search

newrelic / newrelic-python-agent

New Relic Python Agent
https://docs.newrelic.com/docs/agents/python-agent
Apache License 2.0
176 stars 99 forks source link

Exception when invalid IP address #1076

Open antoineleclair opened 7 months ago

antoineleclair commented 7 months ago

Description Someone sent malformed requests to try to find vulnerabilities. Some of them raised exceptions in NewRelic's code.

Expected Behavior Not raise an exception and let the app handle it.

Troubleshooting or NR Diag results

Here's the complete stack trace for the exception:

Traceback (most recent call last): 
  File "/app/.heroku/python/lib/python3.12/site-packages/waitress/channel.py", line 428, in service 
    task.service() 
  File "/app/.heroku/python/lib/python3.12/site-packages/waitress/task.py", line 168, in service 
    self.execute() 
  File "/app/.heroku/python/lib/python3.12/site-packages/waitress/task.py", line 434, in execute 
    app_iter = self.channel.server.application(environ, start_response) 
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
  File "/app/.heroku/python/lib/python3.12/site-packages/newrelic/api/wsgi_application.py", line 599, in _nr_wsgi_application_wrapper_ 
    transaction = WSGIWebTransaction(target_application, environ, source=wrapped) 
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
  File "/app/.heroku/python/lib/python3.12/site-packages/newrelic/api/web_transaction.py", line 692, in __init__ 
    self._request_uri = urlparse.urlparse(self._request_uri)[2] 
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
  File "/app/.heroku/python/lib/python3.12/urllib/parse.py", line 395, in urlparse 
    splitresult = urlsplit(url, scheme, allow_fragments) 
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
  File "/app/.heroku/python/lib/python3.12/urllib/parse.py", line 500, in urlsplit 
    _check_bracketed_host(bracketed_host) 
  File "/app/.heroku/python/lib/python3.12/urllib/parse.py", line 446, in _check_bracketed_host 
    ip = ipaddress.ip_address(hostname) # Throws Value Error if not IPv6 or IPv4 
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
  File "/app/.heroku/python/lib/python3.12/ipaddress.py", line 54, in ip_address 
    raise ValueError(f'{address!r} does not appear to be an IPv4 or IPv6 address') 
ValueError: "'xwork.MethodAccessor.denyMethodExecution'" does not appear to be an IPv4 or IPv6 address

It's probably irrelevant, but the HTTP request was 

GET //${#context['xwork.MethodAccessor.denyMethodExecution']=!(#_memberAccess['allowStaticMethodAccess']=true),(@java.lang.Runtime@getRuntime()).exec('ipconfig').waitFor()}.action

The stack trace seems to point to this line: https://github.com/newrelic/newrelic-python-agent/blob/56fbda161ec68c63c80755caf2ff5ed1ddd84819/newrelic/api/web_transaction.py#L692

As I mentioned above, the request was malformed intentionally by an attacker. It looks like they sent "'xwork.MethodAccessor.denyMethodExecution'" for the IP address and it crashed when NewRelic tried to parse it.

Steps to Reproduce I'm not sure how to forge a request like this and/or where that fake IP address is taken from, but it would probably reproduce the issue.

Your Environment It's a Python web app, with the Pyramid web framework, running with Waitress (HTTP server) on Heroku, behind Fastly. Python 3.12.1.

We run the app with newrelic-admin run-program python path/to/app.py.

antoineleclair commented 3 months ago

I just wanted to mention that this is still an issue. Someone forging a request just triggered the error again. We're currently on Python 3.12.3, with NewRelic 9.10.0.