I am using gql to run a query against a GraphQL API. I get this error:
      File "<path to poetry venv>/lib/python3.10/site-packages/aiohttp/http_writer.py", line 129, in write_headers
        buf = _serialize_headers(status_line, headers)
      File "aiohttp/_http_writer.pyx", line 132, in aiohttp._http_writer._serialize_headers
      File "aiohttp/_http_writer.pyx", line 116, in aiohttp._http_writer._safe_header
    ValueError: Newline or carriage return character detected in HTTP status message or header. This is a potential security issue.
From looking at this SO answer and this GitHub issue, I get a rough idea of the general problem.
However, I don’t even set any headers myself, I just run something like
    from gql import Client as gql_client, gql

    expr_ = '''mutation myMutation($var: Type) {
      nameOfMyGraphQLMutation(var: $var) {
        ... (fields to return) ...
      }
    }'''
    expr = gql(expr_)
    client = gql_client(...)
    client.execute(expr, ...)
and from the looks of it, gql seems to make use of aiohttp internally.
I tried to hack the aiohttp Python code in my venv to display the problematic headers to get an idea of what the root cause might be, but AFAICT, there is compiled code at play there (files like e.g. _http_writer.cpython-310-darwin.so), so local changes won’t be picked up.
Also, from looking at Google, I seem to be the only dev with this issue (which typically is a sign that I myself am the root cause…)
Does anyone have an idea how to fix this?
1 Answer
Yet another case where the answer becomes obvious as soon as you ask the question properly.
aiohttp Python code indeed seems not straightforward to hack, but gql code is: print the headers before gql passes them to aiohttp – and indeed, the API key header has a trailing newline (because I load it from a local file (for development) / fetch it from AWS Secrets Manager (for production) – and don’t strip() newlines).
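
The check described in the answer can be done without printing the secret itself. The following is an added example, not code from the original post or from gql/aiohttp: it strips the trailing newline when the key is loaded, rejects a CR/LF embedded inside the value, and reports only the header name and the offset of the offending character. The header name `x-api-key`, the sample key and the function names `load_api_key` and `find_bad_headers` are assumptions made for illustration.

```python
import re

_CRLF = re.compile(r"[\r\n]")

def load_api_key(raw: str) -> str:
    """Normalize a secret read from a file or a secrets store.

    Surrounding whitespace (the usual trailing newline) is stripped; a CR/LF
    left inside the value is rejected rather than silently removed.
    """
    key = raw.strip()
    if not key:
        raise ValueError("API key is empty after stripping whitespace")
    if _CRLF.search(key):
        raise ValueError("API key contains an embedded CR or LF")
    return key

def find_bad_headers(headers):
    """Return (header name, 'name' or 'value', offset, length) for each header
    part containing CR or LF. The value itself is never returned, so the
    result is safe to log."""
    findings = []
    for name, value in headers.items():
        for part, text in (("name", name), ("value", str(value))):
            match = _CRLF.search(text)
            if match:
                findings.append((name, part, match.start(), len(text)))
    return findings

if __name__ == "__main__":
    raw_secret = "constructed-key-123\n"  # constructed sample, as read from a file
    broken = {"x-api-key": raw_secret, "Accept": "application/json"}  # assumed header name
    fixed = {**broken, "x-api-key": load_api_key(raw_secret)}
    for label, hdrs in (("before", broken), ("after", fixed)):
        print(label, [(repr(n), p, off, ln) for n, p, off, ln in find_bad_headers(hdrs)])
```

Running `find_bad_headers` on the headers dict just before it is handed to the gql transport points at the offending header without writing the key to logs.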