Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Database/Table/Row not found errors echo back text from URL #2359

Closed
simonw opened this issue Jun 21, 2024 · 7 comments
Closed

Database/Table/Row not found errors echo back text from URL #2359

simonw opened this issue Jun 21, 2024 · 7 comments
Labels
minor Minor bugs (not high priority) security

Comments

@simonw
Copy link
Owner

simonw commented Jun 21, 2024

This was raised in Discord. The returned error message is escaped, so this isn't an XSS error, but it could still be used to create a confusing error message like so:

Database not found: we are facing a heavy traffic, please visit our following website www.attacker.com to learn more
@simonw simonw added minor Minor bugs (not high priority) security labels Jun 21, 2024
@simonw
Copy link
Owner Author

simonw commented Jun 21, 2024

Code at fault:

datasette/datasette/app.py

Lines 1615 to 1622 in 93534fd

async def resolve_database(self, request):
database_route = tilde_decode(request.url_vars["database"])
try:
return self.get_database(route=database_route)
except KeyError:
raise DatabaseNotFound(
"Database not found: {}".format(database_route), database_route
)

@simonw
Copy link
Owner Author

simonw commented Jun 21, 2024

I'm going to remove the reflected database name entirely:

Error just says Database not found

@simonw
Copy link
Owner Author

simonw commented Jun 21, 2024

Same bug exists for tables:

ble not found: this is bad too

@simonw
Copy link
Owner Author

simonw commented Jun 21, 2024

... and row not found too:

Error 404 Row not found: ['oeuo']

simonw added a commit that referenced this issue Jun 21, 2024
@simonw
Do not show database name in Database Not Found error, refs #2359
6268611
simonw added a commit that referenced this issue Jun 21, 2024
@simonw
Fix for TableNotFound, refs #2359
7316dd4
simonw added a commit that referenced this issue Jun 21, 2024
@simonw
Fix for RowNotFound, refs #2359
2637889
@simonw simonw changed the title Database not found error echoes back text from URL Database/Table/Row not found errors echo back text from URL Jun 21, 2024
@simonw
Copy link
Owner Author

simonw commented Jun 21, 2024

The fix for 0.64.x looks different because the code is older.

@simonw
Copy link
Owner Author

simonw commented Jun 21, 2024

Fix is deployed on latest.datasette.io now:

CleanShot 2024-06-21 at 16 20 34@2x

simonw added a commit that referenced this issue Jun 21, 2024
@simonw
Backport of #2359 for 0.64.x
7aa4bf9
simonw added a commit that referenced this issue Jun 21, 2024
@simonw
Release 0.64.8
0af9a89 
Refs #2353, #2359
@simonw
Copy link
Owner Author

simonw commented Jun 21, 2024
edited
Loading

Shipped in 0.64.8: https://docs.datasette.io/en/stable/changelog.html#v0-64-8

It's live in Datasette Lite already:

https://lite.datasette.io/#/content/this+will+not+be+displayed

@simonw simonw closed this as completed Jun 21, 2024
@simonw simonw mentioned this issue Aug 5, 2024
Closed
simonw added a commit that referenced this issue Aug 5, 2024
@simonw
Release notes for 1.0a14, refs #2381
5bd6853 
Refs #2306, #2307, #2311, #2319, #2341, #2348, #2352, #2353, #2358, #2359, #2360, #2375
simonw added a commit that referenced this issue Aug 5, 2024
@simonw
Release 1.0a14
f6bd2bf 
Refs #2306, #2307, #2311, #2319, #2341, #2348, #2352, #2353, #2358, #2359, #2360, #2375

Closes #2381
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
minor Minor bugs (not high priority) security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@simonw