Commit Graph

1773 Commits

Author SHA1 Message Date
Klaas van Schelven
6b46dc2513 Sparklines: copy/paste (ugly code) into stacktrace too 2025-11-18 09:06:00 +01:00
Klaas van Schelven
60de54a3dc Sparklines PoC
See #271
2025-11-17 11:34:52 +01:00
Klaas van Schelven
eeac2e750c Link to 'all tags' in the 'tags' RHS box 2025-11-16 20:08:50 +01:00
Klaas van Schelven
4137565de9 Note about (crashpad/minidump) guid 2025-11-16 19:54:13 +01:00
Klaas van Schelven
8283b80b35 Minidump API Endpoint: custom/extra fields support 2025-11-16 09:29:20 +01:00
Klaas van Schelven
f5605c8d0e Tags on issue-tags page: tailwind-based histograms 2025-11-15 16:13:05 +01:00
Klaas van Schelven
60bbf8c606 send_json/stress_test utils: Prettier tag-sending, pt.2 2025-11-15 15:44:19 +01:00
Klaas van Schelven
8da9ec593e send_json/stress_test utilities: prettier tag-sending 2025-11-15 14:51:27 +01:00
Klaas van Schelven
1829465342 Merge pull request #270 from bugsink/minidumps
Minidumps: PoC
2025-11-15 13:43:36 +01:00
Klaas van Schelven
7df7bc7f4d Minidump feature flag: configurable in docker 2025-11-15 13:38:09 +01:00
Klaas van Schelven
661d83bd93 minidumps: FEATURE flag 2025-11-15 13:33:49 +01:00
Klaas van Schelven
2660e1b027 Rendering of events w/ frames=None: be robust for it 2025-11-15 13:04:37 +01:00
Klaas van Schelven
97c1e4c71c Comment about difs_assemble endpoint 2025-11-13 08:33:31 +01:00
Klaas van Schelven
9f6cd88ec6 Remove unneeded layer of indirection in query. 2025-11-13 08:33:12 +01:00
Klaas van Schelven
3d031376ef Merge branch 'main' into minidumps 2025-11-12 22:15:40 +01:00
Klaas van Schelven
9f2a7c6737 de-chatgptize event_threads_for_process_state
this code was created in a REPL/ChatGPT/minidump-API/HITL session,
until I had something that "seemed to work". the present commit
is the result of rereading, refactoring for understanding etc.
it's not "pure refactoring" in the sense that it's behavior-changing,
but AFAICT for the better. e.g. "line 0" => just leave that out and
many similar changes.
2025-11-12 22:05:42 +01:00
Klaas van Schelven
eea5f032e2 Clarified meaning of process_state.requesting_thread
(the now-removed 'treat as pid' was hallucinated by the bot; the
taken-from-sentry version missed the guard against -1)

> The index of the thread that requested a dump be written in the
> threads vector. [..] If the dump was not produced as a result of an exception
> [..] this field will be set to -1,
2025-11-12 21:33:18 +01:00
Klaas van Schelven
54ec6eaceb Populate exception['value']
mirrors how we fetch it in `get_exception_type_and_value_for_exception`
2025-11-12 21:04:53 +01:00
Klaas van Schelven
5757b4f9b5 Typo in comment 2025-11-12 21:03:03 +01:00
Klaas van Schelven
b60980c8f3 PoC: Minidumps w/ symbolification
Plenty of TODOs left; but this proves we can find:

* file names
* function names
* line nos
* source context

See #82
2025-11-12 20:44:38 +01:00
Klaas van Schelven
74a04f6ea1 'files' is a bugsink module too; reflect in eat_your_own_dogfood 2025-11-12 16:39:50 +01:00
Klaas van Schelven
b99e26d83f Don't log non-sent emails
e.g. for users with their email addresses blanked out

See #86
2025-11-12 16:28:11 +01:00
Klaas van Schelven
2fe2b4fb9d Use debug-tools for email in development
See #86
2025-11-12 16:27:14 +01:00
Klaas van Schelven
a93f369ad7 Fix member counts on project/team list
they were at most 1
2025-11-12 16:10:10 +01:00
Klaas van Schelven
2ad2c819f9 bandit (trivial ignore) 2025-11-11 15:57:17 +01:00
Klaas van Schelven
7b079dd57b Add template-based comment 2025-11-11 15:54:39 +01:00
Klaas van Schelven
9462d0a2c7 merge 'main' with 'main' 2025-11-11 15:34:54 +01:00
Klaas van Schelven
ab065a6329 api_catch_all: header-based
rather than try-and-recover, just look at the headers and show body/POST etc.
this avoids hard-to-reason about situations where either of those won't work
because the other has already been executed; in combination with reasoning
about max size usage the explicit solution is simply easier to reason about.

