Server should not have let user store float value

[leplatrem]

The data below was posted successfully on the server, whereas the server should have rejected it because it contains a float value (see lineHeight: 1.25).

We know that our javascript canonicaljson implementation does not serialize floats the same way as our Rust one, and that's why we have a Pyramid listener that should prevent users to post float values.

{"permissions":{},"data":{"slug":"covered-regular-eco2204","appId":"firefox-desktop","appName":"firefox_desktop","channel":"release","endDate":null,"branches":[{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"id":"covered-regular-eco2204:control","groups":["eco"],"content":{"id":"covered-regular-eco2204:control","screens":[{"id":"PIN","content":{"logo":{"height":"125px","imageURL":"chrome://activity-stream/content/data/content/assets/remote/umbrella.png"},"title":{"fontSize":"32px","string_id":"spotlight-peace-mind-header","fontWeight":400,"letterSpacing":"-.01em"},"subtitle":{"raw":"Every month, Firefox blocks an average of 3,000+ trackers per user. Because nothing, especially privacy nuisances, should stand between you and the good internet.","fontSize":"13px","lineHeight":1.25,"marginBlock":"4px 12px","letterSpacing":0,"paddingInline":"12px"},"title_style":"fancy slim","primary_button":{"label":{"string_id":"fx100-thank-you-pin-primary-button-label","paddingBlock":"8px"},"action":{"type":"PIN_FIREFOX_TO_TASKBAR","navigate":true}},"secondary_button":{"label":{"string_id":"mr1-onboarding-set-default-secondary-button-label","marginBlock":"-4px -28px"},"action":{"navigate":true}}}}],"backdrop":"transparent","template":"multistage","transitions":true},"trigger":{"id":"defaultBrowserCheck"},"priority":1,"template":"spotlight","frequency":{"lifetime":1},"targeting":"source == 'startup' && !isMajorUpgrade && !activeNotifications"},"enabled":true,"featureId":"spotlight"}]},{"slug":"treatment-a","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"id":"covered-regular-eco2204:treatment-a","groups":["eco"],"content":{"id":"covered-regular-eco2204:treatment-a","screens":[{"id":"PIN","content":{"logo":{"height":"125px","imageURL":""},"title":{"fontSize":"32px","string_id":"spotlight-peace-mind-header","fontWeight":400,"letterSpacing":"-.01em"},"subtitle":{"raw":"Every month, Firefox blocks an average of 3,000+ trackers per user. Because nothing, especially privacy nuisances, should stand between you and the good internet.","fontSize":"13px","lineHeight":1.25,"marginBlock":"4px 12px","letterSpacing":0,"paddingInline":"12px"},"background":"url(https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/db41ce36-30a3-482b-8235-824ee1c63108.avif) top/contain no-repeat var(--in-content-page-background)","title_style":"fancy slim","primary_button":{"label":{"string_id":"fx100-thank-you-pin-primary-button-label","paddingBlock":"8px"},"action":{"type":"PIN_FIREFOX_TO_TASKBAR","navigate":true}},"secondary_button":{"label":{"string_id":"mr1-onboarding-set-default-secondary-button-label","marginBlock":"-4px -28px"},"action":{"navigate":true}}}}],"backdrop":"transparent","template":"multistage","transitions":true},"trigger":{"id":"defaultBrowserCheck"},"priority":1,"template":"spotlight","frequency":{"lifetime":1},"targeting":"source == 'startup' && !isMajorUpgrade && !activeNotifications"},"enabled":true,"featureId":"spotlight"}]},{"slug":"treatment-b","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"id":"covered-regular-eco2204:treatment-b","groups":["eco"],"content":{"id":"covered-regular-eco2204:treatment-b","screens":[{"id":"PIN","content":{"logo":{"height":"125px","imageURL":""},"title":{"fontSize":"32px","string_id":"spotlight-peace-mind-header","fontWeight":400,"letterSpacing":"-.01em"},"subtitle":{"raw":"Every month, Firefox blocks an average of 3,000+ trackers per user. Because nothing, especially privacy nuisances, should stand between you and the good internet.","fontSize":"13px","lineHeight":1.25,"marginBlock":"4px 