status codes on error (``404`` for missing components/files, ``403`` for
-        forbidden paths).
+        status codes on error (``404`` for missing components/files, ``400`` for
+        unsafe paths).
         """
         parts = path.split("/")
         component_name = parts[0]
@@ -105,8 +105,8 @@ class BidiComponentRequestHandler(tornado.web.RequestHandler):
             return
         abspath = build_safe_abspath(component_path, filename)
         if abspath is None:
-            self.write("forbidden")
-            self.set_status(403)
+            self.write("Bad Request")
+            self.set_status(400)
             return
 
         # If the resolved path is a directory, return 404 not found.

streamlit/web/server/component_file_utils.py

@@ -27,15 +27,18 @@ import mimetypes
 import os
 from typing import Final
 
+from streamlit.path_security import is_unsafe_path_pattern
+
 _OCTET_STREAM: Final[str] = "application/octet-stream"
 
 
 def build_safe_abspath(component_root: str, relative_url_path: str) -> str | None:
-    """Build an absolute path inside ``component_root`` if safe.
+    r"""Build an absolute path inside ``component_root`` if safe.
 
-    The function joins ``relative_url_path`` with ``component_root`` and
-    normalizes and resolves symlinks. If the resulting path escapes the
-    component root, ``None`` is returned to indicate a forbidden traversal.
+    The function first validates that ``relative_url_path`` does not contain
+    dangerous patterns using :func:`~streamlit.path_security.is_unsafe_path_pattern`,
+    then joins it with ``component_root`` and resolves symlinks.
+    Returns ``None`` if the path is rejected by security checks or escapes the root.
 
     Parameters
     ----------
@@ -43,13 +46,18 @@ def build_safe_abspath(component_root: str, relative_url_path: str) -> str | Non
         Absolute path to the component's root directory.
     relative_url_path : str
         Relative URL path from the component root to the requested file.
+        Must be a simple relative path without dangerous patterns.
 
     Returns
     -------
     str or None
-        The resolved absolute path if it stays within ``component_root``;
-        otherwise ``None`` when the path would traverse outside the root.
+        The resolved absolute path if it passes all validation and stays
+        within ``component_root``; otherwise ``None``.
     """
+    # See is_unsafe_path_pattern() for security details.
+    if is_unsafe_path_pattern(relative_url_path):
+        return None
+
     root_real = os.path.realpath(component_root)
     candidate = os.path.normpath(os.path.join(root_real, relative_url_path))
     candidate_real = os.path.realpath(candidate)

streamlit/web/server/component_request_handler.py

@@ -48,8 +48,8 @@ class ComponentRequestHandler(tornado.web.RequestHandler):
         filename = "/".join(parts[1:])
         abspath = build_safe_abspath(component_root, filename)
         if abspath is None:
-            self.write("forbidden")
-            self.set_status(403)
+            self.write("Bad Request")
+            self.set_status(400)
             return
         try:
             with open(abspath, "rb") as file:

streamlit/web/server/oauth_authlib_routes.py

@@ -15,18 +15,20 @@ from __future__ import annotations
 
 import json
 from typing import Any, Final, cast
-from urllib.parse import urlencode, urlparse
 
 import tornado.web
 
 from streamlit.auth_util import (
     AuthCache,
+    build_logout_url,
     clear_cookie_and_chunks,
     decode_provider_token,
     generate_default_provider_section,
     get_cookie_with_chunks,
+    get_origin_from_redirect_uri,
     get_redirect_uri,
     get_secrets_auth_section,
+    get_validated_redirect_uri,
     set_cookie_with_chunks,
 )
 from streamlit.errors import StreamlitAuthError
@@ -179,21 +181,6 @@ class AuthLogoutHandler(AuthHandlerMixin, tornado.web.RequestHandler):
         else:
             self.redirect_to_base()
 