further:

* makes api_catch_all one of the content_encoding-ready views.
* implement a max length for the ingest api view
2025-11-11 15:25:51 +01:00
Klaas van Schelven
937df4cbb8 minidump endpoint: support content encoding
adds readline() method to GeneratorReader (ChatGPT-generated; eyeballed for
correctness) to match the Django FILES/POST handling expectations.
2025-11-11 13:50:07 +01:00
Klaas van Schelven
72aab81d7d Add ContentEncodingCheckMiddleware 2025-11-11 13:39:44 +01:00
Klaas van Schelven
f5d7b430f2 Merge branch 'main' into minidumps 2025-11-11 10:07:06 +01:00
Klaas van Schelven
d5db5e328b Merge branch brotli-bombs-tests 2025-11-11 10:01:23 +01:00
Klaas van Schelven
54c96eb680 Minidump upload: more explicit errors (and logging) 2025-11-11 09:48:00 +01:00
Klaas van Schelven
80f65c7058 Comment: CustomWSGIRequest.get_host(): no changes needed for Django 5.2 upgrade
this method wasn't changed upstream.

See #89
2025-11-11 09:45:53 +01:00
Klaas van Schelven
1ed03ce053 Support request.body when doing Chunked Transfer Encoding
(ran into this b/c the native minidump upload uses chunked mode and
our impl. of that looks at request.body (via FILES))

See #9
2025-11-11 09:39:12 +01:00
Klaas van Schelven
444e84edc0 Merge pull request #267 from bugsink/python-3.14
Support Python 3.14
2025-11-10 20:32:40 +01:00
Klaas van Schelven
ad077b4056 file_info's debug_id is optional
(as per my notes; didn't recheck this when committing)
2025-11-09 23:11:10 +01:00
Klaas van Schelven
690a92a1f9 Merge branch 'main' into minidumps 2025-11-09 21:56:18 +01:00
Klaas van Schelven
0432451e8e Fix inefficient bytes concatenation when KEEP_ENVELOPES != 0 2025-11-09 21:11:35 +01:00
Klaas van Schelven
a6ead89ca8 Remove event.debug_info
basically unused
2025-11-09 20:58:39 +01:00
Klaas van Schelven
53bea102d9 Compression decoding errors: return 400 rather than 500 2025-11-09 20:50:06 +01:00
Klaas van Schelven
b81f754b8c Support Python 3.14
make it so by [a] saying it is so and [b] testing it in the CI/CD
2025-11-09 20:12:55 +01:00
Klaas van Schelven
473d4de6d2 2.0.6 CHANGELOG 2.0.6 2025-11-08 23:37:11 +01:00
Klaas van Schelven
d979b17596 Merge commit from fork
Add mitigation for a 2nd class of brotli DOS attack
2025-11-08 23:36:29 +01:00
Klaas van Schelven
69a918de7d Additional test scripts for gzip/deflate bombs 2025-11-08 23:08:59 +01:00
Klaas van Schelven
60be8fa4a4 Add end-to-end test for brotli/envelope
proving that 2.0.5 solves the problem of (well-formatted) bombs
2025-11-08 23:08:49 +01:00
Klaas van Schelven
d5858a7a41 'random' (malformed) 'bomb' and test
These tests were originally in what is now 1201f754e3
but they were held back because they provide more information
to an attacker than strictly required.

The original (non-published, now published) commit message (which
goes with both the code and the tests) was:

As noted by @Cycloctane:

> The problem is that the infinite loop I was talking about is happening inside
> `brotli_generator`. Because brotli `decompressor.is_finished()` never returns
> True if the input is not valid brotli compressed data or is truncated. And
> `decompressor.process()` will keep returning empty bytes that won't be *yield*
> out, making the generator keep looping inside itself. `MaxDataReader` is not
> possible to limit it.
2025-11-08 23:06:32 +01:00
Klaas van Schelven
4c07000818 Add 'send_random_data' 'bomb'
credit @Cycloctane (who provided this as a curl command)
2025-11-08 23:04:19 +01:00
Klaas van Schelven
9db2498e27 send_bomb command to test brotli decompression vulnerability 2025-11-08 23:04:15 +01:00
Klaas van Schelven
c63e23f096 Clarify why I believe the current solution will not be stuck forever 2025-11-08 22:59:49 +01:00