Hi - Committed as obvious.
Author: Frank Ch. Eigler <f...@redhat.com> Date: Thu Feb 25 14:04:20 2021 -0500 debuginfod: filter webapi for bad keywords early Prevent some unnecessary processing of user data and keep invalid request types out of metrics. Signed-off-by: Frank Ch. Eigler <f...@redhat.com>
diff --git a/debuginfod/ChangeLog b/debuginfod/ChangeLog
index a66ded383a9f..98089b2d97bc 100644
--- a/debuginfod/ChangeLog
+++ b/debuginfod/ChangeLog
@@ -1,3 +1,8 @@
+2021-02-25 Frank Ch. Eigler <f...@redhat.com>
+
+ * debuginfod.cxx (handler_cb): Filter webapi for bad
+ artifacttype keywords early for metric hygiene.
+
 2021-02-14 Frank Ch. Eigler <f...@redhat.com>
 * debuginfod.cxx (main -U): Use bsdtar unconditionally. Also map
diff --git a/debuginfod/debuginfod.cxx b/debuginfod/debuginfod.cxx
index 6fdaf60e6632..2aecc0494062 100644
--- a/debuginfod/debuginfod.cxx
+++ b/debuginfod/debuginfod.cxx
@@ -1587,6 +1587,8 @@ handle_buildid (MHD_Connection* conn,
 else if (artifacttype == "source") atype_code = "S";
 else throw reportable_exception("invalid artifacttype");
+ inc_metric("http_requests_total", "type", artifacttype);
+
 if (atype_code == "S" && suffix == "") throw reportable_exception("invalid source suffix");
@@ -1936,7 +1938,6 @@ handler_cb (void * /*cls*/,
 suffix = url_copy.substr(slash3); // include the slash in the suffix
 }
- inc_metric("http_requests_total", "type", artifacttype);
 // get the resulting fd so we can report its size
 int fd;
 r = handle_buildid(connection, buildid, artifacttype, suffix, &fd);
diff --git a/tests/ChangeLog b/tests/ChangeLog
index 889f5066d537..9444712889a6 100644
--- a/tests/ChangeLog
+++ b/tests/ChangeLog
@@ -1,3 +1,7 @@
+2021-02-25 Frank Ch. Eigler <f...@redhat.com>
+
+ * run-debuginfod-find.sh: Add bad webapi artifacttype test.
+
 2021-02-17 Frank Ch. Eigler <f...@redhat.com>
 * run-debuginfod-find.sh: Tweak wait_ready() to also print -vvv log of
diff --git a/tests/run-debuginfod-find.sh b/tests/run-debuginfod-find.sh
index 1ae63e0ee79a..bcca61301b2b 100755
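Review bot: Requests with an invalid artifacttype now drop out of `http_requests_total` entirely in handle_buildid, so repeated probing with bad types is invisible to operators unless another counter outside this hunk records it. A fixed label keeps them countable without letting the client choose the label text, e.g. `else { inc_metric("http_requests_total", "type", "invalid"); throw reportable_exception("invalid artifacttype"); }`. The relocated `inc_metric` call also has no comment saying why it must stay after the check; something like `// count only validated artifacttype values: the label text comes from the request URL` would stop a later cleanup from moving it back ahead of validation. handle_buildid's body starts and ends outside the hunk.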
--- a/tests/run-debuginfod-find.sh
+++ b/tests/run-debuginfod-find.sh
@@ -493,6 +493,9 @@ curl -s http://127.0.0.1:$PORT1/metrics | grep 'scanned_bytes_total'
 curl -s http://127.0.0.1:$PORT2/badapi > /dev/null || true
 curl -s http://127.0.0.1:$PORT2/buildid/deadbeef/debuginfo > /dev/null || true
+# Confirm bad artifact types are rejected without leaving trace
+curl -s http://127.0.0.1:$PORT2/buildid/deadbeef/badtype > /dev/null || true
+(curl -s http://127.0.0.1:$PORT2/metrics | grep 'badtype') && false
 ########################################################################
 # Corrupt the sqlite database and get debuginfod to trip across its errors
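Review bot: The negative check `(curl -s http://127.0.0.1:$PORT2/metrics | grep 'badtype') && false` also passes when the metrics fetch itself fails, because a failed or empty curl gives grep nothing to match. Fetching first and failing on transport errors makes the assertion meaningful, e.g. `m=$(curl -sf http://127.0.0.1:$PORT2/metrics)` followed by `if echo "$m" | grep 'badtype'; then false; fi`. Both the existing form and this one rely on the script running under `set -e`, which is not visible in this hunk. The preceding `badtype` request discards its response as well, so the test does not confirm that the server answered with an error status.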