-    def _get_redirect_uri(self) -> str | None:
-        auth_section = get_secrets_auth_section()
-        if not auth_section:
-            return None
-
-        redirect_uri = get_redirect_uri(auth_section)
-        if not redirect_uri:
-            return None
-
-        if not redirect_uri.endswith("/oauth2callback"):
-            _LOGGER.warning("Redirect URI does not end with /oauth2callback")
-            return None
-
-        return redirect_uri
-
     def _get_provider_logout_url(self) -> str | None:
         """Get the OAuth provider's logout URL from OIDC metadata."""
         cookie_value = get_cookie_with_chunks(self._get_signed_cookie, AUTH_COOKIE_NAME)
@@ -219,17 +206,13 @@ class AuthLogoutHandler(AuthHandlerMixin, tornado.web.RequestHandler):
             # Use redirect_uri (i.e. /oauth2callback) for post_logout_redirect_uri
             # This is safer than redirecting to root as some providers seem to
             # require url to be in a whitelist /oauth2callback should be whitelisted
-            redirect_uri = self._get_redirect_uri()
+            redirect_uri = get_validated_redirect_uri()
             if redirect_uri is None:
                 _LOGGER.info("Redirect url could not be determined")
                 return None
 
-            logout_params = {
-                "client_id": client.client_id,
-                "post_logout_redirect_uri": redirect_uri,
-            }
-
-            # Add id_token_hint to logout params if it is available
+            # Get id_token_hint from tokens cookie if available
+            id_token: str | None = None
             tokens_cookie_value = get_cookie_with_chunks(
                 self._get_signed_cookie, TOKENS_COOKIE_NAME
             )
@@ -237,15 +220,16 @@ class AuthLogoutHandler(AuthHandlerMixin, tornado.web.RequestHandler):
                 try:
                     tokens = json.loads(tokens_cookie_value)
                     id_token = tokens.get("id_token")
-                    if id_token:
-                        logout_params["id_token_hint"] = id_token
                 except (json.JSONDecodeError, TypeError):
-                    _LOGGER.exception(
-                        "Error, invalid tokens cookie value.",
-                    )
+                    _LOGGER.exception("Error, invalid tokens cookie value.")
                     return None
 
-            return f"{end_session_endpoint}?{urlencode(logout_params)}"
+            return build_logout_url(
+                end_session_endpoint=end_session_endpoint,
+                client_id=client.client_id,
+                post_logout_redirect_uri=redirect_uri,
+                id_token=id_token,
+            )
 
         except Exception as e:
             _LOGGER.warning("Failed to get provider logout URL: %s", e)
@@ -327,16 +311,4 @@ class AuthCallbackHandler(AuthHandlerMixin, tornado.web.RequestHandler):
         return provider
 
     def _get_origin_from_secrets(self) -> str | None:
-        redirect_uri = None
-        auth_section = get_secrets_auth_section()
-        if auth_section:
-            redirect_uri = get_redirect_uri(auth_section)
-
-        if not redirect_uri:
-            return None
-
-        redirect_uri_parsed = urlparse(redirect_uri)
-        origin_from_redirect_uri: str = (
-            redirect_uri_parsed.scheme + "://" + redirect_uri_parsed.netloc
-        )
-        return origin_from_redirect_uri
+        return get_origin_from_redirect_uri()

streamlit/web/server/server.py

@@ -263,7 +263,7 @@ def start_listening_tcp_socket(http_server: HTTPServer) -> None:
         except OSError as e:
             # EADDRINUSE: port in use by another process
             # EACCES: port reserved by system (common on Windows, see #13521)
-            if e.errno in (errno.EADDRINUSE, errno.EACCES):
+            if e.errno in {errno.EADDRINUSE, errno.EACCES}:
                 if server_port_is_manually_set():
                     _LOGGER.error("Port %s is not available", port)  # noqa: TRY400
                     sys.exit(1)

streamlit/web/server/server_util.py

@@ -82,7 +82,7 @@ def is_url_from_allowed_origins(url: str) -> bool:
         url_util.get_hostname(origin) for origin in allowlisted_origins()
     ]
 
