newrelic-python-agent
newrelic-python-agent copied to clipboard
newrelic
Exception when invalid IP address
Description Someone sent malformed requests to try to find vulnerabilities. Some of them raised exceptions in NewRelic's code.
Expected Behavior Not raise an exception and let the app handle it.
Troubleshooting or NR Diag results
Here's the complete stack trace for the exception:
Traceback (most recent call last):
File "/app/.heroku/python/lib/python3.12/site-packages/waitress/channel.py", line 428, in service
task.service()
File "/app/.heroku/python/lib/python3.12/site-packages/waitress/task.py", line 168, in service
self.execute()
File "/app/.heroku/python/lib/python3.12/site-packages/waitress/task.py", line 434, in execute
app_iter = self.channel.server.application(environ, start_response)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/.heroku/python/lib/python3.12/site-packages/newrelic/api/wsgi_application.py", line 599, in _nr_wsgi_application_wrapper_
transaction = WSGIWebTransaction(target_application, environ, source=wrapped)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/.heroku/python/lib/python3.12/site-packages/newrelic/api/web_transaction.py", line 692, in __init__
self._request_uri = urlparse.urlparse(self._request_uri)[2]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/.heroku/python/lib/python3.12/urllib/parse.py", line 395, in urlparse
splitresult = urlsplit(url, scheme, allow_fragments)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/.heroku/python/lib/python3.12/urllib/parse.py", line 500, in urlsplit
_check_bracketed_host(bracketed_host)
File "/app/.heroku/python/lib/python3.12/urllib/parse.py", line 446, in _check_bracketed_host
ip = ipaddress.ip_address(hostname) # Throws Value Error if not IPv6 or IPv4
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/.heroku/python/lib/python3.12/ipaddress.py", line 54, in ip_address
raise ValueError(f'{address!r} does not appear to be an IPv4 or IPv6 address')
ValueError: "'xwork.MethodAccessor.denyMethodExecution'" does not appear to be an IPv4 or IPv6 address
It's probably irrelevant, but the HTTP request was
GET //${#context['xwork.MethodAccessor.denyMethodExecution']=!(#_memberAccess['allowStaticMethodAccess']=true),(@java.lang.Runtime@getRuntime()).exec('ipconfig').waitFor()}.action
The stack trace seems to point to this line: https://github.com/newrelic/newrelic-python-agent/blob/56fbda161ec68c63c80755caf2ff5ed1ddd84819/newrelic/api/web_transaction.py#L692
As I mentioned above, the request was malformed intentionally by an attacker. It looks like they sent "'xwork.MethodAccessor.denyMethodExecution'" for the IP address and it crashed when NewRelic tried to parse it.
Steps to Reproduce I'm not sure how to forge a request like this and/or where that fake IP address is taken from, but it would probably reproduce the issue.
Your Environment It's a Python web app, with the Pyramid web framework, running with Waitress (HTTP server) on Heroku, behind Fastly. Python 3.12.1.
We run the app with newrelic-admin run-program python path/to/app.py.
I just wanted to mention that this is still an issue. Someone forging a request just triggered the error again. We're currently on Python 3.12.3, with NewRelic 9.10.0.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
![stale[bot] avatar](https://avatars.githubusercontent.com/in/1724?v=4 "Published by a pub.dev verified publisher"){kind=small}
Hello--sorry about the delay on this. I have a branch that should fix this. Could you use this branch to see if that resolves the issue for you?
https://github.com/newrelic/newrelic-python-agent/tree/malformed-requests-exception
You can install it using pip install git+https://github.com/newrelic/newrelic-python-agent.git@malformed-requests-exception
Thank you! Unfortunately, it's not a bug we encounter often. I won't be able to confirm if the fix worked or not.
That's fair. In that case, I'll merge the branch and if this does not end up fixing the issue after all, we can reopen the ticket.