exception handling #12

Merged
merged 2 commits into from
Jan 24, 2023
Conversation

boutell
Member

@boutell boutell commented Jan 17, 2023

Summary

Proper exception handling, just in case. Although I can't reproduce an exception reaching this point with the URLs the client suggested, it is something middleware handlers should be doing.

What are the specific steps to test this change?

Redirects work normally, non-redirects work normally

What kind of change does this PR introduce?

(Check at least one)

  • Bug fix
  • New feature
  • Refactor
  • Documentation
  • Build-related changes
  • Other

Make sure the PR fulfills these requirements:

  • It includes a) the existing issue ID being resolved, b) a convincing reason for adding this feature, or c) a clear description of the bug it resolves
  • The changelog is updated
  • Related documentation has been updated
  • Related tests have been updated

If adding a new feature without an already open issue, it's best to open a feature request issue first and wait for approval before working on it.

Other information:

@boutell boutell requested a review from ValJed January 17, 2023 17:49
@linear

linear bot commented Jan 17, 2023

PRO-3502 As a bad actor I cannot crash Apostrophe just by supplying an invalid locale name in a URL

See:

https://gitlab-dcadcx.michelin.net/pa/apostrophe-enhancements/-/issues/1199

The language switcher generates technical URLs like this: https://legal.connectedmobility.michelin.com/api/v1/@apostrophecms/page/clai269kt0y0701ox966n0xl5:en:published/locale/fr

If we put a bad locale at the end of this url, it makes all Assembly crash - we had this issue this morning in production where a Qualys scan made all servers crash.

https://legal.connectedmobility.michelin.com/api/v1/@apostrophecms/page/clai269kt0y0701ox966n0xl5:en:published/locale/toto -> crash

It's a pretty straightforward bug in the i18n module:

      toLocaleRouteFactory(module) {
        return async (req, res) => {
          const _id = module.inferIdLocaleAndMode(req, req.params._id);
          // toLocale comes straight from the URL path and is never checked
          const toLocale = req.params.toLocale;
          // the unvalidated value is copied onto the cloned request as req.locale
          const localeReq = req.clone({
            locale: toLocale
          });
          // ... remainder of the handler omitted in the issue
        };
      }

And then other code cannot trust that req.locale is valid.
Solution is a check for a valid locale name here.
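A hardened version of the handler quoted above, added here as an example and not ApostropheCMS's own code: it checks `toLocale` against the module's configured locales before cloning the request, and wraps the rest in try/catch so an unexpected error answers one request with a 500 instead of escaping the handler. `locales`, `findPage`, `simulate` and the in-memory module/req/res are constructed stand-ins; `inferIdLocaleAndMode` and `req.clone` mirror the names in the issue but their real signatures are assumed.

```javascript
// Added example, not ApostropheCMS's own code: hardened toLocale route.
// `locales`, `findPage`, `simulate` and the req/res below are constructed stand-ins.
// Accept only locale names configured on the module. hasOwnProperty (not
// `name in locales`) also rejects prototype keys such as "constructor".
function isKnownLocale(module, name) {
  return typeof name === 'string' &&
    Object.prototype.hasOwnProperty.call(module.locales, name);
}

function toLocaleRouteFactory(module) {
  return (req, res) => {
    try {
      const toLocale = req.params.toLocale;
      // Reject before req.locale is set to a value downstream code would trust.
      if (!isKnownLocale(module, toLocale)) {
        return res.status(400).send({ name: 'invalid', message: 'unknown locale' });
      }
      const _id = module.inferIdLocaleAndMode(req, req.params._id);
      const localeReq = req.clone({ locale: toLocale });
      const page = module.findPage(localeReq, _id);
      if (!page) return res.status(404).send({ name: 'notfound' });
      return res.redirect(page._url);
    } catch (e) {
      // A 500 for this one request instead of an exception that kills the
      // process; log e server-side rather than echoing it to the client.
      return res.status(500).send({ name: 'error' });
    }
  };
}

// Constructed fake module: two locales, one page, and one id that fails.
const fakeModule = {
  locales: { en: {}, fr: {} },
  inferIdLocaleAndMode: (req, id) => id.split(':')[0],
  findPage(req, id) {
    if (id === 'boom') throw new Error('database unavailable');
    return id === 'page1' ? { _url: `/${req.locale}/page1` } : null;
  }
};
// Drive the handler with a minimal Express-like req/res; returns what was sent.
function simulate(idParam, toLocale) {
  const result = {};
  const res = {
    status(code) { result.status = code; return this; },
    send(body) { result.body = body; return result; },
    redirect(url) { result.status = 302; result.location = url; return result; }
  };
  const req = { params: { _id: idParam, toLocale }, clone(extra) { return { ...this, ...extra }; } };
  return toLocaleRouteFactory(fakeModule)(req, res);
}
```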

@boutell boutell requested review from myovchev and removed request for ValJed January 19, 2023 17:01
@myovchev

The CircleCI error is probably related with outdated repo configuration.

@boutell boutell merged commit 0bdec3f into main Jan 24, 2023