You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Here's the complete stack trace for the exception:
Traceback (most recent call last):
File "/app/.heroku/python/lib/python3.12/site-packages/waitress/channel.py", line 428, in service
task.service()
File "/app/.heroku/python/lib/python3.12/site-packages/waitress/task.py", line 168, in service
self.execute()
File "/app/.heroku/python/lib/python3.12/site-packages/waitress/task.py", line 434, in execute
app_iter = self.channel.server.application(environ, start_response)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/.heroku/python/lib/python3.12/site-packages/newrelic/api/wsgi_application.py", line 599, in _nr_wsgi_application_wrapper_
transaction = WSGIWebTransaction(target_application, environ, source=wrapped)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/.heroku/python/lib/python3.12/site-packages/newrelic/api/web_transaction.py", line 692, in __init__
self._request_uri = urlparse.urlparse(self._request_uri)[2]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/.heroku/python/lib/python3.12/urllib/parse.py", line 395, in urlparse
splitresult = urlsplit(url, scheme, allow_fragments)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/.heroku/python/lib/python3.12/urllib/parse.py", line 500, in urlsplit
_check_bracketed_host(bracketed_host)
File "/app/.heroku/python/lib/python3.12/urllib/parse.py", line 446, in _check_bracketed_host
ip = ipaddress.ip_address(hostname) # Throws Value Error if not IPv6 or IPv4
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/.heroku/python/lib/python3.12/ipaddress.py", line 54, in ip_address
raise ValueError(f'{address!r} does not appear to be an IPv4 or IPv6 address')
ValueError: "'xwork.MethodAccessor.denyMethodExecution'" does not appear to be an IPv4 or IPv6 address
It's probably irrelevant, but the HTTP request was
GET //${#context['xwork.MethodAccessor.denyMethodExecution']=!(#_memberAccess['allowStaticMethodAccess']=true),(@java.lang.Runtime@getRuntime()).exec('ipconfig').waitFor()}.action
As I mentioned above, the request was malformed intentionally by an attacker. It looks like they sent "'xwork.MethodAccessor.denyMethodExecution'" for the IP address and it crashed when NewRelic tried to parse it.
Steps to Reproduce
I'm not sure how to forge a request like this and/or where that fake IP address is taken from, but it would probably reproduce the issue.
Your Environment
It's a Python web app, with the Pyramid web framework, running with Waitress (HTTP server) on Heroku, behind Fastly. Python 3.12.1.
We run the app with newrelic-admin run-program python path/to/app.py.
The text was updated successfully, but these errors were encountered:
Description
Someone sent malformed requests to try to find vulnerabilities. Some of them raised exceptions in NewRelic's code.
Expected Behavior
Not raise an exception and let the app handle it.
Troubleshooting or NR Diag results
Here's the complete stack trace for the exception:
It's probably irrelevant, but the HTTP request was
The stack trace seems to point to this line:
newrelic-python-agent/newrelic/api/web_transaction.py
Line 692 in 56fbda1
As I mentioned above, the request was malformed intentionally by an attacker. It looks like they sent
"'xwork.MethodAccessor.denyMethodExecution'"for the IP address and it crashed when NewRelic tried to parse it.Steps to Reproduce
I'm not sure how to forge a request like this and/or where that fake IP address is taken from, but it would probably reproduce the issue.
Your Environment
It's a Python web app, with the Pyramid web framework, running with Waitress (HTTP server) on Heroku, behind Fastly. Python 3.12.1.
We run the app with
newrelic-admin run-program python path/to/app.py.The text was updated successfully, but these errors were encountered: