##// END OF EJS Templates
core: use application wide detection of invalid bytes sent via URL/GET/POST data.
marcink -
r3145:f9f61897 default
parent child Browse files
Show More
@@ -0,0 +1,45 b''
1 # -*- coding: utf-8 -*-
2
3 # Copyright (C) 2016-2018 RhodeCode GmbH
4 #
5 # This program is free software: you can redistribute it and/or modify
6 # it under the terms of the GNU Affero General Public License, version 3
7 # (only), as published by the Free Software Foundation.
8 #
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
13 #
14 # You should have received a copy of the GNU Affero General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 #
17 # This program is dual-licensed. If you wish to learn more about the
18 # RhodeCode Enterprise Edition, including its added features, Support services,
19 # and proprietary license terms, please see https://rhodecode.com/licenses/
20
21 import pytest
22
23 from rhodecode.tests import TestController
24 from rhodecode.tests.fixture import Fixture
25
26
27 class TestBadRequestData(TestController):
28
29 def test_bad_get_data(self):
30 self.app.get(
31 '/', params={'f\xfc': '\xfc%f6%22%20onmouseover%3dveA2(9352)%20'},
32 status=400)
33
34 def test_bad_url_data(self):
35 self.app.post(
36 '/f\xfc',
37 status=400)
38
39 def test_bad_post_data(self, csrf_token, xhr_header):
40 self.app.post(
41 '/_markup_preview',
42 params={'f\xfc': '\xfc%f6%22%20onmouseover%3dveA2(9352)%20',
43 'csrf_token': csrf_token},
44 extra_environ=xhr_header,
45 status=400)
@@ -27,7 +27,6 b' import subprocess32'
27
27
28
28
29 from dateutil.parser import parse
29 from dateutil.parser import parse
30 from pyramid.httpexceptions import HTTPBadRequest
31 from pyramid.threadlocal import get_current_request
30 from pyramid.threadlocal import get_current_request
32 from pyramid.interfaces import IRoutesMapper
31 from pyramid.interfaces import IRoutesMapper
33 from pyramid.settings import asbool
32 from pyramid.settings import asbool
@@ -39,7 +38,6 b' from rhodecode.config.jsroutes import ge'
39 from rhodecode.lib import auth
38 from rhodecode.lib import auth
40 from rhodecode.lib.base import get_auth_user
39 from rhodecode.lib.base import get_auth_user
41
40
42
43 import rhodecode
41 import rhodecode
44
42
45
43
@@ -61,19 +59,7 b' def add_renderer_globals(event):'
61
59
62 def add_localizer(event):
60 def add_localizer(event):
63 request = event.request
61 request = event.request
64 try:
65 localizer = request.localizer
62 localizer = request.localizer
66 except Exception:
67 log.exception('Failed to get localizer')
68 # NOTE(marcink): Handle bug in pyramid by malformed GET params could crash
69 # this resulting on various odd errors on missing translators
70 # see: https://github.com/Pylons/pyramid/issues/3399
71
72 def dummy_translate(*args, **kwargs):
73 return ''.join(args)
74 request.translate = tsf
75 request.plularize = dummy_translate
76 raise HTTPBadRequest()
77
63
78 def auto_translate(*args, **kwargs):
64 def auto_translate(*args, **kwargs):
79 return localizer.translate(tsf(*args, **kwargs))
65 return localizer.translate(tsf(*args, **kwargs))
@@ -20,6 +20,7 b''
20
20
21
21
22 import logging
22 import logging
23 from pyramid.httpexceptions import HTTPException, HTTPBadRequest
23
24
24 from rhodecode.lib.middleware.vcs import (
25 from rhodecode.lib.middleware.vcs import (
25 detect_vcs_request, VCS_TYPE_KEY, VCS_TYPE_SKIP)
26 detect_vcs_request, VCS_TYPE_KEY, VCS_TYPE_SKIP)
@@ -56,6 +57,53 b' def vcs_detection_tween_factory(handler,'
56 return vcs_detection_tween
57 return vcs_detection_tween
57
58
58
59
60 def junk_encoding_detector(request):
61 """
62 Detect bad encoded GET params, and fail immediately with BadRequest
63 """
64
65 try:
66 request.GET.get("", None)
67 except UnicodeDecodeError:
68 raise HTTPBadRequest("Invalid bytes in query string.")
69
70
71 def bad_url_data_detector(request):
72 """
73 Detect invalid bytes in a path.
74 """
75 try:
76 request.path_info
77 except UnicodeDecodeError:
78 raise HTTPBadRequest("Invalid bytes in URL.")
79
80
81 def junk_form_data_detector(request):
82 """
83 Detect bad encoded POST params, and fail immediately with BadRequest
84 """
85
86 if request.method == "POST":
87 try:
88 request.POST.get("", None)
89 except ValueError:
90 raise HTTPBadRequest("Invalid bytes in form data.")
91
92
93 def sanity_check_factory(handler, registry):
94 def sanity_check(request):
95 try:
96 junk_encoding_detector(request)
97 bad_url_data_detector(request)
98 junk_form_data_detector(request)
99 except HTTPException as exc:
100 return exc
101
102 return handler(request)
103
104 return sanity_check
105
106
59 def includeme(config):
107 def includeme(config):
60 config.add_subscriber('rhodecode.subscribers.add_renderer_globals',
108 config.add_subscriber('rhodecode.subscribers.add_renderer_globals',
61 'pyramid.events.BeforeRender')
109 'pyramid.events.BeforeRender')
@@ -65,5 +113,5 b' def includeme(config):'
65 'pyramid.events.NewRequest')
113 'pyramid.events.NewRequest')
66 config.add_subscriber('rhodecode.subscribers.add_request_user_context',
114 config.add_subscriber('rhodecode.subscribers.add_request_user_context',
67 'pyramid.events.ContextFound')
115 'pyramid.events.ContextFound')
68
116 config.add_tween('rhodecode.tweens.sanity_check_factory')
69 config.add_tween('rhodecode.tweens.vcs_detection_tween_factory')
117 config.add_tween('rhodecode.tweens.vcs_detection_tween_factory')
General Comments 0
You need to be logged in to leave comments. Login now