Error with POST Request to /api/sign-url

Hey everyone,

We are experiencing an issue with the Indico system where it behaves strangely due to a POST request to /api/sign-url. Has anyone encountered the following error?

ValueError: invalid literal for int() with base 10: '24*if(now()=sysdate(),sleep(15),0)'

This error appears after the POST request to /api/sign-url.

2024-09-29 14:09:02,789 INFO - indico.rh POST /api/sign-url [IP=] [PID=]
2024-09-29 14:09:02,791 ERROR - indico.flask invalid literal for int() with base 10: '24*if(now()=sysdate(),sleep(15),0)'
Traceback (most recent call last):
  File "/opt/indico/venv/lib/python3.9/site-packages/flask/app.py", line 1517, in full_dispatch_request
    rv = self.dispatch_request()
  File "/opt/indico/venv/lib/python3.9/site-packages/flask/app.py", line 1503, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
  File "/opt/indico/venv/lib/python3.9/site-packages/indico/web/flask/util.py", line 79, in wrapper
    return obj().process()
  File "/opt/indico/venv/lib/python3.9/site-packages/indico/web/rh.py", line 281, in process
    res = self._do_process()
  File "/opt/indico/venv/lib/python3.9/site-packages/indico/web/rh.py", line 252, in _do_process
    rv = self._process()
  File "/opt/indico/venv/lib/python3.9/site-packages/webargs/core.py", line 594, in wrapper
    return func(args, **kwargs)
  File "/opt/indico/venv/lib/python3.9/site-packages/indico/modules/core/controllers.py", line 295, in _process
    url = url_for(endpoint, _external=True, **params)
  File "/opt/indico/venv/lib/python3.9/site-packages/indico/web/flask/util.py", line 157, in url_for
    url = _url_for(endpoint, **values)
  File "/opt/indico/venv/lib/python3.9/site-packages/flask/helpers.py", line 323, in url_for
    rv = url_adapter.build(
  File "/opt/indico/venv/lib/python3.9/site-packages/werkzeug/routing.py", line 2303, in build
    rv = self._partial_build(endpoint, values, method, append_unknown)
  File "/opt/indico/venv/lib/python3.9/site-packages/werkzeug/routing.py", line 2195, in _partial_build
    build_rv = rule.build(values, append_unknown)
  File "/opt/indico/venv/lib/python3.9/site-packages/werkzeug/routing.py", line 1086, in build
    return self._build_unknown(**values)
  File "", line 1, in <builder:'/event/<int:event_id>/event.ics'>
  File "/opt/indico/venv/lib/python3.9/site-packages/werkzeug/routing.py", line 1316, in to_url
    value = str(self.num_convert(value))
ValueError: invalid literal for int() with base 10: '24*if(now()=sysdate(),sleep(15),0)'

Safe to ignore, that's someone running a security scanner trying to find SQL injection vulnerabilities.


Thank you for your prompt response @ThiefMaster .
This scan puts a load on the Indico application, causing the server to go down. Is there a way to improve the server’s stability, even if it requires more CPU and RAM resources? I tried adding 64 CPUs and 64 GB of RAM to prevent the server from crashing, but unfortunately, we are still experiencing issues with the application’s performance.

Block abusive IPs and possibly apply rate limiting against misbehaving clients sending way too many requests.

You can do that at the webserver level, before such requests even reach Indico itself.

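As an added illustration of the advice above (this is not configuration from the thread or from the Indico project), here is how the blocking and rate limiting could look in nginx sitting in front of Indico's uWSGI socket. The hostname, the socket path and the denied 203.0.113.0/24 range are placeholders, not values from the thread.

```nginx
# Rate limit and block abusive clients at the web server, before requests
# reach Indico itself. Zone keyed on client IP; 10 MB holds roughly 160k
# addresses; steady rate of 10 requests/second per client.
limit_req_zone $binary_remote_addr zone=indico_clients:10m rate=10r/s;
limit_req_log_level warn;   # log every rejected request so you can review offenders
limit_req_status 429;       # tell well-behaved clients to slow down

server {
    listen 443 ssl;
    server_name indico.example.org;   # placeholder hostname

    # Hard block for a scanner source identified in the access log.
    # 203.0.113.0/24 is a documentation range used as a placeholder.
    deny 203.0.113.0/24;
    allow all;

    # Tighter burst on the API, where the scanner in the thread was posting.
    location /api/ {
        limit_req zone=indico_clients burst=20 nodelay;
        include uwsgi_params;
        uwsgi_pass unix:/opt/indico/web/uwsgi.sock;  # assumed socket path
    }

    location / {
        limit_req zone=indico_clients burst=50;
        include uwsgi_params;
        uwsgi_pass unix:/opt/indico/web/uwsgi.sock;  # assumed socket path
    }
}
```

If another proxy or load balancer sits in front of nginx, $binary_remote_addr is that proxy's address; configure set_real_ip_from and real_ip_header so the limit and the deny apply to the real client.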

Thanks! That makes sense. I’ll update the web server configuration with your suggestions.