
Add defensive checks against URI parameters in the public API #4788

Closed
sentry-io bot opened this issue Oct 16, 2024 · 2 comments · Fixed by #4794
Assignees
Labels
DEV: backend P1 - important Priority: High impact on UX

Comments


sentry-io bot commented Oct 16, 2024

Observed behavior

Requests to the public APIs, such as /api/public/v2/contentnode_tree/8f0a5b9d89795/, that have an invalid UUID cause a 500 error.

Sentry Issue: STUDIO-HH7

ValueError: badly formed hexadecimal UUID string
(23 additional frame(s) were not displayed)
...
  File "kolibri_public/views.py", line 65, in wrapper_func
    response = some_func(*args, **kwargs)
  File "kolibri_public/views.py", line 700, in retrieve
    queryset = self.get_tree_queryset(request, pk)
  File "kolibri_public/views.py", line 646, in get_tree_queryset
    if pk and self.filter_queryset(self.get_queryset()).filter(id=pk).exists()
  File "kolibri_content/fields.py", line 159, in get_db_prep_value
    value = uuid.UUID(value)

Expected behavior

This error is caused by 'bad input', which we still don't want to accept. However, since the error causes a 500 response, it would be better for us to validate that any request input matches what we expect (in this case, the request parameter should look like a UUID) and return a 'Bad Request' response instead. We should do this for all the public APIs.

@bjester bjester changed the title ValueError: badly formed hexadecimal UUID string Add defensive checks against URI parameters in the public API Oct 16, 2024
@bjester bjester added P1 - important Priority: High impact on UX DEV: backend labels Oct 16, 2024
@bjester bjester added this to the Studio: Q4 patch release 1 milestone Oct 16, 2024
@rtibbles (Member)

See here for how this was handled in Kolibri, many of the same strategies should be workable here: learningequality/kolibri#11009


rtibbles commented Nov 6, 2024

Fixed in #4794
