Disable multipart uploads by default

[DoctorJohn]

Description

This PR disables support for the GraphQL multipart request spec (i.e, multipart uploads) by default and adjusts the Django view to no longer be implicitly exempted from Django's built-in CSRF protection.

These are breaking changes for those using multipart uploads AND/OR the Django view integration.

Types of Changes

• Core
• Bugfix
• New feature
• Enhancement/optimization
• Documentation

Summary by Sourcery

Disable multipart uploads by default and remove implicit CSRF exemption for Django views, requiring users to opt-in for these features. Update documentation and tests to reflect these changes and add release notes for the breaking changes.

Enhancements:

• Disable multipart uploads by default, requiring explicit enabling through a new configuration option.
• Remove implicit CSRF exemption for Django views, requiring users to manually apply CSRF exemptions if needed.

Documentation:

• Update documentation to reflect changes in multipart upload configuration and CSRF protection for Django views.
• Add a new section in the breaking changes documentation detailing the changes in multipart uploads and CSRF protection.

Tests:

• Modify tests to accommodate the new default behavior of multipart uploads being disabled, including adding tests for the disabled state.

Chores:

• Add a new release note detailing the breaking changes introduced in this version.

[sourcery-ai]

Reviewer's Guide by Sourcery

This pull request disables multipart uploads by default and adjusts the Django view to no longer be implicitly exempted from Django's built-in CSRF protection. These changes are aimed at improving security by making users explicitly opt-in to features that may have security implications.

File-Level Changes

Change	Details	Files
Disabled multipart uploads by default	Added a new 'multipart_uploads_enabled' parameter to various view classes and functions, defaulting to False Modified HTTP body parsing logic to check for 'multipart_uploads_enabled' before processing multipart form data Updated documentation for all integrations to mention the new 'multipart_uploads_enabled' option	strawberry/http/async_base_view.py strawberry/http/sync_base_view.py strawberry/django/views.py strawberry/aiohttp/views.py strawberry/asgi/__init__.py strawberry/channels/handlers/http_handler.py strawberry/fastapi/router.py strawberry/flask/views.py strawberry/quart/views.py strawberry/sanic/views.py strawberry/litestar/controller.py docs/integrations/django.md docs/integrations/sanic.md docs/integrations/aiohttp.md docs/integrations/asgi.md docs/integrations/flask.md docs/integrations/quart.md docs/integrations/channels.md docs/integrations/fastapi.md docs/integrations/litestar.md
Removed implicit CSRF exemption from Django view	Removed @method_decorator(csrf_exempt) from Django view dispatch methods Updated Django integration documentation to show how to manually apply csrf_exempt if needed	strawberry/django/views.py docs/integrations/django.md
Updated tests to accommodate new multipart upload behavior	Added 'multipart_uploads_enabled' parameter to test client initializations Modified upload tests to use enabled HTTP clients	tests/http/test_upload.py tests/http/clients/channels.py tests/http/clients/django.py tests/http/clients/aiohttp.py tests/http/clients/asgi.py tests/http/clients/async_flask.py tests/http/clients/fastapi.py tests/http/clients/flask.py tests/http/clients/litestar.py tests/http/clients/quart.py tests/http/clients/sanic.py tests/http/clients/async_django.py tests/http/clients/base.py tests/http/clients/chalice.py
Added documentation for breaking changes	Created a new breaking changes document for version 0.243.0 Updated the main breaking changes list to include the new version	docs/breaking-changes/0.243.0.md docs/breaking-changes.md
Added release notes	Created RELEASE.md file with information about the breaking changes and migration guides	RELEASE.md

Sequence Diagram

sequenceDiagram
    participant C as Client
    participant V as Strawberry View
    participant H as HTTP Handler
    C->>V: HTTP Request
    V->>H: Parse HTTP Body
    alt multipart_uploads_enabled is True
        H->>H: Process Multipart Data
    else multipart_uploads_enabled is False
        H->>H: Reject Multipart Data
    end
    H->>V: Parsed Data
    V->>C: HTTP Response

Loading

---

Tips

• Trigger a new Sourcery review by commenting @sourcery-ai review on the pull request.
• Continue your discussion with Sourcery by replying directly to review comments.
• You can change your review settings at any time by accessing your dashboard:
  • Enable or disable the Sourcery-generated pull request summary or reviewer's guide;
  • Change the review language;
• You can always contact us if you have any questions or feedback.

[botberry]

Thanks for adding the RELEASE.md file!

Here's a preview of the changelog:

---

Starting with this release, multipart uploads are disabled by default and Strawberry Django view is no longer implicitly exempted from Django's CSRF protection.
Both changes relieve users from implicit security implications inherited from the GraphQL multipart request specification which was enabled in Strawberry by default.

These are breaking changes if you are using multipart uploads OR the Strawberry Django view.
Migrations guides including further information are available on the Strawberry website.

Here's the tweet text:

🆕 Release (next) is out! Thanks to @NucleonJohn 👏

We've made some important security changes regarding file uploads and CSRF in
Django.

Check out our migration guides if you're using multipart or Django view.

👇 https://strawberry.rocks/release/(next)

[sourcery-ai]

Hey @DoctorJohn - I've reviewed your changes and they look great!

Here's what I looked at during the review

• 🟡 General issues: 1 issue found
• 🟡 Security: 1 issue found
• 🟡 Testing: 2 issues found
• 🟢 Complexity: all looks good
• 🟢 Documentation: all looks good

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment to tell me if it was helpful.}

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 96.76%. Comparing base (18f0f5d) to head (f5d9b0b).
Report is 1 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #3645       +/-   ##
===========================================
+ Coverage   72.55%   96.76%   +24.21%     
===========================================
  Files         518      522        +4     
  Lines       32647    33824     +1177     
  Branches     3772     5635     +1863     
===========================================
+ Hits        23687    32731     +9044     
+ Misses       8532      863     -7669     
+ Partials      428      230      -198     

[codspeed-hq]

CodSpeed Performance Report

Merging #3645 will not alter performance

_{Comparing DoctorJohn:disable-multipart-uploads-by-default (f5d9b0b) with main (18f0f5d)}

Summary

✅ 15 untouched benchmarks

[patrick91]