-    allowed_domains: list[str | None | Callable[[], str | None]] = [
+    allowed_domains: list[str | Callable[[], str | None] | None] = [
         # Check localhost first.
         "localhost",
         "0.0.0.0",  # noqa: S104
@@ -137,6 +137,28 @@ def _get_server_address_if_manually_set() -> str | None:
     return None
 
 
+def get_display_address(address: str) -> str:
+    """Get a display-friendly address for URLs shown to users.
+
+    Wildcard addresses like "0.0.0.0" (all IPv4) or "::" (all interfaces)
+    are not valid browser addresses on all platforms. This translates
+    them to "localhost" for display purposes.
+
+    Parameters
+    ----------
+    address
+        The server address (IP or hostname).
+
+    Returns
+    -------
+    str
+        Address suitable for display. Wildcards become "localhost".
+    """
+    if address in {"0.0.0.0", "::"}:  # noqa: S104
+        return "localhost"
+    return address
+
+
 def make_url_path_regex(
     *path: str,
     trailing_slash: Literal["optional", "required", "prohibited"] = "optional",

streamlit/web/server/starlette/starlette_app.py

@@ -140,7 +140,7 @@ def create_streamlit_middleware() -> list[Middleware]:
     """Create the Streamlit-internal middleware stack.
 
     This function creates the middleware required for Streamlit's core functionality
-    including session management and GZip compression.
+    including path security, session management, and GZip compression.
 
     Returns
     -------
@@ -153,9 +153,15 @@ def create_streamlit_middleware() -> list[Middleware]:
     from streamlit.web.server.starlette.starlette_gzip_middleware import (
         MediaAwareGZipMiddleware,
     )
+    from streamlit.web.server.starlette.starlette_path_security_middleware import (
+        PathSecurityMiddleware,
+    )
 
     middleware: list[Middleware] = []
 
+    # FIRST: Path security middleware to block dangerous paths before any other processing.
+    middleware.append(Middleware(PathSecurityMiddleware))
+
     # Add session middleware
     middleware.append(
         Middleware(

streamlit/web/server/starlette/starlette_auth_routes.py

@@ -12,19 +12,26 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# ruff: noqa: RUF029  # Async route handlers are idiomatic even without await
+
 """Starlette app authentication routes."""
 
 from __future__ import annotations
 
+import json
 import time
 from typing import TYPE_CHECKING, Any, Final, cast
-from urllib.parse import urlparse
 
 from streamlit.auth_util import (
+    build_logout_url,
     clear_cookie_and_chunks,
     decode_provider_token,
     generate_default_provider_section,
+    get_cookie_with_chunks,
+    get_origin_from_redirect_uri,
+    get_redirect_uri,
     get_secrets_auth_section,
+    get_validated_redirect_uri,
     set_cookie_with_chunks,
 )
 from streamlit.errors import StreamlitAuthError
@@ -139,7 +146,7 @@ def _looks_like_provider_section(value: dict[str, Any]) -> bool:
     return any(key in value for key in provider_keys)
 
 
-class _AuthlibConfig(dict[str, Any]):
+class _AuthlibConfig(dict[str, Any]):  # noqa: FURB189
     """Config adapter that exposes provider data via Authlib's flat lookup.
 
     Authlib expects a flat configuration dictionary (e.g. "GOOGLE_CLIENT_ID").
@@ -307,7 +314,7 @@ def _create_oauth_client(provider: str) -> tuple[Any, str]:
 
     auth_section = get_secrets_auth_section()
     if auth_section:
-        redirect_uri = auth_section.get("redirect_uri", "/")
+        redirect_uri = get_redirect_uri(auth_section) or "/"
         config = auth_section.to_dict()
     else:
         config = {}
@@ -385,20 +392,80 @@ def _get_provider_by_state(state_code_from_url: str | None) -> str | None:
 
 def _get_origin_from_secrets() -> str | None:
     """Extract the origin from the redirect URI in the secrets."""
+    return get_origin_from_redirect_uri()
 
