hikari-py/hikari

aiohttp false security issue

Ethan-Ka opened this issue · 1 comments

Steps to reproduce

Bot used to be running as normal, then all of a sudden it stopped.

Expected result

Should have run normally, produced the error below and quit.

Actual result

Traceback (most recent call last):
  File "main.py", line 1277, in <module>
    bot.run()
  File "/home/runner/.local/lib/python3.8/site-packages/hikari/impl/bot.py", line 783, in run
    loop.run_until_complete(
  File "/usr/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
    return future.result()
  File "/home/runner/.local/lib/python3.8/site-packages/hikari/impl/bot.py", line 899, in start
    requirements = await self._rest.fetch_gateway_bot_info()
  File "/home/runner/.local/lib/python3.8/site-packages/hikari/impl/rest.py", line 1928, in fetch_gateway_bot_info
    response = await self._request(route)
  File "/home/runner/.local/lib/python3.8/site-packages/hikari/impl/rest.py", line 748, in _request
    response = await live_attributes.still_alive().client_session.request(
  File "/home/runner/.local/lib/python3.8/site-packages/aiohttp/client.py", line 558, in _request
    resp = await req.send(conn)
  File "/home/runner/.local/lib/python3.8/site-packages/aiohttp/client_reqrep.py", line 670, in send
    await writer.write_headers(status_line, self.headers)
  File "/home/runner/.local/lib/python3.8/site-packages/aiohttp/http_writer.py", line 130, in write_headers
    buf = _serialize_headers(status_line, headers)
  File "aiohttp/_http_writer.pyx", line 132, in aiohttp._http_writer._serialize_headers
  File "aiohttp/_http_writer.pyx", line 116, in aiohttp._http_writer._safe_header
ValueError: Newline or carriage return character detected in HTTP status message or header. This is a potential security issue.

System info

hikari (2.0.0.dev111) [2d0c77b5]
located at /home/runner/.local/lib/python3.8/site-packages/hikari
CPython 3.8.10 GCC 9.4.0
Linux fv-az315-89 5.15.0-1020-azure #25~20.04.1-Ubuntu SMP Thu Sep 1 19:20:56 UTC 2022 x86_64 x86_64

Further info

It was working fine a little bit ago, I am installing the packages again on every run.

Checklist

  • I have made sure to remove ANY sensitive information (bot token, passwords, credentials, personal details, etc.).
  • I have searched the issue tracker and have made sure it's not a duplicate. If it is a follow up of another issue, I have specified it.

This is not a false positive, you are adding a newline at the end of your token (probably through the GitHub Secrets UI) and aiohttp now errors about that in newer versions due to the potential security risk this could entail.

Potential ways of fixing this are:

  1. Stripping the new line off the token before passing it to hikari
     token=os.environ["TOKEN"].strip()
  2. Making sure that there is no newline in your secret

Hope that fixes your issue. I'll be closing this as a non-fix.

Also, fyi, running a bot on GitHub Actions is not recommended at all and is against ToS. I would recommend you get a VPS to host your bot instead.
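
The check aiohttp performs, and the first fix suggested above, as an added example that is not part of the original thread or of hikari's or aiohttp's code. `load_token`, `TokenFormatError` and `serialize_header` are hypothetical names, the token values are constructed, and the `Bot ` prefix assumes Discord's usual Authorization header format.

```python
import os


class TokenFormatError(ValueError):
    """Raised when a secret cannot be safely placed in an HTTP header."""


def load_token(env=os.environ, name="TOKEN"):
    """Read a bot token from the environment and make it header-safe.

    Surrounding whitespace (the trailing newline a secrets UI or `echo`
    often adds) is stripped. CR/LF anywhere else is rejected rather than
    silently removed, because that means the stored secret is malformed.
    """
    raw = env.get(name)
    if raw is None:
        raise TokenFormatError(f"{name} is not set")
    token = raw.strip()
    if not token:
        raise TokenFormatError(f"{name} is empty")
    if "\r" in token or "\n" in token:
        raise TokenFormatError(f"{name} contains an embedded line break")
    return token


def serialize_header(name, value):
    """Naive serialization with no validation (hypothetical helper).

    Shows what an unchecked value looks like on the wire: any CR/LF in
    the value ends the header line early, which is the condition
    aiohttp refuses to send.
    """
    return f"{name}: {value}\r\n"


if __name__ == "__main__":
    # Constructed sample value, not a real token.
    env = {"TOKEN": "constructed.sample.token\n"}
    # Unstripped: the stray newline appears inside the header block.
    print(repr(serialize_header("Authorization", "Bot " + env["TOKEN"])))
    # Stripped and validated: exactly one line terminator.
    print(repr(serialize_header("Authorization", "Bot " + load_token(env))))
```

Rejecting an embedded line break instead of deleting it surfaces a badly stored secret at startup, rather than sending a silently altered token.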