API response for a `Reply` has full system path for `filename` #3918

Closed
heartsucker opened this Issue Nov 2, 2018 · 2 comments

heartsucker commented Nov 2, 2018

Description

The filename of a reply to a source should only be the $(basename $path) and not just $path.

Steps to Reproduce

Boot the dev env, reply via the API, fetch all replies from the API.

Expected Behavior

The response does not contain /var/lib/securedrop/store/$filesystem_id.

Actual Behavior

$ http localhost:8081/api/v1/replies
HTTP/1.0 200 OK
Content-Length: 4438
Content-Type: application/json
Date: Fri, 02 Nov 2018 13:58:11 GMT
Server: Werkzeug/0.14.1 Python/2.7.6
Set-Cookie: js=eyJleHBpcmVzIjp7IiBkIjoiRnJpLCAwMiBOb3YgMjAxOCAxNTo1ODoxMSBHTVQifX0.Dr3pcw.p_VpbLQcvnnVzg_jf6MTp9gZ8VI; HttpOnly; Path=/
Vary: Cookie

{
    "replies": [
        ...
        {
            "filename": "/var/lib/securedrop/store/V7ND6HFB3ZDSWS647VA2HPTTTOKD6M433M6ZSZOKTQTQAU7RWTWS5YU62F4WIASHUYTDAYW3HZVNORQAN3QKZVBZRELYCV3NUVARL6Y=/5-fourteen_recitative-reply.gpg", 
            "is_deleted_by_source": false, 
            "journalist_username": "journalist", 
            "journalist_uuid": "3328e4e8-4037-437b-88d9-a0aa270090cb", 
            "reply_url": "/api/v1/sources/c81a50ea-4eeb-4422-ba51-9bc11e598b14/replies/8b97e43d-e84d-412b-b7e2-1fccfa0fda17", 
            "size": 906, 
            "source_url": "/api/v1/sources/c81a50ea-4eeb-4422-ba51-9bc11e598b14", 
            "uuid": "8b97e43d-e84d-412b-b7e2-1fccfa0fda17"
        }, 
        ...
    ]
}

@heartsucker heartsucker added the bug label Nov 2, 2018

heartsucker added a commit that referenced this issue Nov 2, 2018

heartsucker commented Nov 2, 2018

This is a critical error and will cause unrecoverable 500's in prod when attempting to view a source with a contaminated DB.

172.17.0.1 - - [02/Nov/2018 14:33:25] "GET /col/CD6QKKJNKFHIJLRSBHBCVLXZSFTIAUP2WYUN3UAEVW2R56RKFJFXZC5XN4NFGI6C7LZGJBXUGXJ4RAFHXOBEBUF2MFWFBEGWNBWZPAY= HTTP/1.1" 500 -
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 2309, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 2295, in wsgi_app
    response = self.handle_exception(e)
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1741, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 2292, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1815, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1718, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1813, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1799, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/home/heartsucker/code/freedomofpress/securedrop/securedrop/journalist_app/col.py", line 38, in col
    source=source, form=form)
  File "/usr/local/lib/python2.7/dist-packages/flask/templating.py", line 135, in render_template
    context, ctx.app)
  File "/usr/local/lib/python2.7/dist-packages/flask/templating.py", line 117, in _render
    rv = template.render(context)
  File "/usr/local/lib/python2.7/dist-packages/jinja2/environment.py", line 1008, in render
    return self.environment.handle_exception(exc_info, True)
  File "/usr/local/lib/python2.7/dist-packages/jinja2/environment.py", line 780, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/home/heartsucker/code/freedomofpress/securedrop/securedrop/journalist_templates/col.html", line 1, in top-level template code
    {% extends "base.html" %}
  File "/home/heartsucker/code/freedomofpress/securedrop/securedrop/journalist_templates/base.html", line 50, in top-level template code
    {% block body %}{% endblock %}
  File "/home/heartsucker/code/freedomofpress/securedrop/securedrop/journalist_templates/col.html", line 21, in block "body"
    {% if source.collection %}
  File "/usr/local/lib/python2.7/dist-packages/jinja2/environment.py", line 430, in getattr
    return getattr(obj, attribute)
  File "/home/heartsucker/code/freedomofpress/securedrop/securedrop/models.py", line 106, in collection
    collection.sort(key=lambda x: int(x.filename.split('-')[0]))
  File "/home/heartsucker/code/freedomofpress/securedrop/securedrop/models.py", line 106, in <lambda>
    collection.sort(key=lambda x: int(x.filename.split('-')[0]))
ValueError: invalid literal for int() with base 10: '/var/lib/securedrop/store/CD6QKKJNKFHIJLRSBHBCVLXZSFTIAUP2WYUN3UAEVW2R56RKFJFXZC5XN4NFGI6C7LZGJBXUGXJ4RAFHXOBEBUF2MFWFBEGWNBWZPAY=/5'
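The path-versus-basename mismatch behind the traceback above, as an added example that is not part of the SecureDrop code or of this issue: a helper that derives the database value from the store path, a check that flags already-stored rows holding a full path, and the counter-based sort from models.py run over repaired names. STORE_DIR mirrors the path in the issue's API output; the filesystem id, the helper names and the sample filenames are constructed placeholders.

```python
import os
import re

# Store root as shown in the issue's API output; the filesystem id below is a
# constructed placeholder, not a real SecureDrop value.
STORE_DIR = "/var/lib/securedrop/store"
EXAMPLE_FILESYSTEM_ID = "EXAMPLE_FILESYSTEM_ID"

# A well-formed reply/submission filename starts with the numeric counter that
# models.py sorts on, e.g. "5-fourteen_recitative-reply.gpg" from the issue.
FILENAME_RE = re.compile(r"^\d+-[^/\\]+\.gpg$")


def store_path(filesystem_id, counter, journalist_filename):
    """Absolute path of a reply on disk (the value the bug leaked into the DB)."""
    name = "{}-{}-reply.gpg".format(counter, journalist_filename)
    return os.path.join(STORE_DIR, filesystem_id, name)


def filename_for_db(path):
    """Hypothetical helper: only the basename belongs in Reply.filename.

    Raises ValueError rather than letting a malformed value reach the DB,
    where it would later break the int() sort in Source.collection.
    """
    name = os.path.basename(path)
    if not FILENAME_RE.match(name):
        raise ValueError("unexpected reply filename: {!r}".format(name))
    return name


def find_contaminated(filenames):
    """Detection over stored Reply.filename values: rows holding a path
    instead of a bare filename are the ones that would 500 on /col/<id>."""
    return [f for f in filenames
            if os.path.basename(f) != f or not FILENAME_RE.match(f)]


def sort_collection(filenames):
    """The counter-based sort from models.py, applied after normalising each
    value so a full path no longer reaches int()."""
    names = [filename_for_db(f) for f in filenames]
    return sorted(names, key=lambda x: int(x.split("-")[0]))


if __name__ == "__main__":
    p = store_path(EXAMPLE_FILESYSTEM_ID, 5, "fourteen_recitative")
    print(find_contaminated([p, "1-example_name-msg.gpg"]))
    print(sort_collection([p, "1-example_name-msg.gpg"]))
```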

heartsucker commented Nov 2, 2018

This does not cause an error on the source interface.

@heartsucker heartsucker closed this Nov 2, 2018

@heartsucker heartsucker reopened this Nov 2, 2018

redshiftzero added a commit that referenced this issue Nov 2, 2018

nightwarrior-xxx added a commit to nightwarrior-xxx/securedrop that referenced this issue Nov 7, 2018