-    redirect_uri = None
-    auth_section = get_secrets_auth_section()
-    if auth_section:
-        redirect_uri = auth_section.get("redirect_uri", None)
 
-    if not redirect_uri:
+def _get_cookie_value_from_request(request: Request, cookie_name: str) -> bytes | None:
+    """Get a signed cookie value from the request, handling chunked cookies."""
+
+    def get_single_cookie(name: str) -> bytes | None:
+        return _get_signed_cookie_from_request(request, name)
+
+    return get_cookie_with_chunks(get_single_cookie, cookie_name)
+
+
+def _get_provider_logout_url(request: Request) -> str | None:
+    """Get the OAuth provider's logout URL from OIDC metadata.
+
+    Returns the end_session_endpoint URL with proper parameters for OIDC logout,
+    or None if the provider doesn't support it or required data is unavailable.
+
+    This function returns None (rather than raising exceptions) to allow graceful
+    fallback to a simple base URL redirect when OIDC logout isn't possible.
+    """
+    cookie_value = _get_cookie_value_from_request(request, USER_COOKIE_NAME)
+
+    if not cookie_value:
         return None
 
-    redirect_uri_parsed = urlparse(redirect_uri)
-    origin_from_redirect_uri: str = (
-        redirect_uri_parsed.scheme + "://" + redirect_uri_parsed.netloc
-    )
-    return origin_from_redirect_uri
+    try:
+        user_info = json.loads(cookie_value)
+        provider = user_info.get("provider")
+        if not provider:
+            return None
+
+        client, _ = _create_oauth_client(provider)
+
+        # Load OIDC metadata - Authlib's Starlette client uses async methods
+        # but load_server_metadata is synchronous in both implementations
+        metadata = client.load_server_metadata()
+        end_session_endpoint = metadata.get("end_session_endpoint")
+
+        if not end_session_endpoint:
+            _LOGGER.info("No end_session_endpoint found for provider %s", provider)
+            return None
+
+        # Use redirect_uri (i.e. /oauth2callback) for post_logout_redirect_uri
+        # This is safer than redirecting to root as some providers seem to
+        # require URL to be in a whitelist - /oauth2callback should be whitelisted
+        redirect_uri = get_validated_redirect_uri()
+        if redirect_uri is None:
+            _LOGGER.info("Redirect url could not be determined")
+            return None
+
+        # Get id_token_hint from tokens cookie if available
+        id_token: str | None = None
+        tokens_cookie_value = _get_cookie_value_from_request(
+            request, TOKENS_COOKIE_NAME
+        )
+        if tokens_cookie_value:
+            try:
+                tokens = json.loads(tokens_cookie_value)
+                id_token = tokens.get("id_token")
+            except (json.JSONDecodeError, TypeError):
+                _LOGGER.exception("Error, invalid tokens cookie value.")
+                return None
+
+        return build_logout_url(
+            end_session_endpoint=end_session_endpoint,
+            client_id=client.client_id,
+            post_logout_redirect_uri=redirect_uri,
+            id_token=id_token,
+        )
+
+    except Exception as e:
+        _LOGGER.warning("Failed to get provider logout URL: %s", e)
+        return None
 
 
 async def _auth_login(request: Request, base_url: str) -> Response:
@@ -421,9 +488,20 @@ async def _auth_login(request: Request, base_url: str) -> Response:
 
 
 async def _auth_logout(request: Request, base_url: str) -> Response:
-    """Logout the user by clearing the auth cookie and redirecting to the base URL."""
+    """Logout the user by clearing the auth cookie and redirecting.
+
+    If the OAuth provider supports end_session_endpoint, redirects there for
+    proper OIDC logout. Otherwise, redirects to the base URL.
+    """
+    from starlette.responses import RedirectResponse
+
+    provider_logout_url = _get_provider_logout_url(request)
+
+    if provider_logout_url:
+        response = RedirectResponse(provider_logout_url, status_code=302)
+    else:
+        response = await _redirect_to_base(base_url)
 
