Hey, everybody.
I noticed that the default converters do not check the syntax of parameters such as:
- minlength
- maxlength
- etc.
when the ";" delimiter is used instead of "," (there is no clear and exhaustive description of this in the documentation, for example here: https://werkzeug.palletsprojects.com/en/3.0.x/routing/#built-in-converters). This does not cause an exception to be thrown; moreover, syntax of this kind:
```
<int(minL=0;max=500):my_value>
<int(min=0;max=500):my_value>
```
does not apply any parameters other than max at all.
In another case, for example:
```
<string(minLength=8;maxlength=32):my_value>
```
minLength=8 is also not applied,
but in case you write it like this:
```
<string(minlength=8;maxLength=32):my_value>
```
an exception occurs:
```
UnicodeConverter:
..\site-packages\werkzeug\routing\converters.py:254 and :77
..\site-packages\werkzeug\routing\rules.py:578
TypeError: __init__() got an unexpected keyword argument 'maxLength'
```
What do I see as the solutions to this situation?
- describe the correct syntax in the documentation, so that it would be a complete and exhaustive description (currently the syntax is only specified for python function arguments, but not for rule_route).
- fix checking of parameter syntax in the stringtype fragment of rule_route
- execute both items 1 and 2 at once.
Below is the full traceback of the error:
- if syntax:
```
<string(minlength=8,maxLength=32):my_value>
```
```
File "...\lib\site-packages\flask\sansio\scaffold.py", line 44, in wrapper_func
    return f(self, *args, **kwargs)
File "...\lib\site-packages\flask\sansio\app.py", line 655, in add_url_rule
    self.url_map.add(rule)
File "...\lib\site-packages\werkzeug\routing\map.py", line 169, in add
    rule.bind(self)
File "...\lib\site-packages\werkzeug\routing\rules.py", line 563, in bind
    self.compile()
File "...\lib\site-packages\werkzeug\routing\rules.py", line 708, in compile
    self._parts.extend(self._parse_rule(rule))
File "...\lib\site-packages\werkzeug\routing\rules.py", line 614, in _parse_rule
    convobj = self.get_converter(
File "...\lib\site-packages\werkzeug\routing\rules.py", line 578, in get_converter
    return self.map.converters[converter_name](self.map, *args, **kwargs)
TypeError: __init__() got an unexpected keyword argument 'maxLength'
```
- if syntax:
```
<string(minlength=8;maxLength=32):my_value>
```
```
File "...\lib\site-packages\flask\sansio\scaffold.py", line 44, in wrapper_func
    return f(self, *args, **kwargs)
File "...\lib\site-packages\flask\sansio\app.py", line 655, in add_url_rule
    self.url_map.add(rule)
File "...\lib\site-packages\werkzeug\routing\map.py", line 169, in add
    rule.bind(self)
File "...\lib\site-packages\werkzeug\routing\rules.py", line 563, in bind
    self.compile()
File "...\lib\site-packages\werkzeug\routing\rules.py", line 708, in compile
    self._parts.extend(self._parse_rule(rule))
File "...\lib\site-packages\werkzeug\routing\rules.py", line 614, in _parse_rule
    convobj = self.get_converter(
File "...\lib\site-packages\werkzeug\routing\rules.py", line 578, in get_converter
    return self.map.converters[converter_name](self.map, *args, **kwargs)
TypeError: __init__() got an unexpected keyword argument 'maxLength'
```
- if syntax:
```
<string(min_my_any_incorrect_input_length=8;maxlength=32):my_value>
```
the error is not present, but is expected to be present
- if syntax:
```
<string(min_my_any_incorrect_input_length=8,maxlength=32):my_value>
```
```
File "...\lib\site-packages\flask\sansio\scaffold.py", line 44, in wrapper_func
    return f(self, *args, **kwargs)
File "...\lib\site-packages\flask\sansio\app.py", line 655, in add_url_rule
    self.url_map.add(rule)
File "...\lib\site-packages\werkzeug\routing\map.py", line 169, in add
    rule.bind(self)
File "...\lib\site-packages\werkzeug\routing\rules.py", line 563, in bind
    self.compile()
File "...\lib\site-packages\werkzeug\routing\rules.py", line 708, in compile
    self._parts.extend(self._parse_rule(rule))
File "...\lib\site-packages\werkzeug\routing\rules.py", line 614, in _parse_rule
    convobj = self.get_converter(
File "...\lib\site-packages\werkzeug\routing\rules.py", line 578, in get_converter
    return self.map.converters[converter_name](self.map, *args, **kwargs)
TypeError: __init__() got an unexpected keyword argument 'min_my_any_incorrect_input_length'
```
Once again, let me rephrase what was said:
If a delimiter such as ";" is specified where "," is expected, then the parameters and their syntax are not checked, and no invalid-syntax exception is raised, either for the delimiter character ";" or for an invalid parameter name, e.g. (from the code snippets above) "min_my_any_incorrect_input_length".
In this case, the compilation of the application (in my case Flask) completes without error, while min & max length are expected to work correctly.
This could create potential security threats, but I don't think it's worth listing the possible variations of potential vulnerabilities.
Environment:
- Python version: 3.9.10
- Werkzeug version: 3.0.0
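The following is an added, self-contained illustration of the reported behaviour and of the two checks the report asks for; it is not Werkzeug's own code. It models converter-argument parsing as a regex that requires every argument to end in a comma: the lenient variant collects whatever fragments happen to match (so `minL=0;max=500` silently yields only `max`), while the strict variant rejects any text that does not belong to a matched argument (the `;` and everything before it). A second check compares the keyword names against the converter's declared parameters, using a stand-in class (`UnicodeConverterLike`, constructed here) that only mirrors the `minlength`/`maxlength`/`length` keywords of the real `UnicodeConverter`. The regex, the helper names and the class are assumptions of this example, not the library's API.

```python
import ast
import inspect
import re

# Constructed grammar for "<converter(args):name>" argument strings (not Werkzeug's):
# each argument is an optional "name=" followed by a value and a terminating comma.
_ARG_RE = re.compile(
    r"""
    \s*
    ((?P<name>\w+)\s*=\s*)?          # optional keyword name
    (?P<value>
        True|False|None|
        \d+\.\d+|\d+|
        [\w.]+|
        "[^"]*"|'[^']*'
    )\s*,                            # every argument must end with a comma
    """,
    re.VERBOSE,
)


def _pythonize(raw):
    """Turn an argument token into a Python value; bare words stay strings."""
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError):
        return raw


def parse_converter_args_lenient(argstr):
    """Collect whatever fragments match and skip unparseable text silently.
    Reproduces the symptom above: 'minL=0;max=500' yields only {'max': 500}."""
    args, kwargs = [], {}
    for m in _ARG_RE.finditer(argstr + ","):
        value = _pythonize(m.group("value"))
        if m.group("name"):
            kwargs[m.group("name")] = value
        else:
            args.append(value)
    return tuple(args), kwargs


def parse_converter_args_strict(argstr):
    """Same grammar, but every character must belong to a matched argument;
    leftover text (a ';' separator, stray characters) raises ValueError."""
    args, kwargs = [], {}
    position = 0
    text = argstr + ","
    for m in _ARG_RE.finditer(text):
        if m.start() != position:
            raise ValueError(
                f"cannot parse converter argument {argstr[position:m.start()]!r}"
            )
        value = _pythonize(m.group("value"))
        if m.group("name"):
            kwargs[m.group("name")] = value
        else:
            args.append(value)
        position = m.end()
    if position != len(text):
        raise ValueError(f"cannot parse converter argument {argstr[position:]!r}")
    return tuple(args), kwargs


class UnicodeConverterLike:
    """Stand-in (constructed) with the keyword parameters of Werkzeug's
    UnicodeConverter: minlength, maxlength, length. 'map' mirrors the real signature."""

    def __init__(self, map, minlength=1, maxlength=None, length=None):
        self.minlength, self.maxlength, self.length = minlength, maxlength, length


def check_converter_kwargs(converter_cls, kwargs):
    """Reject keyword names the converter does not declare, listing the accepted
    names in the message (clearer than the bare TypeError from __init__)."""
    params = inspect.signature(converter_cls.__init__).parameters
    accepted = {name for name in params if name not in ("self", "map")}
    unknown = sorted(set(kwargs) - accepted)
    if unknown:
        raise ValueError(
            f"unknown converter argument(s) {unknown}; accepted: {sorted(accepted)}"
        )
    return True


def validate_rule_args(converter_cls, argstr):
    """Strict parse plus keyword check. Returns (True, kwargs) or (False, reason)."""
    try:
        _args, kwargs = parse_converter_args_strict(argstr)
        check_converter_kwargs(converter_cls, kwargs)
    except ValueError as exc:
        return False, str(exc)
    return True, kwargs


if __name__ == "__main__":
    for argstr in ("minlength=8,maxlength=32", "minlength=8;maxLength=32",
                   "minlength=8,maxLength=32", "min_my_any_incorrect_input_length=8;maxlength=32"):
        print(f"{argstr!r:55} lenient={parse_converter_args_lenient(argstr)[1]}"
              f"  strict={validate_rule_args(UnicodeConverterLike, argstr)}")
```

Running the block shows the contrast the report describes: the lenient parser turns `minlength=8;maxLength=32` into `{'maxLength': 32}` (which is exactly the keyword the traceback then complains about) and turns `min_my_any_incorrect_input_length=8;maxlength=32` into `{'maxlength': 32}` with no error at all, while the strict parser refuses both at rule-compilation time and names the unparsed fragment.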