
Bug #8523

Unauthorized users can perform DoS attacks

Added by Evgeny Novikov about 2 months ago. Updated 5 days ago.

Status:
Closed
Priority:
Immediate
Category:
Bridge
Target version:
Start date:
10/24/2017
Due date:
10/24/2017
% Done:

100%

Estimated time:
Detected in build:
svn
Platform:
Published in build:

Description

The issue was discovered by Alexey Khoroshilov. The corresponding error description is the following:

AttributeError at /reports/coverage-light/1829813/

'AnonymousUser' object has no attribute 'extended'

Request Method:     GET
Request URL:     http://ldvstore:8998/reports/coverage-light/1829813/
Django Version:     1.11.3
Exception Type:     AttributeError
Exception Value:    

'AnonymousUser' object has no attribute 'extended'

Exception Location:     /usr/local/lib/python3.4/dist-packages/django/utils/functional.py in inner, line 239
Python Executable:     /usr/bin/python3
Python Version:     3.4.2
Python Path:    

['/var/www/bridge',
 '/usr/local/bin',
 '/usr/lib/python3.4',
 '/usr/lib/python3.4/plat-x86_64-linux-gnu',
 '/usr/lib/python3.4/lib-dynload',
 '/usr/local/lib/python3.4/dist-packages',
 '/usr/lib/python3/dist-packages']

Server time:     Пн, 23 Окт 2017 16:41:24 +0000


Related issues

Related to Klever - Feature #7174: Develop security tests for Bridge (New, 2016-05-05)

History

#1 Updated by Vladimir Gratinskiy about 2 months ago

  • Due date set to 10/24/2017
  • Status changed from New to Resolved
  • % Done changed from 0 to 100

Fixed in fix_8523.

#2 Updated by Evgeny Novikov about 2 months ago

  • Status changed from Resolved to Closed

I merged the branch to master in commit:68ca934. In addition, I backported the fix to branch v0.2-stable since this bug can bring down production servers.

Indeed it would be great to have corresponding test cases that will try to access all possible entry points without being authorized.

#3 Updated by Evgeny Novikov 6 days ago

  • Status changed from Closed to Open

I found out another reason located almost in the same place:

[05.Dec.2017 16:18:01] Internal Server Error: /reports/ajax/get-coverage-src/
Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/django/core/handlers/exception.py", line 41, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.5/dist-packages/django/core/handlers/base.py", line 249, in _legacy_get_response
    response = self._get_response(request)
  File "/usr/local/lib/python3.5/dist-packages/django/core/handlers/base.py", line 187, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/usr/local/lib/python3.5/dist-packages/django/core/handlers/base.py", line 185, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/var/www/klever-bridge/tools/profiling.py", line 133, in wait
    res = f(*args, **kwargs)
  File "/var/www/klever-bridge/reports/views.py", line 873, in get_coverage_src
    activate(request.user.extended.language)
  File "/usr/local/lib/python3.5/dist-packages/django/utils/functional.py", line 239, in inner
    return func(self._wrapped, *args)
AttributeError: 'AnonymousUser' object has no attribute 'extended'

#4 Updated by Vladimir Gratinskiy 5 days ago

  • Status changed from Open to Resolved

Fixed in fix_8523.

#5 Updated by Evgeny Novikov 5 days ago

  • Status changed from Resolved to Closed

I merged the branch to master in commit:fd8420e. In addition, I backported the commit to branch v0.2-stable for the same reason as for the previous bug fix.

BTW, I hope that one day we will have appropriate tests. For instance, I couldn't test the last bug fix. Moreover, it was revealed unexpectedly, since this is a POST request that one can't easily generate, and for unknown reasons my authorization was dropped between viewing code coverage and trying to view code coverage for another file.
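The two tracebacks on this ticket share one root cause: a view reads request.user.extended before anything has checked that the request is authenticated, so an AnonymousUser (which has no "extended" profile) raises AttributeError and Django answers with a 500. The example below is added here and is not Klever Bridge's code. It reproduces the pattern as a vulnerable view next to a guarded one, and implements the kind of check comments #2 and #5 ask for: a sweep that calls every entry point without credentials and flags any that escape with a server error. Django is not imported; the small Request, User, AnonymousUser and Response classes are constructed stand-ins for the objects named in the tracebacks, the login_required decorator is a minimal analogue of Django's, and the ENTRY_POINTS table is hypothetical (Bridge's real URL routing is not on the ticket).

```python
"""Added example (not Klever's code): unguarded access to request.user.extended
versus an authentication guard, plus an unauthenticated sweep of entry points."""
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict


# --- constructed stand-ins for the Django objects seen in the tracebacks ------
@dataclass
class Extended:
    """Stand-in for the per-user 'extended' profile whose .language is read."""
    language: str = "en"


@dataclass
class User:
    extended: Extended = field(default_factory=Extended)
    is_authenticated: bool = True


class AnonymousUser:
    """Like django.contrib.auth.models.AnonymousUser: authenticated is False
    and there is no .extended attribute at all."""
    is_authenticated = False


@dataclass
class Request:
    method: str
    user: object
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""


def vulnerable_get_coverage_src(request: Request) -> Response:
    """The pattern from the ticket: request.user.extended is dereferenced before
    anyone checked authentication. For AnonymousUser this raises AttributeError,
    which the framework reports as an Internal Server Error."""
    language = request.user.extended.language
    return Response(200, f"coverage source ({language})")


def login_required(view: Callable[[Request], Response]) -> Callable[[Request], Response]:
    """Minimal analogue of django.contrib.auth.decorators.login_required:
    an anonymous caller is answered with 401 before the view body runs."""
    @wraps(view)
    def guarded(request: Request) -> Response:
        if not request.user.is_authenticated:
            return Response(401, "authentication required")
        return view(request)
    return guarded


@login_required
def fixed_get_coverage_src(request: Request) -> Response:
    """Same body as the vulnerable view; the guard makes .extended safe to read."""
    language = request.user.extended.language
    return Response(200, f"coverage source ({language})")


# Hypothetical routing table; the two paths are the ones quoted on the ticket.
ENTRY_POINTS: Dict[str, Callable[[Request], Response]] = {
    "/reports/ajax/get-coverage-src/": fixed_get_coverage_src,
    "/reports/coverage-light/1829813/": fixed_get_coverage_src,
}


def call_unauthenticated(view: Callable[[Request], Response], method: str = "GET") -> Response:
    """Invoke a view as AnonymousUser; an escaped AttributeError becomes the
    500 the server would have produced, so callers can assert on a status."""
    try:
        return view(Request(method, AnonymousUser()))
    except AttributeError as exc:
        return Response(500, f"AttributeError: {exc}")


def unauthenticated_sweep(entry_points: Dict[str, Callable[[Request], Response]] = ENTRY_POINTS) -> Dict[str, int]:
    """Hit every entry point without credentials and record the status code.
    Any status >= 500 means an anonymous request can crash a view, which is the
    condition this ticket reports; 401/403 is the expected answer."""
    return {path: call_unauthenticated(view).status for path, view in entry_points.items()}


if __name__ == "__main__":
    print(call_unauthenticated(vulnerable_get_coverage_src))
    print(call_unauthenticated(fixed_get_coverage_src))
    print(unauthenticated_sweep())
```

In a real Django project the same sweep is written against django.test.Client with no login performed, iterating over the project's URL patterns and asserting that every response is a redirect to the login page or a 401/403, never a 5xx; that is the regression test that would have caught both fixes on this ticket.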
