Input sanitisation #3142
While this error is not pretty, it is completely harmless. Creating noise in the log file is the only undesirable thing that happens in such a case. FYI, SQLAlchemy properly passes user input as query parameters instead of interpolating it, so there is no need for any kind of escaping there. The only workaround to avoid this kind of noise I can see is failing with e.g. a 400 error if there's any query string value or URL segment containing a NUL byte.
If it only created noise in the log file that would be OK. The problem is that it is not correctly classified. It should trigger an error message to the user. Instead it triggers a Python process "crash" because of an unhandled exception. This triggers an "error" level message to the logs and an email to the admin. In case someone is trying a brute force attack (or a security scan) it causes 1000+ mails to go to the admin. That is not harmless. I cannot turn off the sending of emails, since I actually want to see real errors.
Like I said in my previous comment, I think rejecting requests with NULs in query string arguments makes sense and this should cover most of the noise such security scans generate. If you have any cases where other nonsense data caused exceptions please let us know!
Error emails are annoying in general - we got quite some noise in the past too (especially when we were still using legacy Indico). You might want to consider using Sentry and completely disabling error emails. In Sentry you can easily mark specific errors as ignored. Also, for real errors encountered by users they always have the option to send an error report, which would send you an email even if the email logger for errors is disabled.
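One way to implement the 400 rejection proposed above, as an added example that is not Indico's own code and not what the maintainers shipped: a stdlib-only WSGI middleware that checks the request path and every query-string key and value for a NUL byte before the application (and thus the DB driver or datetime parsing) ever sees it. The names `contains_nul`, `RejectNulBytes`, `demo_app` and `call`, and the sample requests, are constructed for this example.

```python
"""Added example, not Indico's code: a stdlib-only WSGI middleware that
rejects a request with a 400 when its path or query string carries a NUL
byte, so the raw ValueError from the DB driver or datetime is never raised."""
from urllib.parse import parse_qsl, unquote


def contains_nul(environ):
    """Return True if PATH_INFO or any query-string key/value contains NUL.

    WSGI servers percent-decode PATH_INFO but leave QUERY_STRING raw, so a
    scanner's "%00" only becomes a NUL character after decoding. The path is
    checked both as given and after unquote() in case the server left it
    encoded (a literal "%00" in a decoded path is then rejected too).
    """
    path = environ.get("PATH_INFO", "")
    if "\x00" in path or "\x00" in unquote(path):
        return True
    # parse_qsl percent-decodes keys and values; keep_blank_values=True makes
    # a bare "%00" (no "=") show up as a key instead of being dropped.
    for key, value in parse_qsl(environ.get("QUERY_STRING", ""),
                                keep_blank_values=True):
        if "\x00" in key or "\x00" in value:
            return True
    return False


class RejectNulBytes:
    """WSGI middleware: answer 400 before the wrapped app sees the NUL byte."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if contains_nul(environ):
            body = b"NUL byte in request path or query string\n"
            start_response("400 Bad Request", [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the real application (hypothetical, for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [b"ok\n"]


def call(app, path, query=""):
    """Run one constructed request through a WSGI app; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    app = RejectNulBytes(demo_app)
    # Constructed requests, not captured scanner traffic.
    for path, query in [("/event/123/", "date=2018-01-01"),
                        ("/event/123/", "date=2018%00"),
                        ("/event/1\x002/", ""),
                        ("/search/", "%00")]:
        print(repr(path), repr(query), "->", call(app, path, query)[0])
```

The check deliberately runs outside the application: it rejects the request with a client error, so nothing reaches the error logger or the admin email handler, while a genuine server-side bug still surfaces as a 500. Form bodies and headers are not inspected here; extend `contains_nul` if the application parses those into database queries as well.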
This morning our Indico instance (http://indico.nbi.ku.dk) was hit by an automated scan (Nessus) by DKCERT (https://www.cert.dk/)
This flooded our admin inboxes with error mails, because user input is not properly checked and escaped. "Luckily" it was caught by other libraries (sqlalchemy, datetime), but only as raw ValueError exceptions.
User input should be properly sanitised and escaped before being passed to the DB. Alternatively, exceptions like this should be caught and trigger a user error (and maybe a warning in the logs). It should not trigger a Python "crash".
Below I've included a couple of interesting stack traces showing the issue.