wrong reverse dns lookups in shadowserver reports cause a crash of the FQDN-validation #1022
Comments
ghost
added
bug
|
harmonization.py does this, to validate "FQDN" -Data. As you can see, leading dots are not stripped. @staticmethod
def sanitize(value):
value = value.rstrip('.')
if value:
return value.encode('idna').decode().lower()Minimalistic example to reproduce the error: >>> badurl = ".example.com"
>>> goodurl = "example.com"
>>> goodurl.encode("idna")
b'example.com'
>>> badurl.encode("idna")
Traceback (most recent call last):
File "/usr/lib/python3.4/encodings/idna.py", line 165, in encode
raise UnicodeError("label empty or too long")
UnicodeError: label empty or too long
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
UnicodeError: encoding with 'idna' codec failed (UnicodeError: label empty or too long)The data in the report is simply wrong. But how to deal with this? Reject the dataset (the call of is_valid()) should fail now)? @staticmethod
def sanitize(value):
value = value.rstrip('.')
if value[0] == ".":
return False
if value:
return value.encode('idna').decode().lower()Or alter and sanitize the dataset? @staticmethod
def sanitize(value):
value = value.rstrip('.')
value = value.lstrip('.')
if value:
return value.encode('idna').decode().lower()Is an indication of this alteration necessary? |
dmth
changed the title
|
This issue shall only focus on a solution for the Shadowserver-Parser, for instance by creating a validatior in A universal solution for this problem is pursued in #1030 |
|
IMHO we can strip the leading dot always. See also #369 for the discussion on trailing dot Ping @aaronkaplan EDIT: s/zero/dot/ :/ |
|
@wagner-certat you are refering to the leading dot ( |
|
@bernhardreiter yes :) |
|
We are going to work on that issue, first as validator in the shadowserver-config. |
Extends the validate_fqdn method by removing trailing dots from the fqdn. This fixes certtools#1022 on the shadowserver-parser config level. All "hostname" carrying values are now validated using this function. Nevertheless this issue should still be discussed as it is present for all other feeds. See certtools#1030 for the general solution.
Extends the validate_fqdn method by removing trailing dots from the fqdn. This fixes certtools#1022 on the shadowserver-parser config level. All "hostname" carrying values are now validated using this function. Nevertheless this issue should still be discussed as it is present for all other feeds. See certtools#1030 for the general solution.
|
That issue is independent of the source/parser. So IMHO it should go to
the sanitation of the harmonization. So if you are keen on fixing this
only for shadowserver, that specific fix will be replaced by a generic
fix very soon.
I'll push a commit fixing this to both branches of course.
|
Great I'm looking forward to it. |
Right now, if a reverse dns returns something bogus, there is a crash and dump
in sanitize()
Happened with shadowserver opendns resolver, and the hostname field was something like
.example.netThe text was updated successfully, but these errors were encountered: