Search: do not record invalid queries #9349

Closed
wants to merge 1 commit into from

humitos (Member) commented Jun 17, 2022

We are generating a lot of errors on Sentry because `query='\x00'`. This commit
skips logging those queries.

Reference: https://sentry.io/organizations/read-the-docs/issues/3066070420/?project=148442

@humitos humitos requested a review from a team as a code owner June 17, 2022 12:01
@humitos humitos requested a review from benjaoming June 17, 2022 12:01
@humitos humitos requested review from stsewd and removed request for benjaoming June 17, 2022 12:01
humitos added a commit that referenced this pull request Jun 17, 2022
Block requests that contain "\x00" characters on their GET attributes. Raise
`SuspiciousOperation` on these cases.

Related to #9349
Sentry issues: https://sentry.io/organizations/read-the-docs/issues/2941721921/?project=148442
log.bind(
project_slug=project_slug,
version_slug=version_slug,
)
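
Review bot: the return value of `log.bind(...)` is discarded in this snippet. structlog's `bind()` returns a new bound logger and does not mutate the logger it is called on, so whether `project_slug` and `version_slug` reach later log calls depends on logger configuration that is not shown here. Either assign the result (`log = log.bind(...)`) or bind through `structlog.contextvars.bind_contextvars(...)` so the context is explicitly scoped to the request or task and cleared afterwards, and add a short comment saying which mechanism the code relies on.
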
Contributor

The log object is for the entire module. There are also log functions in other tasks, so I wonder: couldn't this produce log messages with `project_slug` and `version_slug` in unrelated calls?

Member Author

This is how structlog works (https://github.com/jrobichaud/django-structlog). Every log instance is tied to each request. Take a look at https://www.structlog.org/en/stable/getting-started.html#building-ctx

Contributor

Shouldn't it be `log = log.bind`?

Member Author

I think that is required when running a normal Python application. However, we also have django-structlog and we are installing a middleware from there that, as I understand it, "resets" the logger for each different thread/request: https://django-structlog.readthedocs.io/en/latest/getting_started.html

The same happens with the Celery integration we are using from the same module.

I don't remember off the top of my head exactly how this works, but I think what I'm saying is pretty close 😄. I haven't seen log entries with invalid/inconsistent key/value pairs, so I'd assume it's working fine so far; but maybe we just haven't hit the issue yet.

Contributor

It makes sense that it's something that this middleware would provide 👍 Thanks for a great explanation 👍

stsewd (Member) commented Jun 22, 2022

Shouldn't the middleware already be blocking these? The search query is passed in a GET parameter.

#9350

humitos (Member, Author) commented Jun 22, 2022

Yes. I think this is not required anymore now that we have that middleware. I'm closing it. We can re-open if required.

@humitos humitos closed this Jun 22, 2022
@stsewd stsewd deleted the humitos/no-record-invalid-search-queries branch June 22, 2022 14:56
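
An added example, not code from this pull request or from Read the Docs: a standard-library version of the check discussed in this thread, rejecting any request whose GET keys or values decode to `\x00` before the search query is recorded. `SuspiciousQuery` stands in for Django's `SuspiciousOperation`; the function names and the sample query strings are constructed for illustration.

```python
from urllib.parse import parse_qsl

NUL = "\x00"


class SuspiciousQuery(Exception):
    """Stand-in for Django's SuspiciousOperation (assumption: stdlib-only example)."""


def find_nul_params(query_string):
    """Return log-safe names of GET parameters whose key or value contains NUL."""
    offenders = []
    # parse_qsl percent-decodes, so "%00" and a raw NUL are both caught here.
    # keep_blank_values=True makes sure "?%00=" (empty value) is inspected too.
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if NUL in key or NUL in value:
            # Escape the NUL so the name itself can be logged safely.
            offenders.append(key.replace(NUL, "\\x00"))
    return offenders


def reject_nul_in_get(environ):
    """Hypothetical middleware-style hook: raise before any view code runs."""
    offenders = find_nul_params(environ.get("QUERY_STRING", ""))
    if offenders:
        raise SuspiciousQuery(f"NUL byte in GET parameter(s): {offenders}")
    return environ


def record_search_query(environ, sink):
    """Hypothetical recorder: stores `q` only when the request passed the check."""
    try:
        reject_nul_in_get(environ)
    except SuspiciousQuery:
        return False  # nothing is written for a rejected request
    query = dict(parse_qsl(environ.get("QUERY_STRING", ""))).get("q", "")
    if query:
        sink.append(query)
    return bool(query)


if __name__ == "__main__":
    recorded = []
    # Constructed sample query strings, not taken from real traffic.
    for qs in ("q=sphinx+theme", "q=%00", "q=docs&page=1%00", "%00=x"):
        print(repr(qs), record_search_query({"QUERY_STRING": qs}, recorded))
    print(recorded)
```

Because the check runs on the decoded parameters, it covers every GET attribute and not only `q`, which is why a request-level middleware makes a per-view guard in the search code redundant.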