validate_x_trusted_proxy_header raises error if value has non-hex number #453

Open
chrismeyersfsu opened this issue Jun 11, 2024 · 1 comment · May be fixed by #454
Labels
api API related item app:lib bug Something isn't working

Comments

@chrismeyersfsu
Member

chrismeyersfsu commented Jun 11, 2024

Bug Summary

Steps to recreate

  • Make a GET request w/ the header x_trusted_proxy set to a value that is malformed i.e. foo-bar

Expected

Not to get a 500

Actual

500

  File "/awx_devel/awx/api/generics.py", line 164, in initialize_request
    if validate_x_trusted_proxy_header(request.META['HTTP_X_TRUSTED_PROXY']):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/awx/venv/awx/lib64/python3.11/site-packages/ansible_base/jwt_consumer/common/util.py", line 43, in validate_x_trusted_proxy_header
    bytes.fromhex(signature),
    ^^^^^^^^^^^^^^^^^^^^^^^^
ValueError: non-hexadecimal number found in fromhex() arg at position 2

More info

@chrismeyersfsu chrismeyersfsu linked a pull request Jun 11, 2024 that will close this issue
@AlanCoding
Member

So with the linked fix, this is expected to issue a log instead of returning a 500 error.

What is the behavior expectation for the request? The return False means that the header is "not validated". Where is this used from?

    if validate_x_trusted_proxy_header(request.META['HTTP_X_TRUSTED_PROXY']):
        headers.insert(0, 'HTTP_X_FORWARDED_FOR')
        headers.insert(0, 'HTTP_X_ENVOY_EXTERNAL_ADDRESS')

So these headers won't get added when the signature isn't valid...

@AlanCoding AlanCoding added api API related item app:lib bug Something isn't working labels Jun 18, 2024
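
The behaviour discussed in this thread, as an added sketch that is not the project's code or the linked fix: a malformed value such as foo-bar is logged and treated as "not validated", so the caller fails closed and never consults the forwarded-address headers. Assumptions: the value has the form `<timestamp>-<hex signature>`, HMAC-SHA256 with a constructed key stands in for the library's real signature check, timestamp freshness is not checked, and `sign`, `validate_header` and `remote_host_headers` are hypothetical names.

```python
import hashlib
import hmac
import logging

logger = logging.getLogger(__name__)

# Constructed demo key (assumption); the real library uses its own key material.
DEMO_KEY = b"constructed-demo-key"


def sign(timestamp: str, key: bytes = DEMO_KEY) -> str:
    """Build a header value of the assumed form '<timestamp>-<hex signature>'."""
    mac = hmac.new(key, timestamp.encode(), hashlib.sha256).hexdigest()
    return f"{timestamp}-{mac}"


def validate_header(value: str, key: bytes = DEMO_KEY) -> bool:
    """Return True only for a well-formed, correctly signed value; never raise."""
    try:
        timestamp, signature = value.split("-", 1)  # ValueError if no '-'
        sig_bytes = bytes.fromhex(signature)        # ValueError on e.g. 'bar'
        message = timestamp.encode()                # UnicodeEncodeError is a ValueError
    except (AttributeError, ValueError):
        # The header is client-controlled: reject and log instead of a 500.
        logger.warning("malformed trusted-proxy header rejected")
        return False
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # Constant-time comparison; a wrong signature is simply "not validated".
    return hmac.compare_digest(sig_bytes, expected)


def remote_host_headers(meta: dict, configured: list) -> list:
    """Caller shaped like the snippet quoted above: forwarded headers are
    prepended only when the proxy header validates (fail closed)."""
    headers = list(configured)
    if "HTTP_X_TRUSTED_PROXY" in meta and validate_header(meta["HTTP_X_TRUSTED_PROXY"]):
        headers.insert(0, "HTTP_X_FORWARDED_FOR")
        headers.insert(0, "HTTP_X_ENVOY_EXTERNAL_ADDRESS")
    return headers


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample requests: the malformed value from the report, then a valid one.
    print(remote_host_headers({"HTTP_X_TRUSTED_PROXY": "foo-bar"}, ["REMOTE_ADDR"]))
    print(remote_host_headers({"HTTP_X_TRUSTED_PROXY": sign("1718064000")}, ["REMOTE_ADDR"]))
```
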