Commit a677c61

[SVMB-1301] Upgrade protobuf (#218)
### Why

#### Summary

Any project that uses the Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of [SGROUP](https://protobuf.dev/programming-guides/encoding/#groups) tags can be corrupted by exceeding the Python recursion limit.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team [[email protected]](mailto:[email protected])

Affected versions: This issue only affects the [pure-Python implementation](https://github.com/protocolbuffers/protobuf/tree/main/python#implementation-backends) of the protobuf-python backend. This is the implementation used when the PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python environment variable is set, or the default when protobuf is used from Bazel or pure-Python PyPI wheels. CPython PyPI wheels do not use pure-Python by default.

This is a Python variant of a [previous issue affecting protobuf-java](GHSA-735f-pc8j-v9w8).

#### Severity

This is a potential Denial of Service. Parsing nested protobuf data creates unbounded recursions that can be abused by an attacker.

#### Proof of Concept

For reproduction details, please refer to the unit tests [decoder_test.py](https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/decoder_test.py#L87-L98) and [message_test](https://github.com/protocolbuffers/protobuf/blob/main/python/google/protobuf/internal/message_test.py#L1436-L1478).

#### Suggested Remediation and Mitigation

A mitigation is available now. Please update to the latest available versions of the following packages:

* protobuf-python (4.25.8, 5.29.5, 6.31.1)

### How

* Upgrade protobuf from `v3.x` to a newer version that includes the security patch, i.e. `>=5.29.5`
* Don't use protobuf `v4.x` because it already reached end of support on 31 Mar 2025, as per the [official documentation](https://protobuf.dev/support/version-support/)
* Implement the breaking-change fix for the JSON formatter option `including_default_value_fields`, as per [Changes announced February 5, 2024](https://protobuf.dev/news/2024-02-05/)

### Note

* Newer Python protobuf versions (i.e. `v4.x`, `v5.x` and `v6.x`) maintain backward compatibility with proto files generated by `v3.x`
* Protobuf `v4.x` dropped support for Python `2.7` and Python <= `3.7`
  * This is not an issue because `clarifai-python-grpc` already requires Python >= `3.8`
* Protobuf `v6.x` dropped support for Python `3.8`
  * This is not an issue because clients running on Python `3.8` will use the `5.29.5` protobuf version, while clients on Python >= `3.9` will use the latest protobuf version available, which at the time of writing is `6.31.1`
1 parent 5706f91 commit a677c61

3 files changed

+6
-5
lines changed

clarifai_grpc/channel/custom_converters/custom_message_to_dict.py

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -24,15 +24,16 @@ def protobuf_to_dict(object_protobuf, use_integers_for_enums=True, ignore_show_e
2424
class _CustomPrinter(_Printer):
2525
def __init__(
2626
self,
27+
*,
2728
including_default_value_fields,
2829
preserving_proto_field_name,
2930
use_integers_for_enums,
3031
ignore_show_empty,
3132
):
3233
super(_CustomPrinter, self).__init__(
33-
including_default_value_fields,
34-
preserving_proto_field_name,
35-
use_integers_for_enums,
34+
always_print_fields_with_no_presence=including_default_value_fields,
35+
preserving_proto_field_name=preserving_proto_field_name,
36+
use_integers_for_enums=use_integers_for_enums,
3637
)
3738
self._ignore_show_empty = ignore_show_empty
3839
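Review bot: the keyword-only `*` added to `_CustomPrinter.__init__` makes positional construction raise `TypeError`, but the hunk does not show the call site inside `protobuf_to_dict` (the function named in the `@@` header); confirm that it instantiates `_CustomPrinter` with keyword arguments before merging. Separately, the outer parameter keeps its old name `including_default_value_fields` while it is now forwarded as `always_print_fields_with_no_presence=including_default_value_fields`; the commit message itself calls this a breaking change to the JSON output, so a one-line comment next to that argument (or a rename of the parameter) would stop the next reader from assuming the `v3.x` output format is preserved unchanged.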

requirements.txt

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
11
googleapis-common-protos>=1.57.0
22
grpcio>=1.53.2 ; python_version<'3.13'
33
grpcio>=1.68.0 ; python_version>='3.13'
4-
protobuf==3.20.3
4+
protobuf>=5.29.5
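Review bot: `protobuf>=5.29.5` has no upper bound, so it also satisfies 6.0.0 through 6.31.0, none of which appear in the commit message's own list of fixed releases (4.25.8, 5.29.5, 6.31.1); a resolver that does not pick the newest release (a constraints file, a cached wheel, a downstream pin) can therefore still install an unpatched 6.x. Mirror the two `grpcio` lines above and split on the interpreter version, e.g. `protobuf>=5.29.5,<6 ; python_version<'3.9'` and `protobuf>=6.31.1 ; python_version>='3.9'`, which also encodes the 5.x-on-3.8 / 6.x-on-3.9+ behaviour the commit message describes instead of leaving it to whatever pip happens to resolve.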

setup.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@
3535
install_requires=[
3636
"grpcio>=1.53.2 ; python_version < '3.13'",
3737
"grpcio>=1.68.0 ; python_version >= '3.13'",
38-
"protobuf>=3.20.3",
38+
"protobuf>=5.29.5",
3939
"googleapis-common-protos>=1.57.0",
4040
],
4141
package_data={p: ["*.pyi"] for p in packages},
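Review bot: `"protobuf>=5.29.5"` in `install_requires` is the constraint every downstream installer of this package receives, and it admits 6.0.0 through 6.31.0 with no floor of 6.31.1, so consumers on Python 3.9+ are not guaranteed the patched 6.x release the commit message says they will get. Suggest `"protobuf>=5.29.5,<6 ; python_version < '3.9'"` and `"protobuf>=6.31.1 ; python_version >= '3.9'"`, matching the marker style of the two `grpcio` entries just above; since requirements.txt and setup.py are edited in lockstep in this commit, a brief comment noting that the two lists must stay in sync would help the next upgrade.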
