
Validation and sanitation of bot parameters (typing) #2537

Open
sebix opened this issue Nov 29, 2024 · 1 comment

Comments

@sebix
Member

sebix commented Nov 29, 2024

Since #1729 (version 3.0.0) all bots have built-in default values and typing information for all parameters.

The default values are in use by the bots if the configuration does not contain that parameter, and by the API/Manager to show as initial value.

The Manager parses and displays all parameters' types correctly, but the culprit is the saving.
Especially problematic are parameters left empty (resulting in an empty string) while the bots expect, for example, a boolean value. Even more dangerous are, for example, entered values of true, which result in the string "true", not the boolean True; and false, resulting in "false", which evaluates to the boolean true value!

This is a big usability problem for IntelMQ users and leads not only to confusion but also to mis-routed data.

There are two independent steps that IntelMQ can make to improve the situation:

  1. Make the Manager type-aware. Show the accepted type to the user, and only allow the input of allowed values. E.g. for boolean values show a radio box/drop down with true and false. And also send the value in the correct type to the backend (API).
  2. Validate and sanitize the types in the bots. For example, for boolean parameters sanitize "false" to false, for integers convert "10" to 10, for lists transform "foo,bar" to ["foo", "bar"].

What do you think of this topic?
Is someone willing and able to implement this or support work on this topic?

Related: certtools/intelmq-manager#294 certtools/intelmq-manager#81
Issues/PRs that could have been prevented: #2536 #2481 #2075 #2495 (and many more unreported ones)
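The sanitisation step described in point 2 above, as an added example that is not part of the issue and not IntelMQ's own code. It assumes that each bot declares a default value per parameter (as the issue says has been the case since 3.0.0) and uses the type of that default as the expected type; the bot name, parameter names and `ParameterError` are constructed for the example. `truthy_as_python` shows the failure mode the issue warns about: the string `"false"` is truthy, so a bot that tests it directly takes the wrong branch.

```python
"""Type-aware sanitisation of bot parameters driven by their declared defaults.

Example code added to this discussion; not IntelMQ's own implementation.
"""
from typing import Any

# Constructed defaults of a hypothetical bot: the type of each default value
# is the type the bot expects for that parameter.
BOT_DEFAULTS: dict[str, Any] = {
    "overwrite": False,        # bool
    "rate_limit": 10,          # int
    "threshold": 0.5,          # float
    "feed_name": "Example",    # str
    "fields": ["a", "b"],      # list of str
    "proxy": None,             # untyped default: value passed through as-is
}

TRUE_STRINGS = {"true", "yes", "1", "on"}
FALSE_STRINGS = {"false", "no", "0", "off"}


class ParameterError(ValueError):
    """Raised when a configured value cannot be converted to the declared type."""


def truthy_as_python(value: Any) -> bool:
    """The naive check a bot might do today: any non-empty string is True."""
    return bool(value)


def coerce(name: str, value: Any, default: Any) -> Any:
    """Convert *value* to the type of *default*, or raise ParameterError."""
    # An empty form field means "not set": fall back to the declared default.
    if isinstance(value, str) and value.strip() == "":
        return default
    if default is None:
        return value
    if isinstance(default, bool):          # check bool before int: bool is an int subclass
        if isinstance(value, bool):
            return value
        if isinstance(value, str):
            text = value.strip().lower()
            if text in TRUE_STRINGS:
                return True
            if text in FALSE_STRINGS:
                return False
        raise ParameterError(f"{name}: expected true/false, got {value!r}")
    if isinstance(default, (int, float)):
        if isinstance(value, bool):        # True/False silently becoming 1/0 is not wanted
            raise ParameterError(f"{name}: expected a number, got a boolean")
        target = type(default)
        if isinstance(value, (int, float)):
            return target(value)
        if isinstance(value, str):
            try:
                return target(value.strip())
            except ValueError:
                raise ParameterError(f"{name}: expected {target.__name__}, got {value!r}") from None
        raise ParameterError(f"{name}: expected {target.__name__}, got {type(value).__name__}")
    if isinstance(default, list):
        if isinstance(value, list):
            return value
        if isinstance(value, str):         # "foo,bar" -> ["foo", "bar"], ignoring blanks
            return [item.strip() for item in value.split(",") if item.strip()]
        raise ParameterError(f"{name}: expected a list, got {type(value).__name__}")
    if isinstance(default, str):
        if isinstance(value, str):
            return value
        raise ParameterError(f"{name}: expected a string, got {type(value).__name__}")
    return value                           # unknown default type: leave untouched


def is_valid(name: str, value: Any, default: Any) -> bool:
    """True if *value* can be coerced to the type of *default*."""
    try:
        coerce(name, value, default)
        return True
    except ParameterError:
        return False


def sanitize(config: dict[str, Any], defaults: dict[str, Any] = BOT_DEFAULTS) -> dict[str, Any]:
    """Return a fully typed config: every declared parameter gets a typed value.

    Parameters not declared by the bot are passed through unchanged.
    """
    result = {name: coerce(name, config.get(name, default), default)
              for name, default in defaults.items()}
    for name, value in config.items():
        if name not in defaults:
            result[name] = value
    return result


if __name__ == "__main__":
    # Constructed input as the Manager would save it today: everything is a string.
    saved = {"overwrite": "false", "rate_limit": "10", "fields": "foo,bar", "threshold": ""}
    print("naive bool('false') ->", truthy_as_python(saved["overwrite"]))
    print("sanitized ->", sanitize(saved))
```

`sanitize` raises on values it cannot interpret rather than guessing, so a mistyped boolean fails at bot start-up instead of silently routing data the wrong way.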

@kamil-certat
Contributor

I was thinking a few times about that. Actually, I think we should go in the direction of descriptors, Pydantic or other forms of automated validation. I'd think the most about a mix of descriptors for complex cases and automated type-based validation, but it's just an idea.

The Manager should know more about the data - maybe e.g. using Pydantic would let us generate a JSON Schema for configuration, that the manager could get? I also think the Manager should not need to dump the whole configuration, but we should have an API exposing per-bot config (with a proper validation).
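The idea in the comment above, generating a JSON Schema per bot that the Manager can fetch, as an added example that is not part of the issue and not IntelMQ's own code. It uses only the standard library as a stand-in for what Pydantic's `model_json_schema()` would produce; the dataclass, the bot id and the `bot_schema` lookup (standing in for a per-bot API endpoint) are constructed for the example.

```python
"""Deriving a JSON Schema for a bot's parameters from its type annotations.

Example code added to this discussion; not IntelMQ's own implementation.
"""
import dataclasses
import json
import types
import typing
from typing import Any, Optional, Union


# Constructed parameter declaration of a hypothetical bot. Annotations give
# the type, the defaults give the initial value the Manager should display.
@dataclasses.dataclass
class ExampleCollectorParameters:
    overwrite: bool = False
    rate_limit: int = 10
    threshold: float = 0.5
    feed_name: str = "Example feed"
    fields: list[str] = dataclasses.field(default_factory=lambda: ["a", "b"])
    proxy: Optional[str] = None


_SCALARS = {bool: "boolean", int: "integer", float: "number", str: "string"}
# typing.Union covers Optional[X]; types.UnionType covers "X | None" on 3.10+.
_UNION_TYPES = (Union, getattr(types, "UnionType", Union))


def type_to_schema(tp: Any) -> dict[str, Any]:
    """Map a Python annotation to a JSON Schema type description."""
    if tp in _SCALARS:
        return {"type": _SCALARS[tp]}
    origin = typing.get_origin(tp)
    args = typing.get_args(tp)
    if origin is list:
        return {"type": "array", "items": type_to_schema(args[0]) if args else {}}
    if origin in _UNION_TYPES:
        # Simplified: only scalar members and None are expressed; nested
        # containers inside a union would need "anyOf" instead.
        names = ["null" if a is type(None) else type_to_schema(a)["type"] for a in args]
        return {"type": names}
    raise TypeError(f"unsupported annotation: {tp!r}")


def schema_for(params_cls: type) -> dict[str, Any]:
    """Build an object schema with one property per declared parameter."""
    hints = typing.get_type_hints(params_cls)
    properties: dict[str, Any] = {}
    for f in dataclasses.fields(params_cls):
        prop = type_to_schema(hints[f.name])
        if f.default is not dataclasses.MISSING:
            prop["default"] = f.default
        elif f.default_factory is not dataclasses.MISSING:
            prop["default"] = f.default_factory()
        properties[f.name] = prop
    return {
        "$schema": "https://json-schema.org/draft/2020-12/schema",
        "title": params_cls.__name__,
        "type": "object",
        "properties": properties,
        # Reject parameters the bot does not declare, so typos surface early.
        "additionalProperties": False,
    }


# Constructed registry standing in for the bot catalogue an API would consult.
BOT_REGISTRY: dict[str, type] = {"example-collector": ExampleCollectorParameters}


def bot_schema(bot_id: str) -> dict[str, Any]:
    """What a hypothetical per-bot endpoint (e.g. GET /bots/<id>/schema) would return."""
    try:
        params_cls = BOT_REGISTRY[bot_id]
    except KeyError:
        raise KeyError(f"unknown bot: {bot_id}") from None
    return schema_for(params_cls)


if __name__ == "__main__":
    print(json.dumps(bot_schema("example-collector"), indent=2))
```

With such a schema the Manager can render a boolean as a true/false selector and an integer as a numeric field, and any standard JSON Schema validator can check a saved configuration before it reaches the bot.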