12px","letterSpacing":0,"paddingInline":"12px"},"background":"url(https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/98e8fee5-932c-44c3-96f0-c4054cff80d7.svg) top/contain no-repeat var(--in-content-page-background)","title_style":"fancy slim","primary_button":{"label":{"string_id":"fx100-thank-you-pin-primary-button-label","paddingBlock":"8px"},"action":{"type":"PIN_FIREFOX_TO_TASKBAR","navigate":true}},"secondary_button":{"label":{"string_id":"mr1-onboarding-set-default-secondary-button-label","marginBlock":"-4px -28px"},"action":{"navigate":true}}}}],"backdrop":"transparent","template":"multistage","transitions":true},"trigger":{"id":"defaultBrowserCheck"},"priority":1,"template":"spotlight","frequency":{"lifetime":1},"targeting":"source == 'startup' && !isMajorUpgrade && !activeNotifications"},"enabled":true,"featureId":"spotlight"}]},{"slug":"treatment-c","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"id":"covered-regular-eco2204:treatment-c","groups":["eco"],"content":{"id":"covered-regular-eco2204:treatment-c","screens":[{"id":"PIN","content":{"logo":{"height":"125px","imageURL":""},"title":{"fontSize":"32px","string_id":"spotlight-peace-mind-header","fontWeight":400,"letterSpacing":"-.01em"},"subtitle":{"raw":"Every month, Firefox blocks an average of 3,000+ trackers per user. Because nothing, especially privacy nuisances, should stand between you and the good internet.","fontSize":"13px","lineHeight":1.25,"marginBlock":"4px 12px","letterSpacing":0,"paddingInline":"12px"},"background":"url(https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/aab03374-976c-4fb4-993e-3233f0554d74.svg) top/contain no-repeat var(--in-content-page-background)","title_style":"fancy slim","primary_button":{"label":{"string_id":"fx100-thank-you-pin-primary-button-label","paddingBlock":"8px"},"action":{"type":"PIN_FIREFOX_TO_TASKBAR","navigate":true}},"secondary_button":{"label":{"string_id":"mr1-onboarding-set-default-secondary-button-label","marginBlock":"-4px -28px"},"action":{"navigate":true}}}}],"backdrop":"transparent","template":"multistage","transitions":true},"trigger":{"id":"defaultBrowserCheck"},"priority":1,"template":"spotlight","frequency":{"lifetime":1},"targeting":"source == 'startup' && !isMajorUpgrade && !activeNotifications"},"enabled":true,"featureId":"spotlight"}]}],"outcomes":[],"arguments":{},"probeSets":[],"startDate":null,"targeting":"(userMonthlyActivity|length >= 14 && userMonthlyActivity|length <= 20 && (currentDate|date - profileAgeCreated|date) / 86400000 >= 28) && (browserSettings.update.channel == \"release\") && ('app.shield.optoutstudies.enabled'|preferenceValue) && (version|versionCompare('100.!') >= 0) && (locale in ['en-CA', 'en-GB', 'en-US'])","featureIds":["spotlight"],"application":"firefox-desktop","bucketConfig":{"count":4000,"start":3000,"total":10000,"namespace":"firefox-desktop-spotlight-release-5","randomizationUnit":"normandy_id"},"schemaVersion":"1.7.0","userFacingName":"Covered Regular ECO2204","referenceBranch":"control","proposedDuration":56,"isEnrollmentPaused":false,"proposedEnrollment":7,"userFacingDescription":"Testing various prompts to recommend pinning Firefox to the user's taskbar.","id":"covered-regular-eco2204","last_modified":1650906965020}}

[grahamalama]

Thinking out loud here:

• ~Why don't we accept floats? How else might a user represent "lineHeight": 1.25, or is that just a hard limitation of remote-settings? Would they use a string ("lineHeight": "1.25") instead?~ Edit: nvm! Read the docstring on the pull request and answered this question ✅
• Do we know if this was submitted with kinto-admin? If so, should we add front end validation for this as well?

[leplatrem]

Do we know if this was submitted with kinto-admin? If so, should we add front end validation for this as well?

If the server returns a 400, kinto-admin should show it nicely (more or less).

In this particular case, it was submitted from the experimenter server. I'm not sure how it shows up in their UI.