Open
Bug 1369468
Opened 7 years ago
Updated 4 years ago
Don't allow suspicious HTTP requests to go through
Categories: Cloud Services :: Operations: AMO (task)
Tracking: Not tracked
Status: NEW
People: Reporter: mat; Assigned: wezhou
Details
We've seen several instances of weird HTTP requests in the logs over time. Recently, that one was caught in the logs:

1496338081.111 502 /ga-IE/firefox/tag/.pdf?atype=9&cat=unexisting/../../../../../../../../../../windows/win.ini.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5<snip>\x5C.\x5C&from=/he/firefox/tag/.pdf%3ffrom=/en-US/firefox/tag/.pdf&lang=bg&page=16&sort=created

We should ban such requests entirely, they are never going to be legitimate. From that one we can enact 3 different rules:

- Requests with a super long URL, say more than 2048 characters, should not be allowed. (That one has 6363 characters total)
- Requests with more than 5 instances of "../" should not be allowed
- Requests with more than 5 instances of "\" (\x5C) should not be allowed

For those denied requests an appropriate error code should be returned instead of letting the request go through the app.

I've just picked the limits arbitrarily, feel free to disagree :)
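A small filter implementing the three proposed rules, written here as an added example (it is not AMO's code and not part of this bug) and run over a constructed, shortened copy of the quoted request. It also counts percent-encoded "../", which goes beyond the bug's literal rules, and the log-escape handling in check_log_line is an assumption based only on the quoted log line.

```python
from __future__ import annotations
from urllib.parse import unquote

# Thresholds exactly as proposed in the bug description (the reporter picked
# them arbitrarily; tune them against real traffic before enforcing).
MAX_URL_LENGTH = 2048
MAX_DOTDOT_SLASH = 5
MAX_BACKSLASHES = 5


def suspicious_request_rules(path_and_query: str) -> list[str]:
    """Return the names of the proposed rules that a request path violates.

    Counts are taken on both the raw string and its percent-decoded form, so an
    encoded "..%2F" counts like "../" (an extension of the bug's literal rules).
    """
    decoded = unquote(path_and_query)
    violated: list[str] = []
    if len(path_and_query) > MAX_URL_LENGTH:
        violated.append("url_too_long")
    if max(path_and_query.count("../"), decoded.count("../")) > MAX_DOTDOT_SLASH:
        violated.append("too_many_dotdot")
    if max(path_and_query.count("\\"), decoded.count("\\")) > MAX_BACKSLASHES:
        violated.append("too_many_backslashes")
    return violated


def check_log_line(line: str) -> tuple[str, list[str]]:
    """Parse one "<timestamp> <status> <path>" line like the one quoted in the
    bug. The log writes a literal backslash as "\\x5C"; that is undone here
    (an assumption about the log format, based only on the quoted line)."""
    _ts, status, path = line.split(" ", 2)
    return status, suspicious_request_rules(path.replace("\\x5C", "\\"))


# Constructed sample input: a shortened version of the quoted request
# (10 traversal steps and 40 backslash-dot pairs) plus a benign AMO-style URL.
SAMPLE_PATH = (
    "/ga-IE/firefox/tag/.pdf?atype=9&cat=unexisting/" + "../" * 10
    + "windows/win.ini." + "\\." * 40 + "&from=/he/firefox/tag/.pdf&lang=bg"
)
SAMPLE_LOG_LINE = "1496338081.111 502 " + SAMPLE_PATH.replace("\\", "\\x5C")
BENIGN_PATH = "/en-US/firefox/addon/example-addon/?src=search"

if __name__ == "__main__":
    for path in (BENIGN_PATH, SAMPLE_PATH):
        print(suspicious_request_rules(path) or "allowed", path[:60])
    print(check_log_line(SAMPLE_LOG_LINE))
```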
Comment 1 • 4 years ago
Julien, is this something the fraud-detection pipeline could do even before such requests reach the AMO app?
Flags: needinfo?(jvehent)
Comment 2 • 4 years ago
The fraud pipeline acts on logs submitted by the app, so by definition it'll happen after the app has received the request. We could look into using the AWS WAF for this purpose if this becomes a bigger issue, but there's cost associated with it.
Flags: needinfo?(jvehent)