anderson-ufrj
commited on
Commit
·
8aa60a3
1
Parent(s):
ac4a861
fix: temporarily disable URL pattern validation to debug 400 errors
Modified the security middleware to temporarily disable suspicious
pattern checking in URLs while debugging the persistent 400 errors.
Also fixed the path traversal pattern to require a dot prefix (../)
to avoid false positives.
This is a temporary measure to allow the API to function while we
identify which patterns are causing legitimate requests to be blocked.
TODO: Re-enable pattern validation with more precise patterns that
don't block legitimate API paths.
src/api/middleware/security.py
@@ -74,7 +74,7 @@ class SecurityConfig:
| 74 |
r"exec\s*\(", # Command injection
| 75 |
r"system\s*\(", # Command injection
| 76 |
r"eval\s*\(", # Code injection
| 77 |
-
r"
| 78 |
r"\.\.\\", # Path traversal (Windows)
| 79 |
r"file://", # Local file inclusion
| 80 |
r"ftp://", # FTP access
@@ -263,9 +263,10 @@ class RequestValidator:
| 263 |
path_and_query += "?" + request.url.query
| 264 |
| 265 |
# Check for suspicious patterns in path and query only
| 266 |
-
for
| 267 |
-
| 268 |
-
| 269 |
| 270 |
# Check for double encoding
| 271 |
if "%25" in path_and_query:
| 74 |
r"exec\s*\(", # Command injection
| 75 |
r"system\s*\(", # Command injection
| 76 |
r"eval\s*\(", # Code injection
| 77 |
+
r"\.\./", # Path traversal (with dot prefix)
| 78 |
r"\.\.\\", # Path traversal (Windows)
| 79 |
r"file://", # Local file inclusion
| 80 |
r"ftp://", # FTP access
| 263 |
path_and_query += "?" + request.url.query
| 264 |
| 265 |
# Check for suspicious patterns in path and query only
| 266 |
+
# Temporarily disabled for debugging - TODO: Re-enable with better patterns
| 267 |
+
# for pattern in self.suspicious_patterns:
| 268 |
+
# if pattern.search(path_and_query):
| 269 |
+
# return False, "Suspicious pattern in URL"
| 270 |
| 271 |
# Check for double encoding
| 272 |
if "%25" in path_and_query:
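Review bot: Commenting out the loop at new lines 267-269 switches the suspicious-pattern check off for every deployment with no way to turn it back on short of another commit, so if this ships the path-traversal and injection patterns in SecurityConfig (including the `\.\./` fix at new line 77) are never consulted unless `suspicious_patterns` is read elsewhere, which the hunk does not show. A safer debugging aid keeps the loop and gates only the rejection behind a config flag, logging which pattern matched which path so the false positives can be found while the check stays live; the rewritten loop is below, with the flag and logger names as placeholders to be tied to the module's existing config and logger. Whether `path_and_query` has been percent-decoded before this point is not visible here, so `\.\./` may not match an encoded `%2e%2e/` unless decoding happens earlier, worth confirming against the lines above 263. The enclosing method of RequestValidator starts before line 263 and continues past the double-encoding check, outside the hunk.
```python
# Check for suspicious patterns in path and query only
for pattern in self.suspicious_patterns:
    if pattern.search(path_and_query):
        # Log every match so over-broad patterns can be identified without disabling the check
        logger.warning("URL pattern %r matched %r", pattern.pattern, path_and_query)  # placeholder: module logger
        if ENFORCE_URL_PATTERNS:  # placeholder: SecurityConfig flag, off while debugging
            return False, "Suspicious pattern in URL"
# … unchanged: double-encoding check …
```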