Fix starlette vulnerability (#487)

Starlette v0.38.6 has a Denial of Service (DoS) vulnerability, which is
fixed in Starlette 0.40.0. This PR bumps Starlette to a version without
the vulnerability.

From a grype scan today:
```
{
  "vulnerability": {
    "id": "GHSA-f96h-pmfr-66vw",
    "dataSource": "GHSA-f96h-pmfr-66vw",
    "namespace": "github:language:python",
    "severity": "High",
    "urls": [
      "GHSA-f96h-pmfr-66vw"
    ],
    "description": "Starlette Denial of service (DoS) via multipart/form-data",
    "cvss": [
      {
        "version": "3.1",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
        "metrics": {
          "baseScore": 0,
          "exploitabilityScore": 3.9,
          "impactScore": 0
        },
        "vendorMetadata": {
          "base_severity": "None",
          "status": "N/A"
        }
      }
    ],
    "fix": {
      "versions": [
        "0.40.0"
      ],
      "state": "fixed"
    },
    "advisories": []
  },
  "relatedVulnerabilities": [
    {
      "id": "CVE-2024-47874",
      "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-47874",
      "namespace": "nvd:cpe",
      "severity": "Unknown",
      "urls": [
        "encode/starlette@fd038f3",
        "GHSA-f96h-pmfr-66vw"
      ],
      "description": "Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette. This Denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests. Verison 0.40.0 fixes this issue.",
      "cvss": []
    }
  ],
  "matchDetails": [
    {
      "type": "exact-direct-match",
      "matcher": "python-matcher",
      "searchedBy": {
        "language": "python",
        "namespace": "github:language:python",
        "package": {
          "name": "starlette",
          "version": "0.38.6"
        }
      },
      "found": {
        "versionConstraint": "<0.40.0 (python)",
        "vulnerabilityID": "GHSA-f96h-pmfr-66vw"
      }
    }
  ],
  "artifact": {
    "id": "1d7d075e0c1f6a8e",
    "name": "starlette",
    "version": "0.38.6",
    "type": "python",
    "locations": [
      {
        "path": "/home/notebook-user/.local/lib/python3.11/site-packages/starlette-0.38.6.dist-info/METADATA",
        "layerID": "sha256:fe25e383965257a8c296faf3194fc68bd7e91731ba22a8a6a319b4b5316108d2"
      },
      {
        "path": "/home/notebook-user/.local/lib/python3.11/site-packages/starlette-0.38.6.dist-info/RECORD",
        "layerID": "sha256:fe25e383965257a8c296faf3194fc68bd7e91731ba22a8a6a319b4b5316108d2"
      }
    ],
    "language": "python",
    "licenses": [
      "BSD-3-Clause"
    ],
    "cpes": [
      "cpe:2.3:a:encode:starlette:0.38.6:*:*:*:*:python:*:*"
    ],
    "purl": "pkg:pypi/[email protected]",
    "upstreams": []
  }
}

```

Fixes https://unstructured-ai.atlassian.net/browse/PRANCER-625

Author: six5532one

CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.0.83
+
+* Fix Starlette vulnerability
+
 ## 0.0.82
 
 * Patch various python CVEs

prepline_general/api/app.py

@@ -13,7 +13,7 @@
 app = FastAPI(
     title="Unstructured Pipeline API",
     summary="Partition documents with the Unstructured library",
-    version="0.0.82",
+    version="0.0.83",
     docs_url="/general/docs",
     openapi_url="/general/openapi.json",
     servers=[

prepline_general/api/general.py

@@ -602,7 +602,7 @@ def return_content_type(filename: str):
 
 
 @router.get("/general/v0/general", include_in_schema=False)
-@router.get("/general/v0.0.82/general", include_in_schema=False)
+@router.get("/general/v0.0.83/general", include_in_schema=False)
 async def handle_invalid_get_request():
     raise HTTPException(
         status_code=status.HTTP_405_METHOD_NOT_ALLOWED, detail="Only POST requests are supported."
@@ -617,7 +617,7 @@ async def handle_invalid_get_request():
     description="Description",
     operation_id="partition_parameters",
 )
-@router.post("/general/v0.0.82/general", include_in_schema=False)
+@router.post("/general/v0.0.83/general", include_in_schema=False)
 def general_partition(
     request: Request,
     # cannot use annotated type here because of a bug described here:
@@ -714,7 +714,7 @@ def response_generator(is_multipart: bool):
             )
 
     def join_responses(
-        responses: Sequence[str | List[Dict[str, Any]] | PlainTextResponse]
+        responses: Sequence[str | List[Dict[str, Any]] | PlainTextResponse],
     ) -> List[str | List[Dict[str, Any]]] | PlainTextResponse:
         """Consolidate partitionings from multiple documents into single response payload."""
         if form_params.output_format != "text/csv":

preprocessing-pipeline-family.yaml

@@ -1,2 +1,2 @@
 name: general
-version: 0.0.82
+version: 0.0.83

requirements/base.in

@@ -4,11 +4,7 @@ unstructured[all-docs]
 # can remove after black drops support for Python 3.6
 # ref: https://github.com/psf/black/issues/2964
 click==8.1.3
-# NOTE(robinson) - fastapi>=0.114.0 causes the test listed below to fail, though it
-# works if data if chunking strategy and new_after_n_chars are explicitly set. Pinning
-# for now to preserve behavior
-# test_parallel_mode_preserves_uniqueness_of_hashes_when_assembling_page_splits
-fastapi<0.114.0
+fastapi
 uvicorn
 ratelimit
 requests