Remove insecure mode #468
Remove insecure mode #468
Conversation
|
LGTM. |
| message = traceback.format_exc() | ||
| else: | ||
| message = 'Internal Server Error' | ||
| util.send_json_http_exception(response, message, 500) |
There was a problem hiding this comment.
Is this entire diff related to the purpose of the PR?
I feel like catching the base class is a good idea here rather than letting it go up the stack.
Suggest leaving the catch but remove the inner if statement.
There was a problem hiding this comment.
@kofalt I added a ref to issue #451, which could be addressed as a separate change but since this except branch was clearly added to facilitate debug mode I removed it. I chose to let it go up the stack because without debug mode, the behavior would always be "log the error and send a message saying 'Internal Server Error'" to the client, which we can do just by letting the exception bubble up. Also it seems to me having 500's return JSON is not a good idea because other times we may not catch an error and thus the body may or may not be JSON encoded, which could cause issues for the requester. Status code 500 defined as "A generic error message, given when an unexpected condition was encountered and no more specific message is suitable"
There was a problem hiding this comment.
I guess whether or not 500's should be JSON is debatable, from description of 5xx status codes: "Except when responding to a HEAD request, the server SHOULD include an entity containing an explanation of the error situation" I think in the case of 500 specifically JSON should not be included since this is the code used for an uncaught exception, compared to other more specific 5xx codes purposefully generated by the server.
There was a problem hiding this comment.
As long as there is there is defined behaviour for Exception bubbling up I'm fine with it 👍
There was a problem hiding this comment.
webapp2 doesn't define a default handler for any error codes, so it will call WSGIApplication._internal_error which logs to the root logger with level error, however it only logs the exception and not a traceback. I'm going to remove #451 from the list of issues this PR fixes, and update it to include an action item for adding a 500 handler to log the traceback.
|
This looks great 👍 lots of branches removed. @ryansanford Can you confirm we don't need insecure & debug for anything anymore? I don't use it... |
|
It was my understanding that we were going to remove insecure mode and debug links, but not debug mode, which prints stack traces, IIRC. I strongly suggest that we keep this PR limited to the first two items and discuss the last one separately. Just adding a couple of comments on what's mentioned above:
|
|
@gsfr I agree leaving 500 errors JSON for the sake of consistency makes sense. Right now we may have some 500's which are not json-encoded, #451 will address that in addition to logging the traceback. Thus, I reverted my changes to that try-except block I also restored debug mode, I know other frameworks have had security issues where debug mode has a remote code execution vulnerability and thus having a way to enable it in production carries some risk. That's definitely not what this PR was about so I've reverted that change as well. |
coltonlw
force-pushed
the
remove-insecure-mode
branch
2 times, most recently
from
2fb5d5a to
a77b64e
Compare
|
Per offline discussion, revert change in |
coltonlw
force-pushed
the
remove-insecure-mode
branch
3 times, most recently
from
3e5d2ae to
077edbd
Compare
coltonlw
force-pushed
the
remove-insecure-mode
branch
from
077edbd to
11efd4e
Compare
|
Thanks, @coltonlw. LGTM, but untested. |
|
I can test tomorrow but just looking it over it LGTM2. |
This removes insecure mode
Fixes: #410