Here's the complete stack trace for the exception:
Traceback (most recent call last):
  File "/app/.heroku/python/lib/python3.12/site-packages/waitress/channel.py", line 428, in service
    task.service()
  File "/app/.heroku/python/lib/python3.12/site-packages/waitress/task.py", line 168, in service
    self.execute()
  File "/app/.heroku/python/lib/python3.12/site-packages/waitress/task.py", line 434, in execute
    app_iter = self.channel.server.application(environ, start_response)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/.heroku/python/lib/python3.12/site-packages/newrelic/api/wsgi_application.py", line 599, in _nr_wsgi_application_wrapper_
    transaction = WSGIWebTransaction(target_application, environ, source=wrapped)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/.heroku/python/lib/python3.12/site-packages/newrelic/api/web_transaction.py", line 692, in __init__
    self._request_uri = urlparse.urlparse(self._request_uri)[2]
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/.heroku/python/lib/python3.12/urllib/parse.py", line 395, in urlparse
    splitresult = urlsplit(url, scheme, allow_fragments)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/.heroku/python/lib/python3.12/urllib/parse.py", line 500, in urlsplit
    _check_bracketed_host(bracketed_host)
  File "/app/.heroku/python/lib/python3.12/urllib/parse.py", line 446, in _check_bracketed_host
    ip = ipaddress.ip_address(hostname) # Throws Value Error if not IPv6 or IPv4
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/.heroku/python/lib/python3.12/ipaddress.py", line 54, in ip_address
    raise ValueError(f'{address!r} does not appear to be an IPv4 or IPv6 address')
ValueError: "'xwork.MethodAccessor.denyMethodExecution'" does not appear to be an IPv4 or IPv6 address
It's probably irrelevant, but the HTTP request was
GET //${#context['xwork.MethodAccessor.denyMethodExecution']=!(#_memberAccess['allowStaticMethodAccess']=true),(@java.lang.Runtime@getRuntime()).exec('ipconfig').waitFor()}.action
As I mentioned above, the request was malformed intentionally by an attacker. It looks like they sent "'xwork.MethodAccessor.denyMethodExecution'" for the IP address and it crashed when NewRelic tried to parse it.
Steps to Reproduce
I'm not sure how to forge a request like this and/or where that fake IP address is taken from, but it would probably reproduce the issue.
Your Environment
It's a Python web app, with the Pyramid web framework, running with Waitress (HTTP server) on Heroku, behind Fastly. Python 3.12.1.
We run the app with newrelic-admin run-program python path/to/app.py.
I just wanted to mention that this is still an issue. Someone forging a request just triggered the error again. We're currently on Python 3.12.3, with NewRelic 9.10.0.
Description
Someone sent malformed requests to try to find vulnerabilities. Some of them raised exceptions in NewRelic's code.
Expected Behavior
Not raise an exception and let the app handle it.
Troubleshooting or NR Diag results
The stack trace seems to point to this line: newrelic-python-agent/newrelic/api/web_transaction.py, line 692 in 56fbda1
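The traceback in this issue ends inside urllib.parse.urlsplit(): a request target that begins with "//" is read as a network-path reference, so the text up to the next "/", "?" or "#" is treated as a host, and on the Python 3.12 shown in the trace a [...] pair inside it is validated as an IP literal. The following is an added example (not code from the agent or from this issue) of extracting the path without raising; request_path, stdlib_path and the sample target are hypothetical names and constructed input.

```python
from urllib.parse import urlsplit

# Constructed sample: a harmless stand-in with the same shape as the logged
# probe (leading "//", then a [...] pair before any "/", "?" or "#").
SAMPLE_TARGET = "//probe['not-an-ip'].action?x=1"


def stdlib_path(target):
    """Path as urlsplit() sees it, or None if urlsplit() raises ValueError."""
    try:
        return urlsplit(target).path
    except ValueError:
        return None


def request_path(target):
    """Extract the path from an HTTP request target without raising.

    Origin-form targets (they start with "/") carry no authority, so they are
    cut at the first "?" or "#" by hand instead of going through urlsplit(),
    which reads a leading "//" as the start of a host. If an absolute-form
    target cannot be parsed, the raw target is returned unchanged.
    """
    if target.startswith("/"):
        for sep in ("?", "#"):
            target = target.split(sep, 1)[0]
        return target
    # absolute-form ("http://host/path"): urlsplit() applies, but a malformed
    # authority must not take the request down with it.
    path = stdlib_path(target)
    return path if path is not None else target


if __name__ == "__main__":
    samples = (SAMPLE_TARGET, "/ok/page?q=1", "http://example.com/a?b", "http://[bad/a")
    for t in samples:
        print(repr(t), "->", repr(stdlib_path(t)), "|", repr(request_path(t)))
```

On interpreters without the bracketed-host check, urlsplit() does not raise for the sample but still returns an empty path, because the whole segment is taken as the host.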