Restrict Tastypie serialization formats to JSON only #1836

Closed
hackdna opened this issue Jun 26, 2017 · 0 comments · Fixed by #2311

hackdna commented Jun 26, 2017

Refinery crashes if someone accesses any of the Tastypie APIs with a query string containing format=xml. Tastypie documentation suggests:

"Support the minimum required set of formats in your application. If you do not require a format, it’s much safer to disable it completely. See TASTYPIE_DEFAULT_FORMATS setting."

Sample log entries:

Internal Server Error: /api/v1/analysis/
Traceback (most recent call last):
  File "/home/ubuntu/.virtualenvs/refinery-platform/lib/python2.7/site-packages/django/core/handlers/base.py", line 111, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/home/ubuntu/.virtualenvs/refinery-platform/lib/python2.7/site-packages/django/views/decorators/csrf.py", line 57, in wrapped_view
    return view_func(*args, **kwargs)
  File "/home/ubuntu/.virtualenvs/refinery-platform/lib/python2.7/site-packages/tastypie/resources.py", line 249, in wrapper
    return self._handle_500(request, e)
  File "/home/ubuntu/.virtualenvs/refinery-platform/lib/python2.7/site-packages/tastypie/resources.py", line 289, in _handle_500
    return self.error_response(request, data, response_class=response_class)
  File "/home/ubuntu/.virtualenvs/refinery-platform/lib/python2.7/site-packages/tastypie/resources.py", line 1231, in error_response
    serialized = self.serialize(request, errors, desired_format)
  File "/home/ubuntu/.virtualenvs/refinery-platform/lib/python2.7/site-packages/tastypie/resources.py", line 371, in serialize
    return self._meta.serializer.serialize(data, format, options)
  File "/home/ubuntu/.virtualenvs/refinery-platform/lib/python2.7/site-packages/tastypie/serializers.py", line 202, in serialize
    serialized = getattr(self, "to_%s" % desired_format)(bundle, options)
  File "/home/ubuntu/.virtualenvs/refinery-platform/lib/python2.7/site-packages/tastypie/serializers.py", line 407, in to_xml
    raise ImproperlyConfigured("Usage of the XML aspects requires lxml and defusedxml.")
ImproperlyConfigured: Usage of the XML aspects requires lxml and defusedxml.

Request repr():
<WSGIRequest
path:/api/v1/analysis/,
GET:<QueryDict: {u'format': [u'xml']}>,
POST:<QueryDict: {}>,
COOKIES:{'_ga': 'GA1.2.1748380814.1483628503',
'_gid': 'GA1.2.1622156721.1498255735',
'csrftoken': <redacted>,
'sessionid': <redacted>},
META:{'CONTEXT_DOCUMENT_ROOT': '/var/www',
'CONTEXT_PREFIX': '',
u'CSRF_COOKIE': <redacted>,
'DOCUMENT_ROOT': '/var/www',
'GATEWAY_INTERFACE': 'CGI/1.1',
'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'HTTP_ACCEPT_ENCODING': 'gzip, deflate, sdch, br',
'HTTP_ACCEPT_LANGUAGE': 'en-US,en;q=0.8,de;q=0.6',
'HTTP_CONNECTION': 'keep-alive',
'HTTP_COOKIE': 'sessionid=<redacted>; csrftoken=<redacted>; _ga=GA1.2.1748380814.1483628503; _gid=GA1.2.1622156721.1498255735',
'HTTP_DNT': '1',
'HTTP_HOST': 'beta.stemcellcommons.org',
'HTTP_UPGRADE_INSECURE_REQUESTS': '1',
'HTTP_USER_AGENT': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36',
'HTTP_X_FORWARDED_FOR': '134.174.140.198',
'HTTP_X_FORWARDED_PORT': '443',
'HTTP_X_FORWARDED_PROTO': 'https',
'PATH_INFO': u'/api/v1/analysis/',
'PATH_TRANSLATED': '/srv/refinery-platform/refinery/config/wsgi_aws.py/api/v1/analysis/',
'QUERY_STRING': 'format=xml',
'REMOTE_ADDR': '172.31.55.84',
'REMOTE_PORT': '38050',
'REQUEST_METHOD': 'GET',
'REQUEST_SCHEME': 'http',
'REQUEST_URI': '/api/v1/analysis/?format=xml',
'SCRIPT_FILENAME': '/srv/refinery-platform/refinery/config/wsgi_aws.py',
'SCRIPT_NAME': u'',
'SCRIPT_URI': 'http://beta.stemcellcommons.org/api/v1/analysis/',
'SCRIPT_URL': '/api/v1/analysis/',
'SERVER_ADDR': '172.31.58.202',
'SERVER_ADMIN': '[no address given]',
'SERVER_NAME': 'beta.stemcellcommons.org',
'SERVER_PORT': '80',
'SERVER_PROTOCOL': 'HTTP/1.1',
'SERVER_SIGNATURE': '',
'SERVER_SOFTWARE': 'Apache/2.4.7 (Ubuntu)',
'mod_wsgi.application_group': 'beta.stemcellcommons.org|',
'mod_wsgi.callable_object': 'application',
'mod_wsgi.enable_sendfile': '0',
'mod_wsgi.handler_script': '',
'mod_wsgi.input_chunked': '0',
'mod_wsgi.listener_host': '',
'mod_wsgi.listener_port': '80',
'mod_wsgi.process_group': 'refinery',
'mod_wsgi.queue_start': '1498256030673627',
'mod_wsgi.request_handler': 'wsgi-script',
'mod_wsgi.script_reloading': '1',
'mod_wsgi.version': (3, 4),
'wsgi.errors': <mod_wsgi.Log object at 0x7f1b6c72c6b0>,
'wsgi.file_wrapper': <built-in method file_wrapper of mod_wsgi.Adapter object at 0x7f1b6c904990>,
'wsgi.input': <mod_wsgi.Input object at 0x7f1b6c72c470>,
'wsgi.multiprocess': False,
'wsgi.multithread': True,
'wsgi.run_once': False,
'wsgi.url_scheme': 'http',
'wsgi.version': (1, 0)}>
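Added example (not Refinery's or Tastypie's code) of the failure mode in the traceback and the fix the issue proposes. The point is that the format is chosen before its backend is checked: with XML still enabled in the format list, `?format=xml` (or a browser `Accept: application/xml` header, which this toy negotiator also honours) reaches `to_xml`, which raises `ImproperlyConfigured` because lxml and defusedxml are not installed, and that surfaces as a 500. With the allowlist reduced to JSON, the same request is rejected as a client error before serialization. In the real project the equivalent is `TASTYPIE_DEFAULT_FORMATS = ['json']` in Django settings (the setting the issue names) or `Serializer(formats=['json'])` on a resource's serializer; the negotiation, content-type table and exception classes below are a constructed stand-in, not Tastypie's implementation.

```python
"""Toy model of format negotiation with an allowlist (constructed example)."""
import json
from urllib.parse import parse_qs

# The setting named in the issue, restricted to JSON only. Assumption: this is
# the value to put in Django settings; it is the fix, not what ran at the time.
TASTYPIE_DEFAULT_FORMATS = ["json"]

# Constructed subset of format -> content type pairs a serializer might know.
CONTENT_TYPES = {
    "json": "application/json",
    "xml": "application/xml",
    "yaml": "text/yaml",
}

# Stands in for the optional-dependency check in the traceback: the XML backend
# needs lxml and defusedxml, which were not installed on the server.
INSTALLED_BACKENDS = {"json"}


class UnsupportedFormat(Exception):
    """Client asked for a format outside the allowlist (maps to HTTP 400)."""


class ImproperlyConfigured(Exception):
    """Enabled format whose backend is missing, found at serialize time (HTTP 500)."""


def determine_format(query_string, accept_header, formats):
    """Choose a response format: ?format= first, then the Accept header,
    accepting only formats in the allowlist; fall back to the first allowed one.
    Simplification: Accept entries are matched in order, ignoring q-values."""
    params = parse_qs(query_string)
    requested = params.get("format", [None])[0]
    if requested is not None:
        if requested not in formats:
            raise UnsupportedFormat(requested)
        return requested
    for item in accept_header.split(","):
        media = item.split(";")[0].strip()
        for fmt in formats:
            if CONTENT_TYPES[fmt] == media:
                return fmt
    return formats[0]


def serialize(data, fmt):
    """Serialize only if the backend for fmt is actually installed."""
    if fmt not in INSTALLED_BACKENDS:
        raise ImproperlyConfigured(
            "Usage of the %s aspects requires extra packages." % fmt)
    return json.dumps(data)  # only JSON is installed in this model


def handle_request(query_string, accept_header, formats):
    """Return (status, body). An unsupported format is a client error; an
    enabled-but-uninstalled backend is a server error, the case in the log."""
    try:
        fmt = determine_format(query_string, accept_header, formats)
        return 200, serialize({"objects": []}, fmt)
    except UnsupportedFormat as e:
        return 400, "Unsupported format: %s" % e
    except ImproperlyConfigured as e:
        return 500, str(e)


# The Accept header from the request repr above, used as sample input.
BROWSER_ACCEPT = ("text/html,application/xhtml+xml,application/xml;q=0.9,"
                  "image/webp,*/*;q=0.8")

if __name__ == "__main__":
    print(handle_request("format=xml", "*/*", ["json", "xml"]))       # 500
    print(handle_request("format=xml", "*/*", TASTYPIE_DEFAULT_FORMATS))  # 400
    print(handle_request("", BROWSER_ACCEPT, TASTYPIE_DEFAULT_FORMATS))   # 200
```

Note the third case: with XML left enabled, an ordinary browser request carrying `application/xml` in its Accept header can select the XML path without any `?format=` parameter, so trimming the allowlist also removes that route, not just the explicit query string.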
@hackdna hackdna added this to the Next milestone Jun 26, 2017
@ngehlenborg ngehlenborg removed this from the Next milestone Oct 17, 2017
@hackdna hackdna added this to the Release 1.6.1 milestone Oct 17, 2017
This was referenced Oct 31, 2017
@scottx611x scottx611x added this to Done in Technical Debt Nov 6, 2017
@hackdna hackdna added this to ToDo in Security Apr 18, 2019
@hackdna hackdna removed this from ToDo in Security Apr 18, 2019