- Bug
- Resolution: Done
- Medium
- None
- None
- SIMPLY S8 April 13 - 27, SIMPLY S9 April 27 - May 11, SIMPLY S10 May 11 - May 25, SIMPLY S11 May 25 - June 8
- 3

Hitting the root URL of the dockerized registry in ECS triggers an internal server error (ISE). The logs give the following traceback:

```
Traceback (most recent call last):
  File "/simplye_venv/simplye_app-2zo-yRvq/lib/python3.9/site-packages/flask/app.py", line 2447, in wsgi_app
    response = self.full_dispatch_request()
  [...]
  File "/simplye_app/app_helpers.py", line 45, in decorated
    location = GeometryUtility.point_from_ip(ip)
  File "/simplye_app/util/__init__.py", line 34, in point_from_ip
    match = reader.get(ip_address)
  File "/simplye_venv/simplye_app-2zo-yRvq/lib/python3.9/site-packages/maxminddb/reader.py", line 120, in get
    (record, _) = self.get_with_prefix_len(ip_address)
  File "/simplye_venv/simplye_app-2zo-yRvq/lib/python3.9/site-packages/maxminddb/reader.py", line 133, in get_with_prefix_len
    address = ipaddress.ip_address(ip_address)
  File "/usr/local/lib/python3.9/ipaddress.py", line 53, in ip_address
    raise ValueError('%r does not appear to be an IPv4 or IPv6 address' %
ValueError: '209.17.96.106, 10.225.129.251' does not appear to be an IPv4 or IPv6 address
```

The last line indicates that the Flask app is receiving a comma-separated string as the originating IP, which can happen when the `X-Forwarded-For` header passes through more than one proxy. The second IP in that sequence is from an AWS CIDR range, so it is presumably the IP of the load balancer and should be ignored in favor of the first IP.

The app code should be more resilient to variable `X-Forwarded-For` inputs, and possibly the Nginx configuration should be tweaked to rewrite the header value.
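
One way to make the lookup resilient, as an added example that is not the project's own code: it goes beyond "take the first IP" by walking the hops from the right and skipping our own proxies, so a value the client prepends to `X-Forwarded-For` is never used. The function name `client_ip_from_xff`, the trusted ranges, and the idea that Flask's direct peer is Nginx are assumptions.

```python
import ipaddress

# Assumption: our own proxies (load balancer, Nginx) live in these ranges.
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def _parse(token):
    """Return an ip_address for one header element, or None if malformed."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def client_ip_from_xff(header_value, remote_addr):
    """Choose the address to geolocate, or None if there is no usable one.

    header_value: raw X-Forwarded-For string (may be None or multi-valued).
    remote_addr:  address of the direct TCP peer as seen by the app.
    """
    peer = _parse(remote_addr or "")
    if peer is None:
        return None
    # The header is only meaningful when the peer is one of our proxies;
    # otherwise anyone connecting directly could set it to anything.
    if not _is_trusted(peer):
        return str(peer)
    hops = [h for h in (header_value or "").split(",") if h.strip()]
    # Rightmost entries were appended by the proxies closest to us.
    for token in reversed(hops):
        addr = _parse(token)
        if addr is None:
            return None  # malformed hop: do not trust anything left of it
        if not _is_trusted(addr):
            return str(addr)
    return None  # only internal addresses seen; skip geolocation
```

A caller such as the decorator in `app_helpers.py` would pass the result to the geolocation lookup only when it is not `None`.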