freelawproject / courtlistener

A fully-searchable and accessible archive of court data including growing repositories of opinions, oral arguments, judges, judicial financial records, and federal filings.
https://www.courtlistener.com
532 stars, 147 forks

Validate court_ids on coverage_data_opinions API endpoint #4415

Closed albertisfu closed 1 week ago

albertisfu commented 1 week ago

We have a couple of related Sentry issues:

https://freelawproject.sentry.io/issues/5777983605/
https://freelawproject.sentry.io/issues/5777981537/

In these cases, the coverage API api/rest/v4/coverage/opinions/ received invalid parameters, such as:

- `/api/rest/v4/coverage/opinions/91d8cjrn5woy.jsp`
- `/api/rest/v4/coverage/opinions/` (no court_ids)
- `/api/rest/v4/coverage/opinions/?court_ids=1 PROCEDURE ANALYSE(EXTRACTVALUE(9859,CONCAT(0x5c,(BENCHMARK(110000000,MD5(0x7562756f))))),1)--` (someone attempted to perform SQL injection)

These issues cause either the court_ids parsing to fail or the Solr request to break.

The solution should be easy: validate the presence of court_ids and ensure their content is correct before passing them to Solr/ES.
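As an added example (not the project's own code), here is a stand-alone Python validator for the `court_ids` query parameter along the lines the issue proposes: require the parameter, accept only ids that match a strict format and appear in an allowlist of known courts, and build the Solr/ES filter only from ids that passed. The id pattern, the court list, the cap on the number of ids and the filter syntax are assumptions constructed for the example; the real project would load court ids from its database. The first request above (`.../91d8cjrn5woy.jsp`) is a URL-routing mismatch rather than a bad parameter, so it is outside what this validator handles.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical allowlist of known court ids, constructed for this example.
# In the project this would come from the Court table.
KNOWN_COURT_IDS = frozenset({"scotus", "ca1", "ca9", "cand", "nysd", "txed"})

# Assumed format of a single court id: short, lowercase letters and digits only.
# Spaces, parentheses, quotes and SQL keywords can never match, so hostile input
# such as "1 PROCEDURE ANALYSE(...)" is rejected before any query is built.
COURT_ID_RE = re.compile(r"^[a-z0-9]{1,15}$")

# Constructed upper bound so one request cannot produce an arbitrarily large filter.
MAX_COURT_IDS = 200


@dataclass
class ValidationResult:
    ok: bool
    court_ids: list = field(default_factory=list)
    error: Optional[str] = None


def validate_court_ids(raw: Optional[str]) -> ValidationResult:
    """Validate the raw court_ids query value.

    The caller should answer HTTP 400 with `error` when `ok` is False and
    only contact Solr/ES when `ok` is True.
    """
    if raw is None or not raw.strip():
        return ValidationResult(False, error="court_ids parameter is required")

    parts = [p.strip() for p in raw.split(",")]
    parts = [p for p in parts if p]
    if not parts:
        return ValidationResult(False, error="court_ids must contain at least one id")
    if len(parts) > MAX_COURT_IDS:
        return ValidationResult(False, error=f"too many court_ids (max {MAX_COURT_IDS})")

    # Format check first: report a count rather than echoing attacker-controlled text.
    bad_format = [p for p in parts if not COURT_ID_RE.match(p)]
    if bad_format:
        return ValidationResult(
            False, error=f"{len(bad_format)} court_ids have an invalid format"
        )

    # Allowlist check: these values already match the safe pattern, so they can be echoed.
    unknown = sorted(set(parts) - KNOWN_COURT_IDS)
    if unknown:
        return ValidationResult(False, error=f"unknown court_ids: {', '.join(unknown)}")

    # Deduplicate while keeping request order so the resulting filter is deterministic.
    seen = set()
    ordered = []
    for p in parts:
        if p not in seen:
            seen.add(p)
            ordered.append(p)
    return ValidationResult(True, ordered)


def build_court_filter(court_ids: list) -> str:
    """Build an assumed Solr-style filter from ids that already passed validation."""
    return "court_id:(" + " OR ".join(court_ids) + ")"


if __name__ == "__main__":
    # Constructed inputs mirroring the requests reported in the issue.
    for raw in (None, "scotus,ca9,scotus", "1 PROCEDURE ANALYSE(EXTRACTVALUE(9859,CONCAT(0x5c,1)),1)--"):
        result = validate_court_ids(raw)
        print(repr(raw), "->", result.ok, result.error or build_court_filter(result.court_ids))
```

The order of the checks matters: the format check runs before the allowlist comparison so that an error message never reflects unvalidated input back to the client, and the filter string is assembled only from ids that are both well-formed and known.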

sentry-io[bot] commented 1 week ago

Sentry Issue: COURTLISTENER-836

sentry-io[bot] commented 1 week ago

Sentry Issue: COURTLISTENER-837

mlissner commented 1 week ago

Huh. I'm going to just mark Sentry as resolved. We can ignore people messing around with our APIs, I think, unless they go wild.