
Record JSON parser errors due to invalid reports

mo khan requested to merge sentry-1350443 into master

What does this MR do?

When a third party integration attempts to upload an invalid or malicious license_scanning report we currently log the error, then we throw away the original error and raise a new error that is rescued in several different places in the code base. When a JSON parser error is raised and sent to sentry there is no action that we can take so it doesn't help to record it.

This MR updates the License scanning report parser to return an empty report when the raw artifact cannot be parsed as a JSON document. The current code bubbles up an exception that isn't handled meaningfully by code that calls this parser. The effect of that is that an error message is displayed to the user and a 500 error is returned to the FE code. This change records the original error and attempts to include meaningful information that can be used for taking action.

This error can be tracked here. To produce this error, you need to upload an invalid gl-license-scanning-report.json.
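As an added illustration of the behaviour described above (not the MR's own diff or GitLab's code), the following Ruby sketch shows a report parser that rescues the JSON parser error, records the original exception together with context a responder can act on (job id, artifact size, a bounded excerpt), and returns an empty report instead of raising. The `ErrorRecorder` class, the `InvalidReportError` class, the report shape and the sample artifacts are all assumptions constructed for this example.

```ruby
require 'json'

# Constructed stand-in for an error-tracking sink (e.g. whatever reports to
# Sentry in a real project). It just keeps the recorded events in memory.
class ErrorRecorder
  attr_reader :events

  def initialize
    @events = []
  end

  # Record the original exception class and message plus caller-supplied
  # context, so the event is actionable rather than a bare parser error.
  def record(error, context)
    @events << { error_class: error.class.name, message: error.message }.merge(context)
  end
end

class LicenseScanningReportParser
  # Raised when the document parses as JSON but is not a report object.
  InvalidReportError = Class.new(StandardError)

  # Shape of the empty report returned for an unparsable artifact (assumed).
  EMPTY_REPORT = { version: nil, licenses: [], dependencies: [] }.freeze

  # Bound the excerpt so a large or malicious upload never bloats the event.
  MAX_EXCERPT_BYTES = 80

  def initialize(error_recorder)
    @error_recorder = error_recorder
  end

  # Parse the raw artifact. On failure, record the original error with
  # context and return an empty report instead of propagating the exception.
  def parse(raw_artifact, job_id: nil)
    data = JSON.parse(raw_artifact)
    raise InvalidReportError, "top-level JSON value is #{data.class}, expected object" unless data.is_a?(Hash)

    build_report(data)
  rescue JSON::ParserError, InvalidReportError => e
    @error_recorder.record(
      e,
      job_id: job_id,
      size: raw_artifact.bytesize,
      excerpt: raw_artifact.byteslice(0, MAX_EXCERPT_BYTES)
    )
    EMPTY_REPORT.dup
  end

  private

  def build_report(data)
    {
      version: data['version'],
      licenses: Array(data['licenses']),
      dependencies: Array(data['dependencies'])
    }
  end
end

# Constructed sample artifacts: one well-formed, one truncated mid-document
# (as an interrupted or deliberately broken upload would be), one wrong type.
VALID_REPORT = '{"version":"2.1","licenses":[{"id":"MIT","name":"MIT License"}],"dependencies":[]}'
TRUNCATED_REPORT = '{"version":"2.1","licenses":['
ARRAY_REPORT = '[1, 2, 3]'

# Run all three artifacts through one parser and return the results plus the
# recorded events, so the caller can see that no exception escapes.
def demo
  recorder = ErrorRecorder.new
  parser = LicenseScanningReportParser.new(recorder)
  ok = parser.parse(VALID_REPORT, job_id: 1)
  empty_from_truncated = parser.parse(TRUNCATED_REPORT, job_id: 2)
  empty_from_array = parser.parse(ARRAY_REPORT, job_id: 3)
  [ok, empty_from_truncated, empty_from_array, recorder.events]
end

if __FILE__ == $PROGRAM_NAME
  ok, truncated, array, events = demo
  puts "valid report licenses: #{ok[:licenses].size}"
  puts "truncated report -> #{truncated.inspect}"
  puts "array report -> #{array.inspect}"
  events.each { |ev| puts "recorded: #{ev[:error_class]} (job #{ev[:job_id]}, #{ev[:size]} bytes)" }
end
```

Callers that previously rescued a re-raised generic error in several places can now simply treat an empty report as "nothing to show", while the recorded event carries the original parser message and enough context to find the offending job.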

Screenshots

screenshot-2020-03-10-1583881722

screenshot-2020-03-10-1583881728

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by 🤖 GitLab Bot 🤖
