I'm not finding the information for this in the documentation. Specific situation: Attacker tries to perform an XSS attack by sending a JSON payload followed by

Attacker sends:

```bash
curl -X 'POST' \
  'https://localhost:8000/login/' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "username": "user",
  "password": "password"
}<script>alert("alert")</script>'
```

The FastAPI router processes the information using the code:

```python
@router.post(
    "/login/",
    status_code=status.HTTP_200_OK,
    tags=["Logs in user"],
    summary="Logs in user",
    description="Logs in user",
    response_model=LoginResponse,
)
def login(user_login: AppUserLogin, db: Session = Depends(get_session)):
    response = userService.login(db, user_login)
    if response.status_code == status.HTTP_422_UNPROCESSABLE_ENTITY:
        return JSONResponse(
            status_code=status.HTTP_401_UNAUTHORIZED,
            content=jsonable_encoder({"error": "Invalid username or password"}),
        )
    return response
```

Which performs the evaluation, etc. The problem here is that Uvicorn catches the 422 error here and so FastAPI is not allowed to handle the error. Uvicorn instead returns the following:

```json
{
  "detail": [
    {
      "loc": [
        "body",
        61
      ],
      "msg": "Extra data: line 4 column 2 (char 61)",
      "type": "value_error.jsondecode",
      "ctx": {
        "msg": "Extra data",
        "doc": "{\n \"username\": \"user\",\n \"password\": \"password\"\n}<script>alert(1)</script>",
        "pos": 61,
        "lineno": 4,
        "colno": 2
      }
    }
  ]
}
```

What I want to do is return status.HTTP_401_UNAUTHORIZED and a generic comment instead of reflecting input into the response.

Thanks in advance for any help!
No. This is not happening. Use this.