Parse malformed requests properly #8190

Open
paulmueller opened this issue Apr 17, 2024 · 0 comments

Comments

@paulmueller (Contributor) commented Apr 17, 2024

CKAN version

2.10.4

Describe the bug

Somebody or something is occasionally flooding my CKAN instance with malformed GET requests. These sometimes cause a 500 internal server error.

Steps to reproduce

Click one of these links:

Expected behavior

The instance should return a normal error message. The malformed query should be parsed correctly.

Additional details

In the uWSGI logs, you will see something like this:

Traceback (most recent call last):
  File "/usr/lib/ckan/default/lib/python3.8/site-packages/flask/app.py", line 1516, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/ckan/default/lib/python3.8/site-packages/flask/app.py", line 1502, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
  File "/usr/lib/ckan/default/src/ckan/ckan/config/middleware/../../views/group.py", line 174, in index
    global_results = _action(u'group_list')(context,
  File "/usr/lib/ckan/default/src/ckan/ckan/logic/__init__.py", line 580, in wrapped
    result = _action(context, data_dict, **kw)
  File "/usr/lib/ckan/default/src/ckan/ckan/logic/action/get.py", line 561, in organization_list
    return _group_or_org_list(context, data_dict, is_org=True)
  File "/usr/lib/ckan/default/src/ckan/ckan/logic/action/get.py", line 430, in _group_or_org_list
    groups = query.all()
  File "/usr/lib/ckan/default/lib/python3.8/site-packages/sqlalchemy/orm/query.py", line 2772, in all
    return self._iter().all()
  File "/usr/lib/ckan/default/lib/python3.8/site-packages/sqlalchemy/orm/query.py", line 2907, in _iter
    result = self.session.execute(
  File "/usr/lib/ckan/default/lib/python3.8/site-packages/sqlalchemy/orm/session.py", line 1712, in execute
    result = conn._execute_20(statement, params or {}, execution_options)
  File "/usr/lib/ckan/default/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 1705, in _execute_20
    return meth(self, args_10style, kwargs_10style, execution_options)
  File "/usr/lib/ckan/default/lib/python3.8/site-packages/sqlalchemy/sql/elements.py", line 333, in _execute_on_connection
    return connection._execute_clauseelement(
  File "/usr/lib/ckan/default/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 1572, in _execute_clauseelement
    ret = self._execute_context(
  File "/usr/lib/ckan/default/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 1943, in _execute_context
    self._handle_dbapi_exception(
  File "/usr/lib/ckan/default/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 2128, in _handle_dbapi_exception
    util.raise_(exc_info[1], with_traceback=exc_info[2])
  File "/usr/lib/ckan/default/lib/python3.8/site-packages/sqlalchemy/util/compat.py", line 208, in raise_
    raise exception
  File "/usr/lib/ckan/default/lib/python3.8/site-packages/sqlalchemy/engine/base.py", line 1900, in _execute_context
    self.dialect.do_execute(
  File "/usr/lib/ckan/default/lib/python3.8/site-packages/sqlalchemy/engine/default.py", line 736, in do_execute
    cursor.execute(statement, parameters)
ValueError: A string literal cannot contain NUL (0x00) characters.

These are only a few examples. There are more of these that result in e.g. AttributeErrors as well. What I think is missing is some kind of validator for the search query.
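The traceback above ends in psycopg2 refusing a string literal that contains a NUL byte, which means a raw `%00` from the query string travelled untouched from the request all the way into the SQL statement. The following is an added example (not CKAN's code, not the reporter's) of the kind of validator the comment asks for: it parses the query string with the standard library, rejects any parameter name or value that decodes to a NUL character, and answers with a 400 instead of letting the value reach the database. The `MAX_PARAM_LEN` limit, the `BadQuery` exception and the `handle_request` view are assumptions for the demonstration; the sample URLs are constructed and are not the links from the issue.

```python
"""Reject NUL (0x00) characters in query parameters before they reach the DB.

Added example, not CKAN's code. It works on a raw WSGI-style QUERY_STRING
and returns a (status, body) pair so it can be wired into any framework.
"""
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

MAX_PARAM_LEN = 1000  # assumed limit; not a CKAN setting


class BadQuery(ValueError):
    """A query string the application should answer with HTTP 400."""


def validate_query_params(query_string: str) -> Dict[str, List[str]]:
    """Parse a raw query string and reject NUL in any key or value.

    parse_qs percent-decodes, so an encoded %00 becomes "\\x00" here and is
    caught the same way as a literal NUL byte would be.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    for key, values in params.items():
        if "\x00" in key:
            raise BadQuery("parameter name contains NUL")
        for value in values:
            if "\x00" in value:
                raise BadQuery(f"parameter {key!r} contains NUL")
            if len(value) > MAX_PARAM_LEN:
                raise BadQuery(f"parameter {key!r} exceeds {MAX_PARAM_LEN} chars")
    return params


def handle_request(url: str) -> Tuple[int, str]:
    """Simulated view: 400 with a plain message on bad input, 200 otherwise.

    The validator runs before anything touches the database, which is where
    the ValueError in the issue's traceback was raised.
    """
    query = urlsplit(url).query
    try:
        params = validate_query_params(query)
    except BadQuery as exc:
        return 400, f"Bad request: {exc}"
    # Placeholder for the real search; the DB query would run here.
    return 200, "ok: " + ",".join(sorted(params))


if __name__ == "__main__":
    # Constructed sample requests (hypothetical, not from the issue).
    for sample in (
        "/group/?q=water",
        "/group/?q=water%00",
        "/group/?sort=name%00asc&q=x",
        "/group/?%00q=x",
    ):
        print(sample, "->", handle_request(sample))
```

Running the block prints a 200 for the clean request and a 400 for each request carrying an encoded NUL. A check like this belongs at the edge, in the view or in a WSGI middleware, so that every search endpoint gets it and the database driver's exception never surfaces as a 500.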
