canonical / ubuntu-com-security-api

The API for CVEs and USNs data.

API response not in plain text format #135

Open tsarquis88 opened 9 months ago

tsarquis88 commented 9 months ago

Summary

I'm working on an application that consumes the Canonical security API. The interaction between the application and the API had been working flawlessly for several months (a year, maybe) until last week, when the API started to respond with a binary payload.

The application is written in C++ and uses libcurl to perform the HTTP queries. The API URL from which the content is downloaded is https://ubuntu.com/security/cves.json.

IMPORTANT: the binary payload is not returned every time, but at random. Sometimes the payload has the expected format (JSON) and sometimes it is binary. Anyway, if I try to download the whole security feed by performing several HTTP queries, it is very likely that one of them will receive the binary payload.

Apparently, the binary payload comes compressed in br format. In the image below you can see the HTTP headers from the server response: on the left, when the payload comes in JSON format, and on the right, when the payload comes in binary format.

If I try to decompress it with brotli, I get:

# brotli -d outputfile.br 
corrupt input [outputfile.br]

Payload example: outputfile.gz

% file outputfile 
outputfile: Applesoft BASIC program data, first line number 15

Process

n/a

Current and expected result

Expected results: Payload always in JSON format.

Current results: a binary payload is received at random.
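The report above boils down to a client that sometimes receives a `Content-Encoding: br` response and feeds the raw bytes to its JSON parser. The example below is added here and is not code from the issue reporter or from the ubuntu-com-security-api project; it shows the check a libcurl-based client should make on every response before parsing it: read the Content-Encoding header, treat anything other than identity as still-encoded bytes, sniff for an undeclared gzip stream, and only then confirm the body looks like JSON. The `HttpResponse` struct, `parseResponse`, `classify` and the three `k*Response` strings are hypothetical names, and the responses are constructed for the example, not real captures from ubuntu.com.

```cpp
// Added example, not code from the issue or from ubuntu-com-security-api:
// classify a raw HTTP response before its body is handed to a JSON parser.
#include <algorithm>
#include <cctype>
#include <cstdlib>
#include <iostream>
#include <map>
#include <string>

struct HttpResponse {
    int status = 0;
    std::map<std::string, std::string> headers;  // header names stored lower-cased
    std::string body;
};

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static std::string trim(const std::string& s) {
    const size_t b = s.find_first_not_of(" \t\r\n");
    if (b == std::string::npos) return "";
    const size_t e = s.find_last_not_of(" \t\r\n");
    return s.substr(b, e - b + 1);
}

// Split "HTTP/1.1 200 OK\r\nName: value\r\n...\r\n\r\nbody" into its parts.
HttpResponse parseResponse(const std::string& raw) {
    HttpResponse r;
    const size_t hdrEnd = raw.find("\r\n\r\n");
    const std::string head = (hdrEnd == std::string::npos) ? raw : raw.substr(0, hdrEnd);
    r.body = (hdrEnd == std::string::npos) ? "" : raw.substr(hdrEnd + 4);
    size_t pos = 0;
    bool statusLine = true;
    for (;;) {
        const size_t nl = head.find("\r\n", pos);
        const std::string line = head.substr(pos, nl == std::string::npos ? std::string::npos : nl - pos);
        if (statusLine) {  // "HTTP/1.1 200 OK" -> 200
            const size_t sp = line.find(' ');
            if (sp != std::string::npos) r.status = std::atoi(line.c_str() + sp + 1);
            statusLine = false;
        } else {
            const size_t colon = line.find(':');
            if (colon != std::string::npos)
                r.headers[toLower(trim(line.substr(0, colon)))] = trim(line.substr(colon + 1));
        }
        if (nl == std::string::npos) break;
        pos = nl + 2;
    }
    return r;
}

// Encoding the client must undo before the body is text; absent or empty means identity.
std::string contentEncoding(const HttpResponse& r) {
    auto it = r.headers.find("content-encoding");
    if (it == r.headers.end()) return "identity";
    const std::string enc = toLower(it->second);
    return enc.empty() ? "identity" : enc;
}

// gzip starts with 1f 8b, so an undeclared (or undecoded) gzip body can be spotted.
// brotli has no magic number: only the Content-Encoding header reveals it.
bool looksGzip(const std::string& body) {
    return body.size() >= 2 && static_cast<unsigned char>(body[0]) == 0x1f &&
           static_cast<unsigned char>(body[1]) == 0x8b;
}

// Cheap sanity check: a JSON document starts with '{' or '[' after optional whitespace.
bool looksLikeJson(const std::string& body) {
    for (char c : body) {
        if (c == ' ' || c == '\t' || c == '\r' || c == '\n') continue;
        return c == '{' || c == '[';
    }
    return false;
}

enum class Verdict { Json, NeedsDecoding, NotJson };

// What the application should do with the body it just received.
Verdict classify(const HttpResponse& r) {
    if (contentEncoding(r) != "identity") return Verdict::NeedsDecoding;  // br, gzip, ... still encoded
    if (looksGzip(r.body)) return Verdict::NeedsDecoding;                 // undeclared gzip stream
    return looksLikeJson(r.body) ? Verdict::Json : Verdict::NotJson;
}

// Constructed responses for the example (not real captures from ubuntu.com).
const std::string kJsonResponse =
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{\"cves\": []}";
const std::string kBrResponse =
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nContent-Encoding: br\r\n\r\n\x8b\x02\x80";
const std::string kGzipResponse =
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n\x1f\x8b\x08";

int main() {
    for (const std::string* raw : {&kJsonResponse, &kBrResponse, &kGzipResponse}) {
        const HttpResponse r = parseResponse(*raw);
        std::cout << r.status << " encoding=" << contentEncoding(r)
                  << " verdict=" << static_cast<int>(classify(r)) << "\n";
    }
    return 0;
}
```

With libcurl the usual fix for the NeedsDecoding case is to set `CURLOPT_ACCEPT_ENCODING` to `""`, which makes libcurl advertise every encoding it was built with and decode the body transparently before the write callback sees it; brotli is only covered when libcurl was linked against the brotli library. Without that option libcurl delivers the body bytes exactly as the server sent them, so a `Content-Encoding: br` response reaches the application still compressed. Note also that `file` has no signature for brotli, so its "Applesoft BASIC program data" guess says nothing about what the bytes are.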