
admin/origin_save: Do not modify unauthorized URLs list when rejecting
Closed, Public

Authored by anlambert on Mar 21 2022, 2:21 PM.

Details

Summary

When rejecting a Save Code Now request, the submitted origin URL was
automatically added to the unauthorized URLs list. But this was
problematic as a valid URL prefix could be added in that list and
thus a valid request whose origin URL has that prefix would be
automatically rejected.

So remove the automatic adding of origin URL in unauthorized list
when rejecting a request.

Diff Detail

Repository
rDWAPPS Web applications
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

Build is green

Patch application report for D7398 (id=26736)

Rebasing onto f232481f96...

Current branch diff-target is up to date.
Changes applied before test
commit 2c761cbe75b6a685660f93a3e84ef4ec84e6aa56
Author: Antoine Lambert <anlambert@softwareheritage.org>
Date:   Mon Mar 21 14:15:11 2022 +0100

    admin/origin_save: Do not modify unauthorized URLs list when rejecting
    
    When rejecting a Save Code Now request, the submitted origin URL was
    automatically added to the unauthorized URLs list. But this was
    problematic as a valid URL prefix could be added in that list and
    thus a valid request whose origin URL has that prefix would be
    automatically rejected.
    
    So remove the automatic adding of origin URL in unauthorized list
    when rejecting a request.

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/1515/ for more details.

Build is green

Patch application report for D7398 (id=26737)

Rebasing onto f232481f96...

Current branch diff-target is up to date.
Changes applied before test
commit 6f4052cfb4f45f1a1f2cc47c714fee77fa916b69
Author: Antoine Lambert <anlambert@softwareheritage.org>
Date:   Mon Mar 21 14:15:11 2022 +0100

    admin/origin_save: Do not modify unauthorized URLs list when rejecting
    
    When rejecting a Save Code Now request, the submitted origin URL was
    automatically added to the unauthorized URLs list. But this was
    problematic as a valid URL prefix could be added in that list and
    thus a valid request whose origin URL has that prefix would be
    automatically rejected.
    
    So remove the automatic adding of origin URL in unauthorized list
    when rejecting a request.
    
    Also return 404 in the reject endpoint when the request does not
    exist.

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/1516/ for more details.

This revision is now accepted and ready to land. (Mar 21 2022, 2:44 PM)

What made the old code deal with prefixes? From what I can see, it matches on the full URL

This revision now requires changes to proceed. (Mar 21 2022, 2:47 PM)

> What made the old code deal with prefixes? From what I can see, it matches on the full URL

Yes but users could have submitted an origin URL prefix through the Web API endpoint for SCN.
My guess is that is how we ended up having URL prefixes in the unauthorized list.

So maybe the right solution is to check the submitted origin URL is not a prefix on the backend side?
This check is performed on the frontend side so it would make sense to also do it when SCN
requests are submitted through the API.

Ah, I see. Alright, this will do for now, then

This revision is now accepted and ready to land. (Mar 21 2022, 4:17 PM)

> So maybe the right solution is to check the submitted origin URL is not a prefix on the backend side?

I think so, but we also should not add prefixes automatically. (Adding specific URLs+types automatically is fine though, it avoids refusing the same origin over and over)
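
The failure mode from the summary and the alternatives raised in the comments above, as an added example that is not swh-web code. It assumes the unauthorized list is matched by prefix, as the summary implies; the class, method names and URLs are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class SaveRequestPolicy:
    """Toy model of a Save Code Now denylist (hypothetical, not swh-web code)."""

    # Entries curated by an admin; assumed to be matched as URL prefixes.
    unauthorized_prefixes: set = field(default_factory=set)
    # Entries recorded automatically on rejection; matched exactly on (type, URL).
    rejected_exact: set = field(default_factory=set)

    def is_refused(self, visit_type: str, url: str) -> bool:
        if (visit_type, url) in self.rejected_exact:
            return True
        return any(url.startswith(p) for p in self.unauthorized_prefixes)

    def reject_old(self, visit_type: str, url: str) -> None:
        # Behaviour described in the summary: the rejected URL lands in the
        # prefix-matched list, whatever it looks like.
        self.unauthorized_prefixes.add(url)

    def reject_patched(self, visit_type: str, url: str) -> None:
        # Behaviour after this revision: rejecting leaves both lists untouched.
        pass

    def reject_exact(self, visit_type: str, url: str) -> None:
        # Alternative from the review: remember only this exact URL and type.
        self.rejected_exact.add((visit_type, url))


def compare_policies() -> dict:
    bad = "https://forge.example/alice"           # constructed: a prefix, not a repository
    good = "https://forge.example/alice/project"  # constructed: a valid origin under it
    results = {}
    for name in ("old", "patched", "exact"):
        policy = SaveRequestPolicy()
        getattr(policy, f"reject_{name}")("git", bad)
        results[name] = {
            "valid_origin_refused": policy.is_refused("git", good),
            "same_request_refused_again": policy.is_refused("git", bad),
        }
    return results


if __name__ == "__main__":
    for name, outcome in compare_policies().items():
        print(name, outcome)
```

Only the old behaviour refuses the valid origin; only the patched behaviour lets the already rejected request through for another manual review.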

Build is green

Patch application report for D7398 (id=26750)

Rebasing onto 60666aa2d1...

Current branch diff-target is up to date.
Changes applied before test
commit 90f25e245864495cbc09ddc054ed1bf9cafeffeb
Author: Antoine Lambert <anlambert@softwareheritage.org>
Date:   Mon Mar 21 14:15:11 2022 +0100

    admin/origin_save: Do not modify unauthorized URLs list when rejecting
    
    When rejecting a Save Code Now request, the submitted origin URL was
    automatically added to the unauthorized URLs list. But this was
    problematic as a valid URL prefix could be added in that list and
    thus a valid request whose origin URL has that prefix would be
    automatically rejected.
    
    So remove the automatic adding of origin URL in unauthorized list
    when rejecting a request.
    
    Also return 404 in the reject endpoint when the request does not
    exist.

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/1523/ for more details.

Rebase and address some @vlorentz comments

Build is green

Patch application report for D7398 (id=26768)

Rebasing onto ac5e79103c...

Current branch diff-target is up to date.
Changes applied before test
commit 4b6f0654969a983a03d63a78445ee600cbb8c7ba
Author: Antoine Lambert <anlambert@softwareheritage.org>
Date:   Thu Feb 3 13:49:19 2022 +0100

    admin: Add mailmaps administration Web UI
    
    Add a new administration view to manage the mailmaps in the
    archive.
    
    The view allows adding new mailmaps or updating existing ones.
    
    It requires a special user permission "swh.web.admin.mailmap"
    to be used.
    
    Only mailmaps created by users with that permission will be
    displayed in that view.

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/1531/ for more details.

Build is green

Patch application report for D7398 (id=26769)

Rebasing onto ac5e79103c...

Current branch diff-target is up to date.
Changes applied before test
commit 36cc6f6154a242cfa1aaa77a3712bbbbe63b5690
Author: Antoine Lambert <anlambert@softwareheritage.org>
Date:   Mon Mar 21 14:15:11 2022 +0100

    admin/origin_save: Do not modify unauthorized URLs list when rejecting
    
    When rejecting a Save Code Now request, the submitted origin URL was
    automatically added to the unauthorized URLs list. But this was
    problematic as a valid URL prefix could be added in that list and
    thus a valid request whose origin URL has that prefix would be
    automatically rejected.
    
    So remove the automatic adding of origin URL in unauthorized list
    when rejecting a request.
    
    Also return 404 in the reject endpoint when the request does not
    exist.

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/1532/ for more details.

Build is green

Patch application report for D7398 (id=26789)

Rebasing onto d6605c7a7e...

Current branch diff-target is up to date.
Changes applied before test
commit 74a5fc48c82b0c144f752189ab83094c45f14d8e
Author: Antoine Lambert <anlambert@softwareheritage.org>
Date:   Mon Mar 21 14:15:11 2022 +0100

    admin/origin_save: Do not modify unauthorized URLs list when rejecting
    
    When rejecting a Save Code Now request, the submitted origin URL was
    automatically added to the unauthorized URLs list. But this was
    problematic as a valid URL prefix could be added in that list and
    thus a valid request whose origin URL has that prefix would be
    automatically rejected.
    
    So remove the automatic adding of origin URL in unauthorized list
    when rejecting a request.
    
    Also return 404 in the reject endpoint when the request does not
    exist.

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/1537/ for more details.