
Text/plain response can't be parsed, masking the response actual value

Open davidt99 opened this issue 9 months ago • 3 comments

Describe the bug

I came across a response from the government cloud (I tried to initiate an RTR session), and the response was as follows:

  • Status code: 403
  • Content type: text/plain
  • Content: Remote response feature is not enabled

The issue is that this error is not returned to the calling code because on line #289, it assumes the response is in JSON. Eventually, it falls back to "No content was received for this request.".

I am not sure how to actually fix this. I assume the text/plain is somewhat backward compatibility code for older instances of CrowdStrike. I would suggest either fixing this in the backend (@jshcodes, I assume you have the ability to make this happen) or falling back to creating the Result object in roughly this format: "errors": [{"message": response.text, "code": response.status_code}]. Timeouts act in a similar way.

Environment (please complete the following information):

  • OS: MacOS
  • Python: 3.11
  • FalconPy: 1.4.3

davidt99 avatar May 05 '24 09:05 davidt99

Hi @davidt99 thanks for bringing this to our attention! I will investigate what's coming back in the response and see about either having this updated on the API or SDK side.

crowdstrikedcs avatar May 06 '24 04:05 crowdstrikedcs

Hi @davidt99 -

Can we see an example of the code you're executing? I'd like to confirm I'm comparing apples to apples in my local testing.

The result object may need to be updated to handle unusual text responses regardless, as this may happen in other scenarios.

Thank you for reporting this! 🙇

jshcodes avatar May 08 '24 14:05 jshcodes

It was just a simple init_session of rtr:

rtr: falconpy.RealTimeResponse
response = rtr.init_session(device_id=device_id, offline_queued=False)

If you are using responses for mocking, this is the code you can use to simulate:

import requests
import responses

# Simulate the 403 text/plain reply from the RTR session endpoint
with responses.RequestsMock() as mock:
    mock.add('POST', 'https://api.crowdstrike.com/real-time-response/entities/sessions/v1', body='Remote response feature is not enabled', content_type='text/plain', status=403)
    requests.post('https://api.crowdstrike.com/real-time-response/entities/sessions/v1')

davidt99 avatar May 09 '24 15:05 davidt99
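The fallback proposed in the issue, sketched as an added example that is not FalconPy's own code: a non-JSON or empty body is wrapped in the suggested "errors" list so the server's message reaches the caller instead of being masked. The function name normalize_body, the "resources" and "text" keys, and the sample inputs are assumptions made for this illustration.

```python
import json

# Message the issue reports seeing once the real body has been discarded.
NO_CONTENT = "No content was received for this request."


def normalize_body(status_code, content_type, raw):
    """Return a dict body even when the API answers with non-JSON content.

    Hypothetical helper: takes the status code, the Content-Type header
    value (may be None) and the raw body bytes of an HTTP response.
    """
    text = raw.decode("utf-8", errors="replace").strip()
    # Drop parameters such as "; charset=utf-8" before comparing.
    media_type = (content_type or "").split(";", 1)[0].strip().lower()

    if media_type == "application/json" or media_type.endswith("+json"):
        try:
            parsed = json.loads(text)
            if isinstance(parsed, dict):
                return parsed
        except json.JSONDecodeError:
            pass  # labelled as JSON but is not: treat it as plain text

    if status_code >= 400:
        # Format suggested in the issue: keep the server's own message.
        return {
            "errors": [{"message": text or NO_CONTENT, "code": status_code}],
            "resources": [],
        }
    # Non-error plain text: keep it visible rather than dropping it
    # (the "text" key is a choice made for this example).
    return {"errors": [], "resources": [], "text": text}


if __name__ == "__main__":
    # Constructed sample matching the response described in the issue.
    body = normalize_body(403, "text/plain",
                          b"Remote response feature is not enabled")
    print(json.dumps(body, indent=2))
```
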