Flagsmith/flagsmith

Null-terminated query parameters cause server errors in the Core SDK endpoints

Open

Aperta il 30 ott 2023

Vedi su GitHub
 (0 commenti) (0 reazioni) (0 assegnatari)Python (3475 star) (264 fork)batch import
buggood first issue

Descrizione

Example Sentry issue: FLAGSMITH-API-3TZ

ValueError: A string literal cannot contain NUL (0x00) characters.
(15 additional frame(s) were not displayed)
...
  File "environments/identities/views.py", line 185, in get
    .get_or_create(identifier=identifier, environment=request.environment)

This should be a problem for every view that accesses query parameters directly.

A quick search yields 8 occurences of this: https://github.com/search?q=repo%3AFlagsmith%2Fflagsmith+query_params.get&type=code

For each of those we need to assess the performance impact of using a serializer (DRF's CharField handles null chars).

Guida contributor

Tech stack
pythondjangorest api
Dominio
backendapi
Tipo issue
bug
DifficoltàQuanto dovrebbe essere impegnativa per un nuovo contributor.
3
Tempo stimatoTempo stimato per completare e verificare uno scope piccolo.
1-3 hours
Stato attivitàQuanto è probabile che la issue sia ancora attiva e reviewable.
fresh
ChiarezzaQuanto chiaramente la issue descrive problema, scope e risultato atteso.
mostly clear
Prerequisiti
basic PythonDjango REST Framework understanding
Adatta ai principiantiQuanto la issue è adatta a contributor alla prima esperienza.
30
Direzione di ricerca
Investigate the impact of null bytes in query parameters across the codebase. Focus on the 8 occurrences of query params.get identified in the linked GitHub search. Test each endpoint with null characters to confirm the error. Consider replacing direct query parameter access with DRF serializers (which handle null chars) while assessing performance trade offs. The Sentry issue points to environments/identities/views.py line 185 as a starting point.