HTTP 500 on malformed OAuth request

Bug #2002525 reported by Vladimir Grevtsev
Affects: MAAS (status tracked in 3.6)

Series  Status     Importance  Assigned to  Milestone
3.4     Won't Fix  Low         Unassigned
3.5     Won't Fix  Low         Unassigned
3.6     Triaged    Low         Unassigned

Bug Description

maas version: snap/3.2.6-12016-g.19812b4da

expected result: malformed request is handled properly (http 400, for example)
actual result: HTTP 500 is raised while performing the following query (note the empty "timestamp" field):

GET /MAAS/api/2.0/account/prefs/sshkeys/ HTTP/1.1
Authorization: OAuth oauth_consumer_key="kCpynbMZQqckUWGNuL", oauth_nonce="hUAYSmKQ4DydAeg87CerMMidkBcsoaKU", oauth_signature="XswEgSmf8CYX77GhkxMXVTp4SxCRLZGB%26", oauth_signature_method="PLAINTEXT", oauth_timestamp="", oauth_token="gYBe8ULHW3DQcGKTyw", oauth_version="1.0"
Host: 172.27.84.1:5240
Connection: close
User-Agent: RapidAPI/4.1.0 (Macintosh; OS X/13.0.1) GCDHTTPRequest

the following exception is being raised in regiond.log:

2023-01-11 11:35:01 maasserver: [error] ################################ Exception: invalid literal for int() with base 10: '' ################################
2023-01-11 11:35:01 maasserver: [error] Traceback (most recent call last):
  File "/snap/maas/23947/usr/lib/python3/dist-packages/django/core/handlers/base.py", line 113, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/snap/maas/23947/lib/python3.8/site-packages/maasserver/utils/views.py", line 288, in view_atomic_with_post_commit_savepoint
    return view_atomic(*args, **kwargs)
  File "/usr/lib/python3.8/contextlib.py", line 75, in inner
    return func(*args, **kwds)
  File "/snap/maas/23947/lib/python3.8/site-packages/maasserver/api/support.py", line 56, in __call__
    response = super().__call__(request, *args, **kwargs)
  File "/snap/maas/23947/usr/lib/python3/dist-packages/django/views/decorators/vary.py", line 20, in inner_func
    response = func(*args, **kwargs)
  File "/snap/maas/23947/usr/lib/python3.8/dist-packages/piston3/resource.py", line 152, in __call__
    actor, anonymous = self.authenticate(request, rm)
  File "/snap/maas/23947/lib/python3.8/site-packages/maasserver/api/support.py", line 103, in authenticate
    actor, anonymous = super().authenticate(request, rm)
  File "/snap/maas/23947/usr/lib/python3.8/dist-packages/piston3/resource.py", line 128, in authenticate
    if not authenticator.is_authenticated(request):
  File "/snap/maas/23947/lib/python3.8/site-packages/maasserver/api/auth.py", line 62, in is_authenticated
    consumer, token, parameters = self.validate_token(request)
  File "/snap/maas/23947/usr/lib/python3.8/dist-packages/piston3/authentication.py", line 368, in validate_token
    return oauth_server.verify_request(oauth_request)
  File "/snap/maas/23947/usr/lib/python3.8/dist-packages/piston3/oauth.py", line 452, in verify_request
    self._check_signature(oauth_request, consumer, token)
  File "/snap/maas/23947/usr/lib/python3.8/dist-packages/piston3/oauth.py", line 516, in _check_signature
    self._check_timestamp(timestamp)
  File "/snap/maas/23947/usr/lib/python3.8/dist-packages/piston3/oauth.py", line 538, in _check_timestamp
    timestamp = int(timestamp)
ValueError: invalid literal for int() with base 10: ''
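The traceback shows where the 500 comes from: piston's `_check_timestamp` calls `int()` directly on the raw header value, so an empty or non-numeric `oauth_timestamp` escapes as a `ValueError` instead of being reported as a client error. The following Python is an added example of the 400-not-500 handling the comments below ask for; it is not MAAS or piston code. The header parser, the `OAuthError` class, the 300-second freshness window, the `authenticate` helper and the constructed sample header (placeholder keys and secrets rather than the values in the report) are all assumptions of this example.

```python
import re
import time


class OAuthError(Exception):
    """A problem with what the client sent. The API layer maps this to
    HTTP 400; only unexpected exceptions should still become a 500."""


# Assumed freshness window; piston's real threshold is not on the page.
TIMESTAMP_THRESHOLD_SECONDS = 300

# Constructed sample, shaped like the request in the bug report (note the
# empty oauth_timestamp). Keys and secrets are placeholders, not real values.
SAMPLE_HEADER = (
    'OAuth oauth_consumer_key="CONSUMER_KEY_PLACEHOLDER", '
    'oauth_nonce="NONCE_PLACEHOLDER", '
    'oauth_signature="SIGNATURE_PLACEHOLDER%26", '
    'oauth_signature_method="PLAINTEXT", oauth_timestamp="", '
    'oauth_token="TOKEN_PLACEHOLDER", oauth_version="1.0"'
)

# oauth_<name>="<value>" pairs; the value may legitimately be empty, which is
# exactly the case that has to be rejected later rather than crash.
_PARAM_RE = re.compile(r'(oauth_[a-z_]+)="([^"]*)"')

# Only ASCII digits. str.isdigit() would also accept characters such as
# superscript digits, which int() then rejects with the same ValueError.
_DIGITS_RE = re.compile(r"[0-9]+")


def parse_oauth_header(header):
    """Split an 'OAuth k="v", k2="v2"' Authorization header into a dict."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise OAuthError("unsupported authorization scheme")
    return {key: value for key, value in _PARAM_RE.findall(rest)}


def check_timestamp(timestamp, now=None, threshold=TIMESTAMP_THRESHOLD_SECONDS):
    """Validate an oauth_timestamp value and return it as an int.

    Every way a client can get this wrong (missing, empty, non-numeric,
    outside the freshness window) raises OAuthError, so the caller never has
    to catch ValueError itself.
    """
    if timestamp is None or timestamp == "":
        raise OAuthError("missing or empty oauth_timestamp")
    if not isinstance(timestamp, str) or not _DIGITS_RE.fullmatch(timestamp):
        raise OAuthError("oauth_timestamp must be a non-negative integer")
    value = int(timestamp)
    now = int(time.time()) if now is None else now
    if abs(now - value) > threshold:
        raise OAuthError("oauth_timestamp outside the acceptable window")
    return value


def authenticate(header, now=None):
    """Return (http_status, detail) for the timestamp part of OAuth auth.

    Signature and nonce verification would follow the timestamp check in a
    real server; they are out of scope here. The point is that malformed
    input yields 400 with a short reason, never a traceback.
    """
    try:
        params = parse_oauth_header(header)
        check_timestamp(params.get("oauth_timestamp"), now=now)
    except OAuthError as exc:
        return 400, str(exc)
    return 200, "timestamp ok"


if __name__ == "__main__":
    # The captured request from the report: empty timestamp -> 400, not 500.
    print(authenticate(SAMPLE_HEADER))
```

The freshness window is checked against an explicit `now` so the behaviour is testable with a fixed clock; in a server you would leave it at the default. Keeping all client-caused failures under one exception type is what lets the view layer answer 400 uniformly while genuine bugs still surface as 500.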


Changed in maas:
importance: Undecided → Medium
status: New → Triaged
Jack Lloyd-Walters (lloydwaltersj) wrote :

Can you additionally supply a set of replicable instructions for this behaviour?
i.e., what was the sequence of steps undertaken that led to the error message?

Changed in maas:
status: Triaged → Incomplete
Changed in maas:
status: Incomplete → New
importance: Medium → Undecided
status: New → Incomplete
Vladimir Grevtsev (vlgrevtsev) wrote :

Hi Jack,

I tried using a 3rd party API client to talk with the MAAS API. This client has an OAuth signature assembly functionality; so, while filling out the required gaps (e.g. OAuth secrets), I accidentally emptied the "timestamp" field - which is mandatory. This resulted in a malformed OAuth signature string being generated, hence leading to the HTTP 500 being returned to the client.

Obviously, this won't happen if the signature is generated by some library (like oauthlib), so this is definitely a low-priority issue. However, I still don't think that an unhandled HTTP 500 is something that should be exposed to endpoint consumers.

Björn Tillenius (bjornt) wrote :

Agreed. This should be a 400, not a 500.

Changed in maas:
milestone: none → 3.4.0
importance: Undecided → Low
status: Incomplete → Triaged
Alberto Donato (ack)
Changed in maas:
milestone: 3.4.0 → 3.4.x
Changed in maas:
milestone: 3.4.x → 3.5.x