envelope event_id check: on-parse

vanschelven · vanschelven · commit b94aa8a5c96c · 2025-07-29T15:51:03.000+02:00
diff --git a/ingest/filestore.py b/ingest/filestore.py
@@ -8,7 +8,10 @@ def get_filename_for_event_id(event_id):
     # implemented. However, counterpoint: when doing stress tests, it was quite hard to get a serious backlog going
     # (snappea was very well able to play catch-up). So this might not be necessary.
 
-    # ensure that event_id is a uuid, and remove dashes if present
+    # ensure that event_id is a uuid, and remove dashes if present; also doubles as a security-check (event_id is
+    # user-provided (but at this point already validated to be a valid UUID), but b/c of the below the
+    # security-implications of os.path.join can be understood right here in the code without needing to inspect all
+    # call-sites).
     event_id_normalized = uuid.UUID(event_id).hex
 
     return os.path.join(get_settings().INGEST_STORE_BASE_DIR, event_id_normalized)
diff --git a/ingest/views.py b/ingest/views.py
@@ -1,3 +1,4 @@
+import uuid
 import hashlib
 import os
 import logging
@@ -618,6 +619,13 @@ def factory(item_headers):
                 # payload's event_id), so we can rely on it having been set.
                 if "event_id" not in envelope_headers:
                     raise ParseError("event_id not found in envelope headers")
+
+                try:
+                    # validate that the event_id is a valid UUID as per the spec (validate at the edge)
+                    uuid.UUID(envelope_headers["event_id"])
+                except ValueError:
+                    raise ParseError("event_id in envelope headers is not a valid UUID")
+
                 filename = get_filename_for_event_id(envelope_headers["event_id"])
                 os.makedirs(os.path.dirname(filename), exist_ok=True)
                 return MaxDataWriter("MAX_EVENT_SIZE", open(filename, 'wb'))