-    response = await _redirect_to_base(base_url)
     _clear_auth_cookie(response, request)
     return response
 
@@ -471,7 +549,7 @@ async def _auth_callback(request: Request, base_url: str) -> Response:
 
     response = await _redirect_to_base(base_url)
 
-    cookie_value = dict(user, origin=origin, is_logged_in=True)
+    cookie_value = dict(user, origin=origin, is_logged_in=True, provider=provider)
     tokens = {k: token[k] for k in ["id_token", "access_token"] if k in token}
     if user:
         await _set_auth_cookie(response, cookie_value, tokens)

streamlit/web/server/starlette/starlette_path_security_middleware.py

@@ -0,0 +1,97 @@
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2026)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Path security middleware for blocking unsafe path patterns.
+
+This middleware implements the "Swiss Cheese" defense model - it provides
+an additional layer of protection that catches dangerous path patterns even
+if individual route handlers forget to validate paths. This is especially
+important for preventing SSRF attacks via Windows UNC paths.
+
+Defense Layers
+--------------
+Layer 1 (this middleware): Catch-all for any route, including future routes
+Layer 2 (route handlers): Defense-in-depth via build_safe_abspath() and
+                          explicit is_unsafe_path_pattern() checks
+
+Each layer has potential "holes" (ways it could fail):
+- Middleware: Could be accidentally removed, misconfigured, or bypassed
+- Route handlers: Developer could forget to add checks to new routes
+
+By keeping both layers, an attack only succeeds if BOTH fail simultaneously.
+
+See Also
+--------
+streamlit.path_security : Core path validation functions used by this middleware
+"""
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+from starlette.responses import Response
+
+from streamlit.path_security import is_unsafe_path_pattern
+
+if TYPE_CHECKING:
+    from starlette.types import ASGIApp, Receive, Scope, Send
+
+
+class PathSecurityMiddleware:
+    """ASGI middleware that blocks requests with unsafe path patterns.
+
+    Implements Swiss Cheese defense - catches dangerous patterns even if
+    route handlers forget to validate paths. This prevents SSRF attacks
+    via Windows UNC paths and other path traversal vulnerabilities.
+
+    Parameters
+    ----------
+    app
+        The ASGI application to wrap.
+    """
+
+    def __init__(self, app: ASGIApp) -> None:
+        self.app = app
+
+    async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
+        """Process incoming requests and block unsafe paths.
+
+        Only validates HTTP requests; WebSocket and lifespan scopes are
+        passed through without validation since they don't serve file content.
+        """
+        # Only validate HTTP requests (skip WebSocket, lifespan)
+        if scope["type"] != "http":
+            await self.app(scope, receive, send)
+            return
+
+        path = scope.get("path", "")
+
+        # SECURITY: Check for double-slash patterns BEFORE stripping slashes.
+        # UNC paths like "//server/share" would be normalized to "server/share"
+        # by lstrip("/"), making them look safe. We must reject these early.
+        if path.startswith(("//", "\\\\")):
+            response = Response(content="Bad Request", status_code=400)
+            await response(scope, receive, send)
+            return
+
+        # Strip leading slash to get the relative path for validation
+        relative_path = path.lstrip("/")
+
+        # Check if the path contains unsafe patterns
+        if relative_path and is_unsafe_path_pattern(relative_path):
+            response = Response(content="Bad Request", status_code=400)
+            await response(scope, receive, send)
+            return
+
+        await self.app(scope, receive, send)

streamlit/web/server/starlette/starlette_routes.py

@@ -12,6 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# ruff: noqa: RUF029  # Async route handlers are idiomatic even without await
+
 """Route handlers for the Starlette server."""
 
