ethyca / fides

The Privacy Engineering & Compliance Framework
https://ethyca.com/docs
Apache License 2.0

Missing Validation In Messaging Configuration Inputs #3065

Open RobertKeyser opened 1 year ago

RobertKeyser commented 1 year ago

Bug Description

The input for the details of Messaging config does not validate input. For example, the following payloads to /api/v1/messaging/default are not validated and are allowed to be submitted:

mailgun - an invalid domain name may be passed

{
    "service_type": "mailgun",
    "details": {
        "domain": "this is an invalid domain" 
    }
}

sendgrid - an invalid email (here, just a domain name without an address) may be passed.

{
    "service_type": "twilio_email",
    "details": {
        "twilio_email_from": "example.com"
    }
}

Steps to Reproduce

  1. Launch an instance of Fides
  2. Try to create a twilio_email messaging configuration, but pass in a domain name instead of an email address
  3. Send a test email and receive an error

Expected behavior

Instead of creating the resource, the Fides webserver should return a 400 error.

Additional context

I discovered this issue when I accidentally passed a domain name to the twilio_email_from field instead of an email. Fides allowed the input and then when I went to send a test email, I received the following error: There was an error sending the test message: Email failed to send due to: HTTP Error 400: Bad Request. The subsequent error message appears to be caused by passing an invalid from email to Sendgrid.
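
An added example (not part of the original issue and not Fides' own code): one way to check the two payloads above server-side before the resource is created, so that a non-empty error list maps to the 400 response described under "Expected behavior". The function names and error strings are hypothetical, the checks are syntactic only, and only the fields named in the issue are covered.

```python
import re

# One DNS label: 1-63 chars, letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
# Local part: no whitespace, no "@"; deliberately stricter than RFC 5322.
_LOCAL = re.compile(r"[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]{1,64}")


def is_valid_domain(value):
    """Syntactic hostname check: at least two valid labels, 253 chars max."""
    if not isinstance(value, str) or not 0 < len(value) <= 253:
        return False
    labels = value.split(".")
    return len(labels) >= 2 and all(_LABEL.fullmatch(label) for label in labels)


def is_valid_email(value):
    """Syntactic address check: exactly one '@', valid local part and domain."""
    if not isinstance(value, str) or value.count("@") != 1:
        return False
    local, domain = value.split("@")
    return bool(_LOCAL.fullmatch(local)) and is_valid_domain(domain)


# Checks keyed by service_type (hypothetical table; other types pass unchecked).
FIELD_CHECKS = {
    "mailgun": {"domain": is_valid_domain},
    "twilio_email": {"twilio_email_from": is_valid_email},
}


def validate_messaging_config(payload):
    """Return a list of error strings; a non-empty list should map to HTTP 400."""
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"]
    service = payload.get("service_type")
    if not isinstance(service, str):
        return ["service_type must be a string"]
    details = payload.get("details")
    if not isinstance(details, dict):
        return ["details must be an object"]
    checks = FIELD_CHECKS.get(service, {})
    # Fields absent from details are skipped; whether they are required is
    # not stated in the issue, so that decision is left out of this sketch.
    return [f"details.{name}: invalid value"
            for name, check in checks.items()
            if name in details and not check(details[name])]
```

Passing these checks does not prove the address or domain is deliverable or authorized at the provider, so the error path for a failed test send is still needed.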

rsilvery commented 1 year ago

@Roger-Ethyca can we confirm if this is still an issue? Will file a bug in PROD if so.