•  
      request #13732 Get HTML garbage when Api Key is not valid
    Infos
    #13732
    Nicolas Terray (nterray)
    2019-08-20 14:30
    2019-08-07 18:04
    14138
    Details
    Get HTML garbage when Api Key is not valid

    Given the following curl command using a wrong API key, users will get HTML garbage.

    curl 'https://tuleap-web.tuleap-aio-dev.docker/uploads/frs/file/1' -H 'X-Auth-AccessKey: tlp-k1-7.2c3ba8187f202ec2a6962a972f6ebebb9f5b3278ce563b66d9e77320f65f0fd' -H 'Tus-Resumable: 1.0.0' -k \
           -H 'Upload-Offset: 0' \
           -H 'Content-Type: application/offset+octet-stream' \
           -H 'Content-Length: 12'  \
           -H 'X-Http-Method-Override: PATCH' \
           --data-binary "123456789012"


    Furthermore we get this in the codendi_syslog:

    2019-08-07T17:57:16+02:00 [4185] [error] Caught exception: invalid hex string:
    #0 /usr/share/tuleap/src/common/User/AccessKey/AccessKeySerializer.php(47): sodium_hex2bin()
    #1 /usr/share/tuleap/src/common/REST/UserManager.class.php(181): Tuleap\User\AccessKey\AccessKeySerializer->getSplitToken()
    #2 /usr/share/tuleap/src/common/REST/UserManager.class.php(150): Tuleap\REST\UserManager->getUserFromAccessKey()
    #3 /usr/share/tuleap/src/common/REST/UserManager.class.php(118): Tuleap\REST\UserManager->getUserFromTuleapRESTAuthenticationFlows()
    #4 /usr/share/tuleap/src/common/REST/RESTCurrentUserMiddleware.php(54): Tuleap\REST\UserManager->getCurrentUser()
    #5 /usr/share/tuleap/src/common/Http/Server/MiddlewareDispatcher.php(52): Tuleap\REST\RESTCurrentUserMiddleware->process()
    #6 /usr/share/tuleap/src/common/Http/Server/SessionWriteCloseMiddleware.php(35): Tuleap\Http\Server\MiddlewareDispatcher->handle()
    #7 /usr/share/tuleap/src/common/Http/Server/MiddlewareDispatcher.php(52): Tuleap\Http\Server\SessionWriteCloseMiddleware->process()
    #8 /usr/share/tuleap/src/common/Request/DispatchablePSR15Compatible.php(61): Tuleap\Http\Server\MiddlewareDispatcher->handle()
    #9 /usr/share/tuleap/src/common/Request/FrontRouter.php(222): Tuleap\Request\DispatchablePSR15Compatible->process()
    #10 /usr/share/tuleap/src/common/Request/FrontRouter.php(101): Tuleap\Request\FrontRouter->routeHandler()
    #11 /usr/share/tuleap/src/www/index.php(46): Tuleap\Request\FrontRouter->route()
    #12 {main}
    
    
    Empty
    API (SOAP|REST)
    Empty
    Empty
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2019-08-20
    Attachments
    Empty
    References

    List of items referenced by or referencing this item.

    Artifact Tracker v5

    Follow-ups

    • User avatar
      Integrated into Tuleap 11.4.99.215

      • Status changed from Under review to Closed
      • Connected artifacts
      • Close date set to 2019-08-20
    • User avatar
      Fix can be reviewed here: gerrit #15720.

      • Status changed from Verified to Under review
    • User avatar
      The "garbage" is the error page got in case of a fatal error. The error management in Tuleap needs some work but in this specific case there is no good solution to what should be returned to the user since you did not set any Accept header.

      The core issue here is that we do not check (at least not in a good enough way) if we are giving something that is a hexadecimally encoded binary string before giving it to sodium_hex2bin.

      PHP documentation would benefit from a contribution to add the fact that sodium_hex2bin can throw an exception. At the moment it is not documented and it looks the stubs for various tools are not aware of it either.

      • Status changed from New to Verified
      • Assigned to changed from None to Thomas Gerbet (tgerbet)