From 7a5a5531ccd930a426caad0e047271b46f623e9a Mon Sep 17 00:00:00 2001
From: Javier Ramos
Date: Wed, 1 Jul 2020 15:44:06 +0200
Subject: [PATCH] Raise ValidationError if CSR contains invalid CN
If we supply a CSR that contains an empty field in the Subject, Lemur will crash with an error 500 as the ValueError exception is not captured. This change captures the exception and raises a ValidationError which in this case is a 400 sent back to client. Example to reproduce: Subject: C=ZZ, ST=Something, L=, O=My_Org, OU=My_Dept, CN=www.booking.com The empty L= causes a ValueError which needs to be captured.
---
lemur/common/validators.py | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/lemur/common/validators.py b/lemur/common/validators.py
index 2412e2d3..e1dfe3c1 100644
--- a/lemur/common/validators.py
+++ b/lemur/common/validators.py
@@ -99,8 +99,12 @@ def csr(data):
 raise ValidationError("CSR presented is not valid.")
 # Validate common name and SubjectAltNames
- for name in request.subject.get_attributes_for_oid(NameOID.COMMON_NAME):
- common_name(name.value)
+ try:
+ for name in request.subject.get_attributes_for_oid(NameOID.COMMON_NAME):
+ common_name(name.value)
+ except ValueError as err:
+ current_app.logger.info("Error parsing Subject from CSR: %s", err)
+ raise ValidationError("Invalid Subject value in supplied CSR")
 try:
 alt_names = request.extensions.get_extension_for_class(
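Review bot: The new `except ValueError` branch calls `current_app.logger.info(...)`, but the diffstat's six insertions are all in this hunk, so the commit adds no import. If `lemur/common/validators.py` does not already import `current_app` from Flask, a malformed CSR would raise NameError here and still end in a 500. The `try` also covers `common_name(name.value)`, so a ValueError raised inside that validator is reported as a Subject parse failure. Reading the attributes inside the `try` (`cn_attrs = request.subject.get_attributes_for_oid(NameOID.COMMON_NAME)`) and looping over `cn_attrs` after it would keep the two cases apart, and `raise ValidationError("Invalid Subject value in supplied CSR") from err` would make the link to the parser error explicit. The body of `csr` starts before and continues after this hunk, so whether the SubjectAltName `try` that follows handles the same ValueError cannot be checked from here.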