Closed Bug 899237 Opened 11 years ago Closed 11 years ago

report_index is relying on raw crash's `InstallTime` being a safe integer to cast

Categories

(Socorro :: Webapp, task)

x86
macOS
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: peterbe, Assigned: peterbe)

Details

(Whiteboard: [qa-])

No trusting the client evar :)
Pretty sure this is my fault, without looking at blame I remember working on this :(

I wonder if we could push input validation somewhere common, maybe the model? RawCrash is literally just the HTTP POST params other than the binary dump file, so it could contain anything at all.

I don't *think* the way we're handling it could cause any security issues, but there is a subset of required fields that make a crash invalid if they don't exist and appear in an expected format, InstallTime being one of them.
The business logic is that it attempts to transform `InstallTime` to `install_time` IF the field *exists*. We should simply extend that to if the field exists and *is valid*.
Assignee: nobody → peterbe
Status: NEW → ASSIGNED
(In reply to Peter Bengtsson [:peterbe] from comment #3)
> The business logic is that it attempts to transform `InstallTime` to
> `install_time` IF the field *exists*. We should simply extend that to if the
> field exists and *is valid*.

Sounds good. The same should go for any of the subset of required fields in RawCrash which is why I suggested centralizing it.
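
One way to apply the "exists and *is valid*" rule discussed above, written as an added example (not Socorro's code and not the committed fix). It assumes `InstallTime` is meant to be a Unix timestamp in seconds and that the raw crash is dict-like; the helper names `parse_epoch_seconds`, `install_time`, `summarize` and the `MAX_EPOCH` bound are hypothetical.

```python
import re
from datetime import datetime, timezone

# Strict ASCII decimal: no sign, whitespace, "_" separators or Unicode digits,
# all of which a bare int() either accepts silently or rejects with ValueError.
ASCII_DIGITS = re.compile(r"[0-9]{1,10}")
MAX_EPOCH = 2**32 - 1  # assumed sanity bound for a seconds-since-epoch value


def parse_epoch_seconds(value):
    """Return value as int epoch seconds, or None if it is not a clean timestamp."""
    if not isinstance(value, str) or not ASCII_DIGITS.fullmatch(value):
        return None
    seconds = int(value)
    return seconds if seconds <= MAX_EPOCH else None


def install_time(raw_crash):
    """Transform InstallTime to install_time only if it exists AND is valid."""
    seconds = parse_epoch_seconds(raw_crash.get("InstallTime"))
    if seconds is None:
        return None
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def summarize(raw_crashes):
    """Map each sample's raw value to the parsed result (or None)."""
    return [(rc.get("InstallTime"), install_time(rc)) for rc in raw_crashes]


# Constructed raw crashes (not real submissions): POST params can hold anything.
SAMPLES = [
    {"InstallTime": "1375000000"},            # well-formed
    {},                                       # field absent
    {"InstallTime": ""},                      # present but empty
    {"InstallTime": "13750000bogus"},         # trailing junk
    {"InstallTime": " 1375000000\n"},         # int() would accept this
    {"InstallTime": "١٣٧٥"},                  # int() accepts Arabic-Indic digits
    {"InstallTime": "²"},                     # str.isdigit() is True, int() raises
    {"InstallTime": "99999999999999999999"},  # far out of range
]

if __name__ == "__main__":
    for raw, parsed in summarize(SAMPLES):
        print(repr(raw), "->", parsed.isoformat() if parsed else None)
```

Keeping the parser separate from the field-specific transform lets the same check be reused for the other required raw crash fields, which is the centralization suggested above.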
Commit pushed to master at https://github.com/mozilla/socorro

https://github.com/mozilla/socorro/commit/425865d6f02350c962e4da81809a68fe55dd34b6
fixes bug 899237 - report_index is relying on raw crash's `InstallTime` as int, r=rhelmer
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Changes for this bug are going out in 56.
Target Milestone: --- → 56
Whiteboard: [qa-]