Closed albertisfu closed 1 week ago
We have a couple of related Sentry issues:
https://freelawproject.sentry.io/issues/5777983605/
https://freelawproject.sentry.io/issues/5777981537/
In these cases, the coverage API api/rest/v4/coverage/opinions/ received invalid parameters, such as:
- /api/rest/v4/coverage/opinions/91d8cjrn5woy.jsp
- /api/rest/v4/coverage/opinions/ (no court_ids)
- /api/rest/v4/coverage/opinions/?court_ids=1 PROCEDURE ANALYSE(EXTRACTVALUE(9859,CONCAT(0x5c,(BENCHMARK(110000000,MD5(0x7562756f))))),1)-- (someone attempted to perform SQL injection)
These issues cause either the court_ids parsing to fail or the Solr request to break.
The solution should be as easy as validating the presence of court_ids and ensuring their content is correct before passing them to Solr/ES.
Sentry Issue: COURTLISTENER-836
Sentry Issue: COURTLISTENER-837
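One way to do the validation the issue asks for, as an added example that is not CourtListener's own code: an allowlist parser for the court_ids query parameter that rejects a missing value and any token outside a conservative slug pattern before anything reaches the Solr/ES query builder. It assumes court ids are short lowercase alphanumeric slugs passed comma-separated; the sample requests are constructed from the URLs in the issue.

```python
import re

# Assumption (not CourtListener's own rule): a court id is a short lowercase
# alphanumeric slug such as "scotus" or "ca9", and court_ids is comma-separated.
COURT_ID_RE = re.compile(r"^[a-z0-9]{1,20}$")
MAX_COURT_IDS = 100


class InvalidCourtIds(ValueError):
    """Raised when court_ids is missing, empty, or contains a malformed value."""


def parse_court_ids(query_params: dict) -> list[str]:
    """Return a validated, de-duplicated list of court ids from the query params.

    Fails closed: a missing/empty parameter or any token that does not match
    the allowlist raises, so unvalidated input never reaches the search backend.
    """
    raw = query_params.get("court_ids")
    if raw is None or not raw.strip():
        raise InvalidCourtIds("court_ids is required")
    tokens = [t.strip() for t in raw.split(",")]
    if len(tokens) > MAX_COURT_IDS:
        raise InvalidCourtIds(f"too many court_ids (max {MAX_COURT_IDS})")
    bad = [t for t in tokens if not COURT_ID_RE.fullmatch(t)]
    if bad:
        # Name the rejected values in the error for logging; they are never
        # interpolated into a query string.
        raise InvalidCourtIds(f"invalid court id(s): {bad!r}")
    return list(dict.fromkeys(tokens))  # drop duplicates, keep order


def validation_outcome(query_params: dict) -> str:
    """Map a request's query params to an 'ok:' or 'rejected:' summary."""
    try:
        return "ok:" + ",".join(parse_court_ids(query_params))
    except InvalidCourtIds as exc:
        return "rejected:" + str(exc)


# Constructed from the requests quoted in the issue. The .jsp path and the
# bare path both arrive with no court_ids parameter at all.
SAMPLE_REQUESTS = {
    "jsp_path": {},
    "no_court_ids": {},
    "sqli_attempt": {"court_ids": "1 PROCEDURE ANALYSE(EXTRACTVALUE(9859,"
                     "CONCAT(0x5c,(BENCHMARK(110000000,MD5(0x7562756f))))),1)--"},
    "well_formed": {"court_ids": "scotus, ca9, scotus"},
}

if __name__ == "__main__":
    for name, params in SAMPLE_REQUESTS.items():
        print(f"{name}: {validation_outcome(params)}")
```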
Huh. I'm going to just mark Sentry as resolved. We can ignore people messing around with our APIs, I think, unless they go wild.