Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .jules/sentinel.md
Original file line number Diff line number Diff line change
Expand Up @@ -90,3 +90,8 @@
**Vulnerability:** The `_safe_upload_filename` function used `filename.replace`, `PurePosixPath`, and `re.sub` on unbounded client input, making it vulnerable to ReDoS or CPU/memory exhaustion (DoS) when fed extremely long strings.
**Learning:** Even fast standard library functions like `PurePosixPath` and string replacements can cause significant lag when chained on strings in the megabytes. String processing operations should always bound their inputs first if the input is untrusted and can be arbitrarily large.
**Prevention:** Cap the length of client-provided filename strings early by slicing them (e.g. `filename = filename[-512:]`) before doing more complex string parsing or regex replacements, especially when only the basename suffix is relevant.

## 2025-07-17 - Prevent DoS via TypeError in hmac.compare_digest
**Vulnerability:** Passing strings containing non-ASCII characters directly to `hmac.compare_digest()` raises a `TypeError`, causing a 500 Internal Server Error. This can be exploited by an attacker sending malformed Authorization headers (e.g., `Bearer ๆผขๅญ—`) to cause a Denial of Service (DoS) on protected endpoints.
**Learning:** `hmac.compare_digest()` in Python does not support comparing strings with non-ASCII characters; it strictly requires ASCII strings or bytes-like objects.
**Prevention:** Always encode strings to bytes (e.g., `.encode("utf-8")`) before passing them to `hmac.compare_digest()` when handling untrusted client input.
2 changes: 1 addition & 1 deletion src/newsdom_api/main.py
Original file line number Diff line number Diff line change
Expand Up @@ -133,7 +133,7 @@ def require_authorization(
return
expected = f"Bearer {token}"
provided = authorization or ""
if not hmac.compare_digest(provided, expected):
if not hmac.compare_digest(provided.encode("utf-8"), expected.encode("utf-8")):
raise HTTPException(
status_code=401,
detail=UNAUTHORIZED_DETAIL,
Expand Down
Loading