sipcapture / homer-app

HOMER 7.x Front-End and API Server
http://sipcapture.io
GNU Affero General Public License v3.0

Stackdump accessing API endpoints #364

Closed systemcrash closed 3 years ago

systemcrash commented 4 years ago

Homer-app = 7.7.034

May be safe to ignore this, but I am trying weird queries (read: probably invalid) to different endpoints. Here it was: /api/v3/search/call/message - with {"timestamp":{"from":1592424637000,"to":1592435437000},"param":{"search":{"5_default":{"callid":["asdf"],"uuid":[]}},"location":{},"transaction":{"call":true,"registration":false,"rest":false},"id":{},"timezone":{"value":-120,"name":"Local"}}}

Evidently search expects GetMessageByID and not by callid 🤕

echo: http: panic serving 172.16.16.1:45300: interface conversion: interface {} is nil, not float64
goroutine 424 [running]:
net/http.(*conn).serve.func1(0xc0001fe280)
    /usr/local/go/src/net/http/server.go:1772 +0x139
panic(0xcb2480, 0xc00050bd70)
    /usr/local/go/src/runtime/panic.go:975 +0x3e3
github.com/sipcapture/homer-app/data/service.(*SearchService).GetMessageByID(0xc0000a9a90, 0xc00010f920, 0xc00010f920, 0x0, 0x0, 0xc00050bcb0)
    /homer-app/data/service/search.go:510 +0x14cf
github.com/sipcapture/homer-app/controller/v1.(*SearchController).GetMessageById(0xc000099220, 0xf29ec0, 0xc00050bcb0, 0xc00050bcb0, 0xd90a80)
    /homer-app/controller/v1/search.go:105 +0xa5
github.com/sipcapture/homer-app/auth.MiddlewareRes.func1(0xf29d00, 0xc00020e3f0, 0x4, 0xcade80)
    /homer-app/auth/middleware.go:24 +0x1eb
github.com/labstack/echo/v4/middleware.JWTWithConfig.func2.1(0xf29d00, 0xc00020e3f0, 0xc00007a545, 0xda1ba4)
    /go/pkg/mod/github.com/labstack/echo/v4@v4.0.0/middleware/jwt.go:181 +0x2ff
github.com/labstack/echo/v4.(*Echo).Add.func1(0xf29d00, 0xc00020e3f0, 0xd09e01, 0xc000464a01)
    /go/pkg/mod/github.com/labstack/echo/v4@v4.0.0/echo.go:490 +0x8a
github.com/labstack/echo/v4/middleware.GzipWithConfig.func1.1(0xf29d00, 0xc00020e3f0, 0x0, 0x0)
    /go/pkg/mod/github.com/labstack/echo/v4@v4.0.0/middleware/compress.go:64 +0x58f
github.com/labstack/echo/v4/middleware.StaticWithConfig.func1.1(0xf29d00, 0xc00020e3f0, 0xdc04c9, 0x1b)
    /go/pkg/mod/github.com/labstack/echo/v4@v4.0.0/middleware/static.go:169 +0x2b9
github.com/labstack/echo/v4/middleware.CORSWithConfig.func1.1(0xf29d00, 0xc00020e3f0, 0x4, 0xc00007a545)
    /go/pkg/mod/github.com/labstack/echo/v4@v4.0.0/middleware/cors.go:117 +0x407
github.com/labstack/echo/v4.(*Echo).ServeHTTP.func1(0xf29d00, 0xc00020e3f0, 0xc000103b01, 0x849d5d)
    /go/pkg/mod/github.com/labstack/echo/v4@v4.0.0/echo.go:585 +0x108
github.com/labstack/echo/v4/middleware.RewriteWithConfig.func1.1(0xf29d00, 0xc00020e3f0, 0xc00020e3f0, 0x1c918ad3)
    /go/pkg/mod/github.com/labstack/echo/v4@v4.0.0/middleware/rewrite.go:68 +0x1ff
github.com/labstack/echo/v4.(*Echo).ServeHTTP(0xc00000a1e0, 0xf0e700, 0xc0001d82a0, 0xc00013a400)
    /go/pkg/mod/github.com/labstack/echo/v4@v4.0.0/echo.go:593 +0x222
net/http.serverHandler.ServeHTTP(0xc000110000, 0xf0e700, 0xc0001d82a0, 0xc00013a400)
    /usr/local/go/src/net/http/server.go:2807 +0xa3
net/http.(*conn).serve(0xc0001fe280, 0xf11740, 0xc000138340)
    /usr/local/go/src/net/http/server.go:1895 +0x86c
created by net/http.(*Server).Serve
    /usr/local/go/src/net/http/server.go:2933 +0x35c

adubovikov commented 4 years ago

5_default - you are trying to access RTCP data. Is that what you tried?

systemcrash commented 4 years ago

If that's what it says in the query data above, yes.

adubovikov commented 3 years ago

Any feedback here?

systemcrash commented 3 years ago

From whom? Looks like a good DoS if I can crash the binary. Not tried this recently.

lmangani commented 3 years ago

If you can reproduce this with the current release, please feel free to reopen anytime. Thanks!

systemcrash commented 3 years ago

Here you go:

homer-webapp      | Successful ping: 192.0.2.1, Type: data, Node: LocalNode
homer-webapp      | echo: http: panic serving 172.16.16.1:43290: interface conversion: interface {} is nil, not float64
homer-webapp      | goroutine 2385 [running]:
homer-webapp      | net/http.(*conn).serve.func1(0xc000362000)
homer-webapp      |     /usr/local/go/src/net/http/server.go:1801 +0x147
homer-webapp      | panic(0xd94140, 0xc0005348a0)
homer-webapp      |     /usr/local/go/src/runtime/panic.go:975 +0x47a
homer-webapp      | github.com/sipcapture/homer-app/data/service.(*SearchService).GetMessageByID(0xc00043a230, 0xc00051a380, 0xc00051a380, 0x0, 0x0, 0x40)
homer-webapp      |     /homer-app/data/service/search.go:583 +0x14f5
homer-webapp      | github.com/sipcapture/homer-app/controller/v1.(*SearchController).GetMessageById(0xc0005490e0, 0xfead20, 0xc00046a540, 0xc00046a540, 0xe7d0e0)
homer-webapp      |     /homer-app/controller/v1/search.go:132 +0xa7
homer-webapp      | github.com/sipcapture/homer-app/auth.MiddlewareRes.func1(0xfeab40, 0xc000404460, 0x4, 0xd8f8c0)
homer-webapp      |     /homer-app/auth/middleware.go:25 +0x22b
homer-webapp      | github.com/labstack/echo/v4/middleware.JWTWithConfig.func1.1(0xfeab40, 0xc000404460, 0x2, 0x2)
homer-webapp      |     /go/pkg/mod/github.com/labstack/echo/v4@v4.5.0/middleware/jwt.go:238 +0x40d
homer-webapp      | github.com/labstack/echo/v4.(*Echo).add.func1(0xfeab40, 0xc000404460, 0x1, 0x0)
homer-webapp      |     /go/pkg/mod/github.com/labstack/echo/v4@v4.5.0/echo.go:544 +0x62
homer-webapp      | github.com/labstack/echo/v4/middleware.GzipWithConfig.func1.1(0xfeab40, 0xc000404460, 0x0, 0x0)
homer-webapp      |     /go/pkg/mod/github.com/labstack/echo/v4@v4.5.0/middleware/compress.go:67 +0x735
homer-webapp      | github.com/labstack/echo/v4/middleware.StaticWithConfig.func1.1(0xfeab40, 0xc000404460, 0xfc34e0, 0xc000534270)
homer-webapp      |     /go/pkg/mod/github.com/labstack/echo/v4@v4.5.0/middleware/static.go:195 +0x798
homer-webapp      | main.GrafanaHeader.func1(0xfeab40, 0xc000404460, 0x0, 0x0)
homer-webapp      |     /homer-app/main.go:1562 +0x93
homer-webapp      | github.com/labstack/echo/v4/middleware.CORSWithConfig.func1.1(0xfeab40, 0xc000404460, 0x4, 0x4)
homer-webapp      |     /go/pkg/mod/github.com/labstack/echo/v4@v4.5.0/middleware/cors.go:118 +0x15a9
homer-webapp      | github.com/labstack/echo/v4.(*Echo).ServeHTTP.func1(0xfeab40, 0xc000404460, 0x89fe01, 0xc00018c0a0)
homer-webapp      |     /go/pkg/mod/github.com/labstack/echo/v4@v4.5.0/echo.go:648 +0x115
homer-webapp      | github.com/labstack/echo/v4/middleware.RewriteWithConfig.func1.1(0xfeab40, 0xc000404460, 0x1, 0x1)
homer-webapp      |     /go/pkg/mod/github.com/labstack/echo/v4@v4.5.0/middleware/rewrite.go:72 +0x102
homer-webapp      | github.com/labstack/echo/v4.(*Echo).ServeHTTP(0xc000444240, 0xfd3ce0, 0xc0001d8460, 0xc000510100)
homer-webapp      |     /go/pkg/mod/github.com/labstack/echo/v4@v4.5.0/echo.go:654 +0x182
homer-webapp      | net/http.serverHandler.ServeHTTP(0xc0001d80e0, 0xfd3ce0, 0xc0001d8460, 0xc000510100)
homer-webapp      |     /usr/local/go/src/net/http/server.go:2843 +0xa3
homer-webapp      | net/http.(*conn).serve(0xc000362000, 0xfd6be0, 0xc00046a280)
homer-webapp      |     /usr/local/go/src/net/http/server.go:1925 +0x8ad
homer-webapp      | created by net/http.(*Server).Serve
homer-webapp      |     /usr/local/go/src/net/http/server.go:2969 +0x36c

For the lazy:

lmangani commented 3 years ago

Reopening. Never has a username been more appropriate @systemcrash :)

adubovikov commented 3 years ago

So, I have added a check for id, but this is more of a cosmetic fix, because this does not take the app down; this is just a caught exception.

anyway, here is the fix:
https://github.com/sipcapture/homer-app/commit/a840c87fd4eb5fda05e2f58ceaa459226a3827cc
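The failure class behind the panic message in this thread, as an added example that is not part of the thread and is not homer-app's code: a single-value type assertion on a value decoded from JSON panics when the key is absent, while the comma-ok form returns an error the handler can turn into a 4xx response. The request body is constructed (trimmed from the one in the report), and the key name `example_key`, the function names and the error value are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed body, trimmed from the report: "id" is an empty object.
const body = `{"param":{"search":{"5_default":{"callid":["asdf"]}},"id":{}}}`
const idKey = "example_key" // hypothetical key name, not taken from homer-app

var errBadID = errors.New("param.id: missing or not a number")

// idMap decodes only the part of the request this example needs.
func idMap(raw string) (map[string]interface{}, error) {
	var req struct {
		Param struct {
			ID map[string]interface{} `json:"id"`
		} `json:"param"`
	}
	err := json.Unmarshal([]byte(raw), &req)
	return req.Param.ID, err
}

// uncheckedID asserts float64 without checking. A missing key yields a nil
// interface, so the assertion panics; recover() here stands in for the
// per-request recovery that net/http performs.
func uncheckedID(raw string) (id float64, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered panic: %v", r)
		}
	}()
	m, e := idMap(raw)
	if e != nil {
		return 0, e
	}
	return m[idKey].(float64), nil
}

// checkedID uses the comma-ok form and rejects missing or mistyped ids.
func checkedID(raw string) (float64, error) {
	m, err := idMap(raw)
	if err != nil {
		return 0, err
	}
	if id, ok := m[idKey].(float64); ok {
		return id, nil
	}
	return 0, errBadID
}
```
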