Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Protect hook endpoints against SSRF attacks #2596

Merged
merged 2 commits into from
Apr 1, 2020
Merged

Protect hook endpoints against SSRF attacks #2596

merged 2 commits into from
Apr 1, 2020

Conversation

noliveleger
Copy link
Contributor

@noliveleger noliveleger commented Mar 12, 2020
edited
Loading

@noliveleger noliveleger changed the base branch from master to two-databases March 12, 2020 20:59
@noliveleger noliveleger requested a review from jnm March 12, 2020 20:59
@noliveleger noliveleger changed the title Kobotoolbox/tasks#341 ssrf protection Protect hook endpoints against SSRF attacks Mar 12, 2020
@noliveleger noliveleger mentioned this pull request Mar 12, 2020
Merged
jnm
jnm reviewed Apr 1, 2020
View reviewed changes
kobo/apps/hook/models/service_definition_interface.py
@@ -113,7 +116,15 @@ def send(self):
text = response.text
status_code = response.status_code
self.save_log(status_code, text)

except SSRFProtectException as e:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I should've brought this up way back in #1864, but these very large try blocks and catch-call except Exception as e handlers should be refactored at some point. In this send() method, for example, I think the only calls that should be inside trys are:

  • SSRFProtect.validate(self._hook.endpoint)
  • response.raise_for_status()

I'm not sure why except Exception as e is better than letting the exception fall through to Sentry. Maybe I'm forgetting something.

@jnm jnm mentioned this pull request Apr 1, 2020
Open
@jnm jnm merged commit 8576995 into two-databases Apr 1, 2020
@jnm jnm deleted the kobotoolbox/tasks#341-ssrf-protection branch April 1, 2020 20:40
@jnm jnm mentioned this pull request Apr 16, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jnm jnm jnm left review comments

Assignees

@jnm jnm

Labels
security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@noliveleger @jnm