Skip to content

fix: missing Auth header returns 400 Bad Request #27

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 17, 2023
Merged

fix: missing Auth header returns 400 Bad Request #27

merged 1 commit into from
Mar 17, 2023

Conversation

@NewtonDer
Copy link

@NewtonDer NewtonDer commented Mar 16, 2023

Commit summary:

fix: missing Authorization header returns 400 Bad Request

Description of changes:

  • Catch KeyError and IndexError when building auth headers, and return a 400 Bad Request.
  • Upgrade to v0.3.7.

Why:

Currently, if an upstream request is missing an Authorization header, a Python stack trace is returned in the response body. This was flagged as a potential security vulnerability. Similar to the issue fixed in #26

We now catch KeyError and IndexError when building upstream request auth headers. We don't expect customers to malform a request, so we deliberately return a vague error message.

Verification:

  • Build a .whl with python -m build.
  • Verify it is commit b96eeb3
  • Install the .whl in SageMaker Studio.
  • Verify 0.3.7 is installed with pip list.
  • Make a network call to an AWS service using aws_jupyter_proxy, making sure that an Authorization header is missing.
  • Observe that a 400 Bad Request is returned.

@NewtonDer
Copy link
Author

NewtonDer commented Mar 16, 2023

@vietle-aws @danpilgrim-aws

@NewtonDer
Copy link
Author

NewtonDer commented Mar 16, 2023

@larrygao001 @declanvk please take a look

@vietle-aws
Copy link
Contributor

vietle-aws commented Mar 16, 2023

LGTM

@aws-khatria
Copy link
Contributor

aws-khatria commented Mar 17, 2023

I reviewed the previous PR associated here. It recommended logging the missing header in case of exception. Can you please incorporate the comments from previous PR?

aws-khatria
aws-khatria reviewed Mar 17, 2023
View reviewed changes
aws_jupyter_proxy/awsproxy.py Outdated
auth_header_parts[1].split("=")[1].split("/")
)
except (KeyError, IndexError):
raise HTTPError(400, message=f"Bad Request")
Copy link
Contributor

@aws-khatria aws-khatria Mar 17, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is "Bad Request" sufficient? Does security guideline allow you to put some specific message, like, "Malformed Authorization header"?

aws-khatria
aws-khatria reviewed Mar 17, 2023
View reviewed changes
tests/unit/test_awsproxy.py

@pytest.mark.asyncio
@patch("os.getenv")
async def test_missing_authorization_header(mock_getenv, mock_session):
Copy link
Contributor

@aws-khatria aws-khatria Mar 17, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about a test case for malformed authorization header?

aws-khatria
aws-khatria approved these changes Mar 17, 2023
View reviewed changes
Copy link
Contributor

@aws-khatria aws-khatria left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@amvadhia amvadhia merged commit d13cca4 into aws:master Mar 17, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aws-khatria aws-khatria aws-khatria approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@NewtonDer @vietle-aws @aws-khatria @amvadhia