Yelp / fuzz-lightyear

A pytest-inspired, DAST framework, capable of identifying vulnerabilities in a distributed, micro-service ecosystem through chaos engineering testing and stateful, Swagger fuzzing.

Kinto returns HTTP 500 on request with big 'cache_expires' #66

Closed AlexB1986 closed 3 years ago

AlexB1986 commented 3 years ago

Steps to reproduce

docker run -p 8888:8888 kinto/kinto-server

First request

POST /v1/buckets HTTP/1.1
Host: 127.0.0.1:8888
Authorization: Basic YWRtaW46czNjcjN0
Content-Type: application/json
Content-Length: 222

{"data": {"collection:schema": {}, "group:schema": {}, "record:schema": {}}, "permissions": {"collection:create": ["write_account"], "group:create": ["write_account"], "read": ["read_account"], "write": ["write_account"]}}

First response

{
    "permissions": {
        "read": [
            "read_account"
        ],
        "write": [
            "account:admin",
            "write_account"
        ],
        "collection:create": [
            "write_account"
        ],
        "group:create": [
            "write_account"
        ]
    },
    "data": {
        "collection:schema": {},
        "group:schema": {},
        "record:schema": {},
        "id": "6wjNy_Vl",
        "last_modified": 1607584226615
    }
}

Second request

POST /v1/buckets/6wjNy_Vl/collections HTTP/1.1
Host: 127.0.0.1:8888
Authorization: Basic YWRtaW46czNjcjN0
Content-Type: application/json
Content-Length: 159

{"data": {"cache_expires": 1111111111111111111111, "schema": {}}, "permissions": {"read": ["read_account"], "record:create": null, "write": ["write_account"]}}

Second response -- 500 Internal Server Error

{
    "code": 500,
    "errno": 999,
    "error": "Internal Server Error",
    "message": "A programmatic error occured, developers have been informed.",
    "info": "https://github.com/Kinto/kinto/issues/"
}

AlexB1986 commented 3 years ago

It is actually an issue for https://github.com/Kinto/kinto/issues