Flagsmith/flagsmith

Null-terminated query parameters cause server errors in the Core SDK endpoints

Open

#2,901 opened on Oct 30, 2023

Labels: bug, good first issue

Description

Example Sentry issue: FLAGSMITH-API-3TZ

ValueError: A string literal cannot contain NUL (0x00) characters.
(15 additional frame(s) were not displayed)
...
  File "environments/identities/views.py", line 185, in get
    .get_or_create(identifier=identifier, environment=request.environment)

This should be a problem for every view that accesses query parameters directly.

A quick search yields 8 occurrences of this: https://github.com/search?q=repo%3AFlagsmith%2Fflagsmith+query_params.get&type=code

For each of those we need to assess the performance impact of using a serializer (DRF's CharField handles null chars).
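The failure mode described in this issue, as an added example that is not part of the original issue or the Flagsmith code base: a view that passes a raw query parameter to the data layer turns `identifier=user%00` into a server error, while validating first turns it into a client error. It uses only the standard library; `FakeIdentityStore`, `BadRequest`, `clean_param` and both view functions are hypothetical stand-ins, and the integer return values stand for HTTP status codes.

```python
from urllib.parse import parse_qs


class FakeIdentityStore:
    """Hypothetical stand-in for the ORM call; rejects NUL like the data layer in the traceback."""

    def __init__(self):
        self.rows = {}

    def get_or_create(self, identifier, environment):
        if "\x00" in identifier:
            raise ValueError("A string literal cannot contain NUL (0x00) characters.")
        return self.rows.setdefault((environment, identifier), {"identifier": identifier})


class BadRequest(Exception):
    """Maps to an HTTP 400 in the simulated views below."""


def clean_param(query_params, name):
    """Validate a query parameter before it reaches the data layer."""
    values = query_params.get(name)
    if not values:
        raise BadRequest(f"Missing required parameter: {name}")
    value = values[0]
    if "\x00" in value:
        raise BadRequest(f"Null characters are not allowed in {name}.")
    return value


def view_unvalidated(query_string, store, environment="env-1"):
    """Pattern from the issue: the raw parameter goes straight to get_or_create."""
    params = parse_qs(query_string)  # percent-decodes %00 into "\x00"
    identifier = params.get("identifier", [""])[0]
    try:
        store.get_or_create(identifier=identifier, environment=environment)
    except ValueError:
        return 500  # unhandled in a real view, so it surfaces as a server error
    return 200


def view_validated(query_string, store, environment="env-1"):
    """Same view with validation up front: a 400 and no data-layer call."""
    try:
        identifier = clean_param(parse_qs(query_string), "identifier")
    except BadRequest:
        return 400
    store.get_or_create(identifier=identifier, environment=environment)
    return 200
```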
