docassemble
Security question re: fetch_user_dict
Hey there. I think someone is trying to do some malicious stuff with my docassemble instance, and I just wanted to understand better if these logs are revealing any vulnerability.
I see this in docassemble.log:
2020-05-08 22:17:44 A3erJwmFiu4Vl2yOtNp43grdg0gM2OlU index: dictionary fetch failed
2020-05-08 22:17:49 pE5Z1MfbvBlYRFj43Svl6gmkfNOOklXu index: dictionary fetch failed
2020-05-08 22:17:55 tjhB1ZOsXmuFAdI2SJDK2ufWyRIAdCIi index: dictionary fetch failed
2020-05-08 22:18:01 HR64aASK8Er4w8xeow6q9vOvfZSfuyC5 index: dictionary fetch failed
2020-05-08 22:18:07 lzKkB8nOiDSjn1hbCghzULMgFJ6LqFts index: dictionary fetch failed
2020-05-08 22:18:13 ghUczJgeVBWMTAxR5WH1wQIHNVXvwgI3 index: dictionary fetch failed
2020-05-08 22:18:19 g9cGh5sgkSZzlp5v637fQVpedlWUpq3P index: dictionary fetch failed
2020-05-08 22:18:24 7DXt3velv4W4AP8tRTrwfaBe39JGXKXw index: dictionary fetch failed
2020-05-08 22:18:30 hioutbb7o4ea0ZT0uxriuP6C1fODaMCm index: dictionary fetch failed
And correspondingly in apache2/error.log:
[Fri May 08 22:17:44.445325 2020] [wsgi:error] [pid 105828:tid 140020658415360] [remote 5.188.86.218:39880] index: there was an exception UnpicklingError: invalid load key, 'Z'. after fetch_user_dict with A3erJwmFiu4Vl2yOtNp43grdg0gM2OlU and docassemble.jcc.abilitytopay:data/questions/privacy_policy.yml, so we need to reset
[Fri May 08 22:17:49.957901 2020] [wsgi:error] [pid 105828:tid 140020658415360] [remote 5.188.86.218:39928] index: there was an exception ValueError: unregistered extension code 24085 after fetch_user_dict with pE5Z1MfbvBlYRFj43Svl6gmkfNOOklXu and docassemble.jcc.abilitytopay:data/questions/privacy_policy.yml, so we need to reset
[Fri May 08 22:17:55.888056 2020] [wsgi:error] [pid 105828:tid 140020650022656] [remote 5.188.86.218:39980] index: there was an exception UnpicklingError: A load persistent id instruction was encountered,
[Fri May 08 22:17:55.888097 2020] [wsgi:error] [pid 105828:tid 140020650022656] [remote 5.188.86.218:39980] but no persistent_load function was specified. after fetch_user_dict with tjhB1ZOsXmuFAdI2SJDK2ufWyRIAdCIi and docassemble.jcc.abilitytopay:data/questions/privacy_policy.yml, so we need to reset
[Fri May 08 22:18:01.525991 2020] [wsgi:error] [pid 105828:tid 140020650022656] [remote 5.188.86.218:40028] index: there was an exception UnicodeDecodeError: 'utf-8' codec can't decode byte 0x86 in position 0: invalid start byte after fetch_user_dict with HR64aASK8Er4w8xeow6q9vOvfZSfuyC5 and docassemble.jcc.abilitytopay:data/questions/privacy_policy.yml, so we need to reset
[Fri May 08 22:18:07.407263 2020] [wsgi:error] [pid 105828:tid 140020658415360] [remote 5.188.86.218:40068] index: there was an exception UnpicklingError: invalid load key, '+'. after fetch_user_dict with lzKkB8nOiDSjn1hbCghzULMgFJ6LqFts and docassemble.jcc.abilitytopay:data/questions/privacy_policy.yml, so we need to reset
I think this is someone trying to guess some kind of user key? But I don't know how, or if there's any real vulnerability here.
This is on docassemble (0.4.80).
It looks like the privacy_policy.yml interview has encryption enabled (multi_user = True not specified in the YAML).
I would guess that there were errors that led to interview answers getting corrupted in a certain session.
I haven't seen that pickle error before. It seems to be related to the phenomenon of pickle being unable to move forward when the pickled data references a Python class that doesn't exist on the server.
If this was someone trying to break in, it would be someone who already had the session ID for an interview session and was trying to guess the encoded secret that can only be found in the cookie on the user's web browser.
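One way to triage logs like the ones in this thread, as an added example (not part of the original posts and not docassemble code): group the `fetch_user_dict` exceptions in apache2/error.log by remote address and interview, and flag a source that fails against several distinct session IDs within a short window. The function name, window and threshold are assumptions made for illustration; the first four sample lines are taken from the excerpt above and the last one (192.0.2.10) is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"
# Apache wsgi:error lines logged when a stored interview dictionary fails to load.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[wsgi:error\] \[pid [^\]]+\] \[remote (?P<ip>[^\]]+):\d+\] "
    r".*?after fetch_user_dict with (?P<session>\S+) and (?P<interview>\S+?),"
)

def find_fetch_failure_bursts(lines, window=timedelta(minutes=1), threshold=3):
    """Map (ip, interview) -> session IDs for sources that failed against at
    least `threshold` distinct sessions within one `window`."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # continuation lines without the fetch_user_dict suffix are skipped
            ts = datetime.strptime(m["ts"], TS_FORMAT)
            events[(m["ip"], m["interview"])].append((ts, m["session"]))
    flagged = {}
    for key, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            if len({s for _, s in hits[start:end + 1]}) >= threshold:
                flagged[key] = sorted({s for _, s in hits})
                break
    return flagged

TAIL = " and docassemble.jcc.abilitytopay:data/questions/privacy_policy.yml, so we need to reset"
SAMPLE = [
    "[Fri May 08 22:17:44.445325 2020] [wsgi:error] [pid 105828:tid 140020658415360] [remote 5.188.86.218:39880] index: there was an exception UnpicklingError: invalid load key, 'Z'. after fetch_user_dict with A3erJwmFiu4Vl2yOtNp43grdg0gM2OlU" + TAIL,
    "[Fri May 08 22:17:49.957901 2020] [wsgi:error] [pid 105828:tid 140020658415360] [remote 5.188.86.218:39928] index: there was an exception ValueError: unregistered extension code 24085 after fetch_user_dict with pE5Z1MfbvBlYRFj43Svl6gmkfNOOklXu" + TAIL,
    "[Fri May 08 22:17:55.888097 2020] [wsgi:error] [pid 105828:tid 140020650022656] [remote 5.188.86.218:39980] but no persistent_load function was specified. after fetch_user_dict with tjhB1ZOsXmuFAdI2SJDK2ufWyRIAdCIi" + TAIL,
    "[Fri May 08 22:18:07.407263 2020] [wsgi:error] [pid 105828:tid 140020658415360] [remote 5.188.86.218:40068] index: there was an exception UnpicklingError: invalid load key, '+'. after fetch_user_dict with lzKkB8nOiDSjn1hbCghzULMgFJ6LqFts" + TAIL,
    # Constructed line: a single failure from a documentation-range address.
    "[Fri May 08 22:30:00.000000 2020] [wsgi:error] [pid 105828:tid 140020658415360] [remote 192.0.2.10:50000] index: there was an exception UnpicklingError: invalid load key, 'Z'. after fetch_user_dict with CONSTRUCTEDSESSION0000000000000001" + TAIL,
]

if __name__ == "__main__":
    for (ip, interview), sessions in find_fetch_failure_bursts(SAMPLE).items():
        print(ip, interview, len(sessions), "distinct sessions")
```

A single failure, like the constructed last line, stays below the threshold; the repeated failures against different session IDs from one address are what get reported.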