Closed kkocel closed 2 years ago
Could you elaborate more about cases where the incoming Alexa Request cannot be Deserialized?
Could you elaborate more about cases where the incoming Alexa Request cannot be Deserialized?
@doiron We are participating in private beta and we deal with requests that are not present in model package
After syncing with the team we decided not to go ahead with this solution as it does validate that the request is in-fact a RequestEnvelope. This add extra layers of protection and will deny requests that have extra ( potentially malicious ) json parameters.
Could you elaborate more about cases where the incoming Alexa Request cannot be Deserialized?
@doiron We are participating in private beta and we deal with requests that are not present in model package
In this case, you would need to have the updated SDK that adds the Beta feature support. Otherwise the skill should not be accepting the request.
@doiron
After syncing with the team we decided not to go ahead with this solution as it does validate that the request is in-fact a RequestEnvelope. This add extra layers of protection and will deny requests that have extra ( potentially malicious ) json parameters.
There are two types of vaildators in the SDK - one that validates request signature and the one that validates the timestamp. Both are used to validate the request. So there is no possibility to pass a request that is malicious (unless there is a request signed by Amazon that is malicious).
Even if the request has extra json parameters they will be discarded by Jackson deserialization - because Jackson deserializes json into a well defined Java object.
Having this knowledge maybe team can reconsider?
Could you elaborate more about cases where the incoming Alexa Request cannot be Deserialized?
@doiron We are participating in private beta and we deal with requests that are not present in model package
In this case, you would need to have the updated SDK that adds the Beta feature support. Otherwise the skill should not be accepting the request.
Ok, so I would like to get the thin jar containing model package only for the beta we are participating in. We do not want uber/fat jar since dealing with it is maintainability nightmare. We will pass this request through our solution architect as well.
There are two types of validators in the SDK - one that validates request signature and the one that validates the timestamp. Both are used to validate the request. So there is no possibility to pass a request that is malicious (unless there is a request signed by Amazon that is malicious).
Even if the request has extra json parameters they will be discarded by Jackson deserialization - because Jackson deserializes json into a well defined Java object.
Having this knowledge maybe team can reconsider?
Furthermore, this change would need to:
Since this would take a while for us to prioritize and sort out, I've compiled a jar file to unblock you in the interim, let us know how that works out.
thanks again for working on this.
I left an issue for this: #326
Description
Instead of using a full request just created an essential request class that has fields that are only needed.
Motivation and Context
When an unknown request type comes to the validator it fails because it cannot be deserialized. By introducing
GenericTimestampRequest
this problem is avoided. For validation, a timestamp is only needed andGenericTimestampRequest
provides only that information.Testing
Types of changes
Checklist
License