 from __future__ import annotations
@@ -341,9 +343,7 @@ def create_metrics_routes(runtime: Runtime, base_url: str | None) -> list[BaseRo
 
     async def _metrics_endpoint(request: Request) -> Response:
         requested_families = request.query_params.getlist("families")
-        stats = runtime.stats_mgr.get_stats(
-            family_names=requested_families if requested_families else None
-        )
+        stats = runtime.stats_mgr.get_stats(family_names=requested_families or None)
         accept = request.headers.get("Accept", "")
         if "application/x-protobuf" in accept:
             payload = StatsRequestHandler._stats_to_proto(stats).SerializeToString()
@@ -701,7 +701,8 @@ def create_component_routes(
         # Use build_safe_abspath to properly resolve symlinks and prevent traversal
         abspath = build_safe_abspath(component_root, filename)
         if abspath is None:
-            raise HTTPException(status_code=403, detail="Forbidden")
+            # Return 400 for malicious paths (consistent with middleware behavior)
+            raise HTTPException(status_code=400, detail="Bad Request")
 
         try:
             async with await anyio.open_file(abspath, "rb") as file:
@@ -743,6 +744,7 @@ def create_bidi_component_routes(
 ) -> list[BaseRoute]:
     """Create bidirectional component route handlers."""
     import anyio
+    from anyio import Path as AsyncPath
     from starlette.responses import PlainTextResponse, Response
     from starlette.routing import Route
 
@@ -771,9 +773,10 @@ def create_bidi_component_routes(
 
         abspath = build_safe_abspath(component_root, filename)
         if abspath is None:
-            return await _text_response("forbidden", 403)
+            # Return 400 for unsafe paths (matches Tornado behavior for opacity)
+            return await _text_response("Bad Request", 400)
 
-        if os.path.isdir(abspath):
+        if await AsyncPath(abspath).is_dir():
             return await _text_response("not found", 404)
 
         try:
@@ -819,6 +822,7 @@ def create_app_static_serving_routes(
     main_script_path: str | None, base_url: str | None
 ) -> list[BaseRoute]:
     """Create app static serving file route handlers."""
+    from anyio import Path as AsyncPath
     from starlette.exceptions import HTTPException
     from starlette.responses import FileResponse, Response
     from starlette.routing import Route
@@ -836,12 +840,15 @@ def create_app_static_serving_routes(
         relative_path = request.path_params.get("path", "")
         safe_path = build_safe_abspath(app_static_root, relative_path)
         if safe_path is None:
-            raise HTTPException(status_code=404, detail="File not found")
+            # Return 400 for malicious paths (consistent with middleware behavior)
+            raise HTTPException(status_code=400, detail="Bad Request")
 
-        if not os.path.exists(safe_path) or os.path.isdir(safe_path):
+        async_path = AsyncPath(safe_path)
+        if not await async_path.exists() or await async_path.is_dir():
             raise HTTPException(status_code=404, detail="File not found")
 
-        if os.path.getsize(safe_path) > MAX_APP_STATIC_FILE_SIZE:
+        file_stat = await async_path.stat()
+        if file_stat.st_size > MAX_APP_STATIC_FILE_SIZE:
             raise HTTPException(
                 status_code=404,
                 detail="File is too large",

streamlit/web/server/starlette/starlette_server.py

@@ -288,7 +288,7 @@ class UvicornServer:
                 last_exception = exc
                 # EADDRINUSE: port in use by another process
                 # EACCES: port reserved by system (common on Windows, see #13521)
-                if exc.errno in (errno.EADDRINUSE, errno.EACCES):
+                if exc.errno in {errno.EADDRINUSE, errno.EACCES}:
                     if _is_port_manually_set():
                         _LOGGER.error("Port %s is not available", port)  # noqa: TRY400
                         sys.exit(1)
@@ -476,7 +476,7 @@ class UvicornRunner:
             except OSError as exc:
                 # EADDRINUSE: port in use by another process
                 # EACCES: port reserved by system (common on Windows)
-                if exc.errno in (errno.EADDRINUSE, errno.EACCES):
+                if exc.errno in {errno.EADDRINUSE, errno.EACCES}:
                     if _is_port_manually_set():
                         _LOGGER.error("Port %s is not available", port)  # noqa: TRY400
                         sys.exit(1)