Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix construction of cookie using user supplied input #12808 #13029

Open
wants to merge 3 commits into
base: develop
Choose a base branch
from
Open

fix construction of cookie using user supplied input #12808 #13029

wants to merge 3 commits into from

Conversation

KumarVivekPathak
Copy link

Summary

This PR addresses the code scanning alert in issue #12808 by ensuring that the visitor_id cookie value is validated before use.

The validation ensures:

  • The visitor_id cookie is a valid hex UUID by attempting to parse it with UUID(visitor_id, version=4).
  • If the validation fails or the cookie does not exist, a new visitor_id is generated using uuid4().hex.
  • The validated or newly generated visitor_id is then set in the response.

@github-actions github-actions bot added the DEV: backend Python, databases, networking, filesystem... label Jan 24, 2025
@rtibbles rtibbles self-assigned this Jan 25, 2025
nucleogenesis
nucleogenesis approved these changes Jan 30, 2025
View reviewed changes
Copy link
Member

@nucleogenesis nucleogenesis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I manually changed my visitor ID in my cookies and navigated and the cookie was refreshed as expected.

Code changes LGTM!

Great work, thank you @KumarVivekPathak

rtibbles
rtibbles requested changes Jan 31, 2025
View reviewed changes
Copy link
Member

@rtibbles rtibbles left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One small tweak to streamline the code.

kolibri/core/auth/api.py Outdated
if not request.COOKIES.get("visitor_id"):
try:
existing_visitor_id = request.COOKIES.get("visitor_id")
if existing_visitor_id:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One small tweak - no need to add this if/else here - if you pass None to the UUID constructor it will also throw a TypeError so we can handle all cases where the uuid is not a valid v4 UUID in the except block.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes I got that I'll change it.

@github-actions GitHub Actions
Copy link
Contributor

Build Artifacts

Asset type Download link
PEX file kolibri-0.18.0a0.dev0_git.415.gfb36accd.pex
Windows Installer (EXE) kolibri-0.18.0a0.dev0+git.415.gfb36accd-windows-setup-unsigned.exe
Debian Package kolibri_0.18.0a0.dev0+git.415.gfb36accd-0ubuntu1_all.deb
Mac Installer (DMG) kolibri-0.18.0a0.dev0+git.415.gfb36accd.dmg
Android Package (APK) kolibri-0.18.0a0.dev0+git.415.gfb36accd-0.1.4-debug.apk
Raspberry Pi Image kolibri-pi-image-0.18.0a0.dev0+git.415.gfb36accd.zip
TAR file kolibri-0.18.0a0.dev0+git.415.gfb36accd.tar.gz
WHL file kolibri-0.18.0a0.dev0+git.415.gfb36accd-py2.py3-none-any.whl

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rtibbles rtibbles rtibbles requested changes

@nucleogenesis nucleogenesis nucleogenesis approved these changes

@bjester bjester Awaiting requested review from bjester

Requested changes must be addressed to merge this pull request.

Assignees

@rtibbles rtibbles

Labels
DEV: backend Python, databases, networking, filesystem...
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@KumarVivekPathak @rtibbles @nucleogenesis