
Exception when invalid IP address #1076

Open
antoineleclair opened this issue Feb 28, 2024 · 1 comment

Comments


antoineleclair commented Feb 28, 2024

Description
Someone sent malformed requests to try to find vulnerabilities. Some of them raised exceptions in NewRelic's code.

Expected Behavior
Not raising an exception, and letting the app handle it.

Troubleshooting or NR Diag results

Here's the complete stack trace for the exception:

Traceback (most recent call last): 
  File "/app/.heroku/python/lib/python3.12/site-packages/waitress/channel.py", line 428, in service 
    task.service() 
  File "/app/.heroku/python/lib/python3.12/site-packages/waitress/task.py", line 168, in service 
    self.execute() 
  File "/app/.heroku/python/lib/python3.12/site-packages/waitress/task.py", line 434, in execute 
    app_iter = self.channel.server.application(environ, start_response) 
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
  File "/app/.heroku/python/lib/python3.12/site-packages/newrelic/api/wsgi_application.py", line 599, in _nr_wsgi_application_wrapper_ 
    transaction = WSGIWebTransaction(target_application, environ, source=wrapped) 
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
  File "/app/.heroku/python/lib/python3.12/site-packages/newrelic/api/web_transaction.py", line 692, in __init__ 
    self._request_uri = urlparse.urlparse(self._request_uri)[2] 
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
  File "/app/.heroku/python/lib/python3.12/urllib/parse.py", line 395, in urlparse 
    splitresult = urlsplit(url, scheme, allow_fragments) 
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
  File "/app/.heroku/python/lib/python3.12/urllib/parse.py", line 500, in urlsplit 
    _check_bracketed_host(bracketed_host) 
  File "/app/.heroku/python/lib/python3.12/urllib/parse.py", line 446, in _check_bracketed_host 
    ip = ipaddress.ip_address(hostname) # Throws Value Error if not IPv6 or IPv4 
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
  File "/app/.heroku/python/lib/python3.12/ipaddress.py", line 54, in ip_address 
    raise ValueError(f'{address!r} does not appear to be an IPv4 or IPv6 address') 
ValueError: "'xwork.MethodAccessor.denyMethodExecution'" does not appear to be an IPv4 or IPv6 address 

It's probably irrelevant, but the HTTP request was

GET //${#context['xwork.MethodAccessor.denyMethodExecution']=!(#_memberAccess['allowStaticMethodAccess']=true),(@java.lang.Runtime@getRuntime()).exec('ipconfig').waitFor()}.action

The stack trace seems to point to this line:

self._request_uri = urlparse.urlparse(self._request_uri)[2]

As I mentioned above, the request was malformed intentionally by an attacker. It looks like they sent "'xwork.MethodAccessor.denyMethodExecution'" for the IP address and it crashed when NewRelic tried to parse it.

Steps to Reproduce
I'm not sure how to forge a request like this and/or where that fake IP address is taken from, but it would probably reproduce the issue.

Your Environment
It's a Python web app, with the Pyramid web framework, running with Waitress (HTTP server) on Heroku, behind Fastly. Python 3.12.1.

We run the app with newrelic-admin run-program python path/to/app.py.
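The traceback above shows the path that produces the exception: `urlsplit` treats a request URI that begins with `//` as having a network-location part, and when that part contains a `[...]` segment it hands the bracket contents to `_check_bracketed_host`, which accepts only an IPv4/IPv6 literal. The following is an added example, not code from the New Relic agent or from the issue author, that reproduces the same class of failure on constructed, harmless URIs and shows one defensive way to take the path component without letting `ValueError` escape into the instrumented application. The function names (`parse_raises`, `safe_request_path`, `classify`) and the sample URIs are assumptions made for this illustration; the fallback strategy is one option, not the agent's actual fix.

```python
# Added example (not from the New Relic agent or the issue author).
# Demonstrates why urllib.parse.urlparse() can raise ValueError on a hostile
# request line, and a wrapper that extracts the path without propagating it.
from urllib.parse import urlparse

# Constructed sample request URIs (not real traffic). The bracketed entries
# stand in for the hostile request in the issue: "//" makes urlsplit look for
# a netloc, and a "[...]" segment inside it is validated as an IP literal.
SAMPLE_URIS = [
    "/index.html?x=1",          # ordinary request, parses fine everywhere
    "//[::1]/ok",               # valid IPv6 literal, parses fine
    "//[not-an-ip]/anything",   # rejected by newer Pythons' bracketed-host check
    "//[/broken",               # unmatched bracket: "Invalid IPv6 URL" on all versions
]


def parse_raises(uri: str) -> bool:
    """Return True if this interpreter's urlparse() rejects the URI with ValueError."""
    try:
        urlparse(uri)
        return False
    except ValueError:
        return True


def safe_request_path(request_uri: str) -> str:
    """Return the path component the way the agent does (urlparse(...)[2]),
    but never let ValueError escape. On a rejected URI, fall back to trimming
    the query and fragment by hand so the transaction can still be recorded
    and the application gets to decide what to do with the request."""
    try:
        return urlparse(request_uri)[2]
    except ValueError:
        # Hypothetical fallback: keep everything before the first '?' or '#'.
        return request_uri.split("?", 1)[0].split("#", 1)[0]


def classify(uris):
    """Map each URI to 'rejected' or 'parsed' for the running interpreter,
    useful for checking which inputs would have crashed the wrapper's caller."""
    return {u: ("rejected" if parse_raises(u) else "parsed") for u in uris}


if __name__ == "__main__":
    for uri, verdict in classify(SAMPLE_URIS).items():
        print(f"{verdict:8s} {uri!r:32s} -> path {safe_request_path(uri)!r}")
```

Whether the `[not-an-ip]` sample is rejected depends on the Python version (the traceback here is from 3.12, which has the bracketed-host check); the unmatched-bracket sample is rejected by every version, so it always exercises the fallback branch.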

antoineleclair (Author) commented

I just wanted to mention that this is still an issue. Someone forging a request just triggered the error again. We're currently on Python 3.12.3, with NewRelic 9.10.0.
