Fix CodeQL Alert for SSRF #2197

umar8hassan · 2024-05-28T13:14:31Z

What are the relevant tickets?

closes #2175 and closes #2172

Description (What does it do?)

Limited the use of input url. Format for the subscribe url is pre-defined and only token will be used from the message.

How can this be tested?

The scope of this ticket is to test that url was formatted correctly after using the pre-defined url format

Use the RC settings for AWS_ACCOUNT_ID and AWS_REGION
Using Postman or curl, make a request to http://localhost:8043/api/transcode-jobs/ with the following data, and headers "Authorization: Bearer <settings.API_BEARER_TOKEN>" and "Content-Type: application/json":

{
 "Type": "SubscriptionConfirmation",
 "MessageId": "88b400b3-2fd3-49a3-b182-f64a4224d3e2",
 "Token": "fake-token",
 "TopicArn": "arn:aws:sns:<AWS_REGION>:<AWS_ACCOUNT_ID>:MediaConvertJobAlert",
 "Message": "To confirm the subscription, visit the SubscribeURL included in this message.",
 "SubscribeURL": "https://sns.<AWS_REGION>.amazonaws.com/?Action=ConfirmSubscription&TopicArn=arn:aws:sns:<AWS_REGION>:<AWS_ACCOUNT_ID>:MediaConvertJobAlert&Token=fake-token",
 "Timestamp": "2021-08-05T14:32:17.423Z",
 "SignatureVersion": "1",
 "Signature": "fake-signature",
 "SigningCertURL": "https://sns.<AWS_REGION>.amazonaws.com/SimpleNotificationService.pem"
}

The request should return 200 status_code. Which would indicate that url was formatted correctly.

pt2302 · 2024-05-29T13:26:47Z

Could you add a test for this functionality, i.e., making sure that the URL is properly formatted? Also, we are not currently performing validation on some of these fields, such as AWS_ACCOUNT_ID. We should do this, and throw appropriate errors if they are not valid.

videos/constants.py

videos/views_test.py

videos/exceptions.py

videos/constants.py

videos/utils_test.py

videos/utils.py

pt2302 · 2024-05-31T11:15:52Z

videos/views_test.py

@@ -7,6 +7,7 @@
 import pytest
 from django.http.response import HttpResponse
 from django.urls import reverse
+from rest_framework.status import HTTP_400_BAD_REQUEST


If we are using imports from rest_framework.status here, why would we define them as constants here:

ocw-studio/external_resources/constants.py

Lines 4 to 10 in d6d5cd1

HTTP_BAD_REQUEST = 400

HTTP_UNAUTHORIZED = 401

HTTP_PAYMENT_REQUIRED = 402

HTTP_FORBIDDEN = 403

HTTP_TOO_MANY_REQUESTS = 429

HTTP_REQUEST_TIMEOUT = 408

HTTP_SERVICE_UNAVAILABLE = 503

For consistency, I think we should make those imports from rest_framework.status as well.

Also, commit messages should ideally contain a summary of what the commit addresses, rather than a more generic message.

@pt2302 I agree with you on this. I'd have changed it if it had been in the same module and scope of work. Changing the constants and testing things again for external resources module for any breaking change, should be done in separate refactoring ticket in my opinion.

Agreed. I've opened #2198 and put up #2199 to resolve this issue.

pt2302

Looks good to me!

added predefined format for subscribe url

eef3103

umar8hassan linked an issue May 28, 2024 that may be closed by this pull request

Fix CodeQL Alert for security risk #2175

Closed

1 task

umar8hassan self-assigned this May 28, 2024

umar8hassan added the Needs Review label May 28, 2024

umar8hassan marked this pull request as ready for review May 28, 2024 13:19

added unit tests and token validation

feb4914

pt2302 self-assigned this May 30, 2024