Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lack of Email Address Input Validation on privacy-request/notification API Endpoint #4224

Open
daveqnet opened this issue Oct 4, 2023 · 1 comment
Open

Lack of Email Address Input Validation on privacy-request/notification API Endpoint #4224

daveqnet opened this issue Oct 4, 2023 · 1 comment
Labels
bug Something isn't working

Comments

@daveqnet
Copy link
Contributor

daveqnet commented Oct 4, 2023

Bug Description

The Fides API allows to define alerts which in case of some errors in processing send proper notifications to recipients. The API was found to not validate the email addressed on the backend, thus it can potentially result in uncaught errors and unexpected notifications failures.

Steps to Reproduce

API Request

PUT /api/v1/privacy-request/notification HTTP/2
Host: <redacted>.ethyca.com
Content-Length: 68
Sec-Ch-Ua: "Not:A-Brand";v="99", "Chromium";v="112"
Unescape-Safestr: true
Sec-Ch-Ua-Mobile: ?0
Authorization: Bearer eyJh<redacted>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36
Content-Type: application/json
Access-Control-Allow-Origin: *
X-Fides-Source: fidesops-admin-ui
Sec-Ch-Ua-Platform: "Linux"
Accept: */*
Origin: https://<redacted>.ethyca.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://<redacted>.ethyca.com/privacy-requests
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

{"email_addresses":["INVALID ADDRESS1","INVALID ADDRESS2"],"notify_after_failures":1}

API Response

HTTP/2 200 OK
Date: Wed, 16 Aug 2023 09:04:37 GMT
Content-Type: application/json
Content-Length: 85
Server: uvicorn
X-Ratelimit-Limit: 1000
X-Ratelimit-Remaining: 998
X-Ratelimit-Reset: 1692176712
Retry-After: Wed, 16 Aug 2023 09:05:12 -0000
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://<redacted>.ethyca.com
Vary: Origin

{"email_addresses":["INVALID ADDRESS1","INVALIDADDRESS2"],"notify_after_failures":1}

Expected behavior

  • The request should be rejected with an error when the invalid email address fails input validation.
  • Implement input validation and consider adding a test notification feature to verify the settings are working correctly.

Screenshots

n/a

Environment

Version: 2.18.0 (repro'd on nightly 2.21.0rc0.post0.dev22)
OS: Kubernetes (AWS EKS v1.27.3-eks-a5565ad)
Python Version: 3.10.12
Docker Version: containerd://1.6.19

Additional context

n/a
@daveqnet daveqnet added the bug Something isn't working label Oct 4, 2023
@batman1911
Copy link

batman1911 commented Oct 11, 2023
edited
Loading

Please assign this to me. Also, can you please add the label "hacktoberfest" ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@batman1911 @daveqnet