Open Bug 1369468 Opened 7 years ago Updated 4 years ago

Don't allow suspicious HTTP requests to go through

Categories

(Cloud Services :: Operations: AMO, task)

task
Not set
normal

Tracking

(Not tracked)

People

(Reporter: mat, Assigned: wezhou)

Details

We've seen several instances of weird HTTP requests in the logs over time. Recently, that one was caught in the logs:

1496338081.111 502 /ga-IE/firefox/tag/.pdf?atype=9&cat=unexisting/../../../../../../../../../../windows/win.ini.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5<snip>\x5C.\x5C&from=/he/firefox/tag/.pdf%3ffrom=/en-US/firefox/tag/.pdf&lang=bg&page=16&sort=created


We should ban such requests entirely; they are never going to be legitimate. From that one we can enact 3 different rules:
- Requests with a super long URL, say more than 2048 characters, should not be allowed. (That one has 6363 characters total)
- Requests with more than 5 instances of "../" should not be allowed
- Requests with more than 5 instances of "\" (\x5C) should not be allowed

For those denied requests an appropriate error code should be returned instead of letting the request go through the app.

I've just picked the limits arbitrarily, feel free to disagree :)
Assignee: nobody → wezhou
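The three rules above as a request filter, written here as an added example in Python (AMO is a Django app) and not code from the project. It assumes the logger renders a literal backslash as `\x5C`, as the quoted line does, and also counts on the percent-decoded target so that encoded variants such as `%2e%2e%2f` or `%5c` do not slip under the thresholds.

```python
"""Added example: the three rules proposed in the report, not AMO's own code.

Counts are taken on both the raw request target and its percent-decoded
form, because "../" can arrive as "%2e%2e%2f" and a backslash as "%5c".
"""
from typing import Optional
from urllib.parse import unquote

MAX_URL_LENGTH = 2048   # limit proposed in the report
MAX_DOTDOT = 5          # more than this many "../" is rejected
MAX_BACKSLASH = 5       # more than this many backslashes is rejected


def _count(needle: str, target: str) -> int:
    # Max over raw and decoded so percent-encoding cannot hide occurrences.
    return max(target.count(needle), unquote(target).count(needle))


def suspicious_reason(target: str) -> Optional[str]:
    """Return the rule a request target (path + query) violates, else None."""
    if len(target) > MAX_URL_LENGTH:
        return "url-too-long"
    if _count("../", target) > MAX_DOTDOT:
        return "too-many-dotdot"
    if _count("\\", target) > MAX_BACKSLASH:
        return "too-many-backslashes"
    return None


def flag_log_lines(lines):
    """Apply the rules to log lines of the form "<ts> <status> <target>".

    Assumption: the logger writes a literal backslash as the four
    characters "\\x5C" (as in the report), so that escape is undone first.
    Returns (timestamp, reason) for every flagged line.
    """
    flagged = []
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # malformed line, nothing to check
        target = parts[2].replace("\\x5C", "\\")
        reason = suspicious_reason(target)
        if reason:
            flagged.append((parts[0], reason))
    return flagged


# Constructed sample lines modelled on the report's log entry, shortened.
SAMPLE_LOG = [
    "1496338081.111 502 /ga-IE/firefox/tag/.pdf?cat=x" + "/.." * 10
    + "/windows/win.ini" + ".\\x5C" * 8 + "&lang=bg",
    "1496338082.000 200 /en-US/firefox/addon/ublock-origin/?src=search",
    "1496338083.000 404 /en-US/firefox/?q=" + "%5c" * 6,
]
```

Note that a request tripping several rules reports only the first one checked; the real 6363-character request would be rejected by the length rule before the traversal counts are even looked at.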

Julien, is this something the fraud-detection pipeline could do even before such requests reach the AMO app?

Flags: needinfo?(jvehent)

The fraud pipeline acts on logs submitted by the app, so by definition it'll happen after the app has received the request. We could look into using the AWS WAF for this purpose if this becomes a bigger issue, but there's a cost associated with it.

Flags: needinfo?(jvehent)