Closed Bug 1457893 Opened 7 years ago Closed 7 years ago

BLRG-PT-18-008: stop accepting unicode input to fields that don't support it

Categories

(Release Engineering Graveyard :: Applications: Balrog (backend), defect, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bhearsum, Unassigned)

Details

(Keywords: sec-moderate, wsec-dos, Whiteboard: [2018audit])

Attachments

(1 file)

For example, if buildTarget gets a unicode character in its value with a request like:

PUT /api/rules/617 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/rules
Content-Type: application/json;charset=utf-8
Content-Length: 595
Cookie: ...
Connection: close

{"alias":null,"backgroundRate":100,"buildID":null,"buildTarget":"asbla\u00c1\u0081faseldasd","channel":"nightly-sysaddon","comment":null,"data_version":1,"distVersion":null,"distribution":null,"fallbackMapping":null,"headerArchitecture":null,"instructionSet":null,"jaws":null,"locale":null,"mapping":"SystemAddons-no-update","memory":null,"mig64":null,"osVersion":null,"priority":5000,"product":"SystemAddons","rule_id":617,"update_type":"minor","version":"<56.0","scheduled_change":null,"csrf_token":"IjJlMWQ3ODY4ZWE3OGM3Yzk0MDcxNmM5MDQ4OGI1YjVkZjQzYzFkMTIi.Daz1Zg.oUAX3cW78D-6ZrxASAhSzfQaYK0"}

Subsequent requests to /api/rules throw an Exception:

UnicodeDecodeError: 'utf8' codec can't decode byte 0xc1 in position 10: invalid start byte

We should stop accepting unicode input to fields that don't support it.
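One way to refuse such input at the API boundary, so it is answered with a 400 instead of being stored and breaking later reads. This is an added example, not code from the bug or from Balrog; the ASCII_ONLY_FIELDS set, the function names and the (status, payload) return shape are assumptions, and only buildTarget and username are named in this report.

```python
import json

# Assumption: which fields are ASCII-only. The bug names buildTarget and
# username; a real deployment would derive this set from its schema.
ASCII_ONLY_FIELDS = {"buildTarget", "username"}


def non_ascii_positions(value):
    """Return (index, codepoint) for every character outside ASCII."""
    return [(i, "U+%04X" % ord(ch)) for i, ch in enumerate(value)
            if ord(ch) > 0x7F]


def validate_body(raw_body, ascii_only=ASCII_ONLY_FIELDS):
    """Parse a JSON request body and collect per-field errors.

    Returns (status, payload): (200, parsed dict) when the body is acceptable,
    (400, {"errors": {...}}) otherwise, so bad input is refused at the API
    boundary instead of surfacing later as an unhandled exception.
    """
    try:
        body = json.loads(raw_body)
    except ValueError as exc:  # JSONDecodeError and UnicodeDecodeError
        return 400, {"errors": {"_body": "invalid JSON: %s" % exc}}
    if not isinstance(body, dict):
        return 400, {"errors": {"_body": "expected a JSON object"}}

    errors = {}
    for field in sorted(ascii_only & body.keys()):
        value = body[field]
        if value is None:  # null means "not set", as in the sample request
            continue
        if not isinstance(value, str):
            errors[field] = "expected a string"
            continue
        bad = non_ascii_positions(value)
        if bad:
            errors[field] = "non-ASCII characters at %s" % bad
    return (400, {"errors": errors}) if errors else (200, body)


# Constructed sample bodies; the bad buildTarget value is the one from the report.
BAD = '{"buildTarget": "asbla\\u00c1\\u0081faseldasd", "channel": "nightly-sysaddon"}'
GOOD = '{"buildTarget": "Linux_x86_64-gcc3", "channel": "nightly-sysaddon"}'

if __name__ == "__main__":
    print(validate_body(BAD))
    print(validate_body(GOOD))
```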
Whiteboard: [2018audit]
Blocks: 1468525
Blocks: 1468528
No longer blocks: 1468525
Summary: stop accepting unicode input to fields that don't support it → BLRG-PT-18-008: stop accepting unicode input to fields that don't support it
I started putting together a fix for this in https://github.com/mozilla/balrog/compare/master...mozbhearsum:bad-unicode-bad?expand=1

It's working for the most part, except certain fields don't report errors properly (for reasons I don't quite understand). For example, if you enter unicode into the "username" field when adding a new permission, we end up with an ISE 500.
Attachment #8985666 - Flags: review?(nthomas)
Commit pushed to master at https://github.com/mozilla/balrog https://github.com/mozilla/balrog/commit/9a408f437a102827ae420b680ff2f1bc7eb7a889 bug 1457893: stop accepting unicode input to fields that don't support it (#634)
Attachment #8985666 - Flags: review?(nthomas) → review+
No longer blocks: 1476956
This is in production now.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Product: Release Engineering → Release Engineering Graveyard