security: force Accept-Encoding identity to mitigate urllib3 decompression bomb (CTO-4807)

tech-sushant · claude · tech-sushant · commit 15ec5f9a7dc4 · 2026-05-18T18:09:01.000+05:30
GHSA-mf9v-mfxr-j63j flags a decompression-bomb safeguard bypass in urllib3 < 2.7.0's streaming API. urllib3 2.7.0 requires Python >= 3.10 but the CI matrix still includes Python 3.9, so we cannot bump the pin. This patch installs a small monkey-patch on requests.adapters.HTTPAdapter that sets `Accept-Encoding: identity` on every outbound HTTP request. With no compressed responses ever arriving, urllib3's decompression code path is never exercised at runtime and the bug cannot trigger. - New module: EnigmaAutomation/security_mitigations.py - Imported once from EnigmaAutomation/__init__.py so it loads in every process (Django web, manage.py CLI, celery workers, pytest with DJANGO_SETTINGS_MODULE set). Note: SCA scanners detect by version, not behavior, so CTO-4807 will still flag urllib3==2.6.3. Requesting a risk-acceptance from security with this mitigation as justification, pending the Python upgrade that unblocks urllib3 2.7.0. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
diff --git a/EnigmaAutomation/__init__.py b/EnigmaAutomation/__init__.py
@@ -1,3 +1,4 @@
+from . import security_mitigations  # noqa: F401  applied at import time
 from .celery import app as celery_app
 
 __all__ = ("celery_app",)
diff --git a/EnigmaAutomation/security_mitigations.py b/EnigmaAutomation/security_mitigations.py
@@ -0,0 +1,35 @@
+"""
+Runtime security mitigations applied at process startup.
+
+Each mitigation here should reference the ticket / advisory it addresses
+and be removed once the underlying issue is properly resolved (typically
+by a dependency upgrade).
+"""
+
+import requests.adapters
+
+
+_original_send = requests.adapters.HTTPAdapter.send
+
+
+def _force_identity_encoding(self, request, *args, **kwargs):
+    """Mitigation for GHSA-mf9v-mfxr-j63j (CTO-4807).
+
+    urllib3 < 2.7.0 has a decompression-bomb safeguard bypass in parts of
+    its streaming API. urllib3 2.7.0 (the patched version) requires
+    Python >= 3.10, but this project's CI matrix still includes Python 3.9
+    so we cannot bump the pin.
+
+    Forcing Accept-Encoding: identity on every outbound HTTP request makes
+    servers return uncompressed bodies, so urllib3's decompression code
+    path is never exercised at runtime and the bug cannot trigger.
+
+    Remove this patch (and the import from EnigmaAutomation/__init__.py)
+    once the Python runtime is upgraded and urllib3 can be bumped to
+    >= 2.7.0.
+    """
+    request.headers["Accept-Encoding"] = "identity"
+    return _original_send(self, request, *args, **kwargs)
+
+
+requests.adapters.HTTPAdapter.send = _force_identity_encoding

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+from . import security_mitigations # noqa: F401 applied at import time`
`1`	`2`	`from .celery import app as celery_app`
`2`	`3`
`3`	`4`	`__all__ = ("celery_app",)`