From 166fd671c83b59acc8cd4be5dd61c166d20bd260 Mon Sep 17 00:00:00 2001 From: Joseph Schorr Date: Mon, 18 Feb 2019 12:09:25 -0500 Subject: [PATCH 1/3] Validate the namespace before looking it up This will prevent unicode errors when trying to lookup unicode in the database Fixes https://sentry.io/organizations/coreos/issues/628269769/?project=52148 --- endpoints/web.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/endpoints/web.py b/endpoints/web.py index be22dfeb7..cdb463cfa 100644 --- a/endpoints/web.py +++ b/endpoints/web.py @@ -843,6 +843,10 @@ def redirect_to_repository(namespace_name, repo_name, tag_name): @process_oauth @anon_protect def redirect_to_namespace(namespace): + okay, _ = model.user.validate_username(namespace) + if not okay: + abort(404) + user_or_org = model.user.get_user_or_org(namespace) if not user_or_org: abort(404) From 68300b2644c3bf10d884ae5c632d5b535f7b2b73 Mon Sep 17 00:00:00 2001 From: Joseph Schorr Date: Mon, 18 Feb 2019 12:11:35 -0500 Subject: [PATCH 2/3] Catch exceptions when trying to read HTTP body in logs Fixes https://sentry.io/organizations/coreos/issues/627586398/events/9ea9873f11e6456abc58f5de10951e44/?project=52148 --- app.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/app.py b/app.py index 656ecfddc..9926ee766 100644 --- a/app.py +++ b/app.py @@ -11,6 +11,7 @@ from flask_login import LoginManager from flask_mail import Mail from flask_principal import Principal from jwkest.jwk import RSAKey +from werkzeug.exceptions import HTTPException import features @@ -143,7 +144,11 @@ FILTERED_VALUES = [ @app.after_request def _request_end(resp): - jsonbody = request.get_json(force=True, silent=True) + try: + jsonbody = request.get_json(force=True, silent=True) + except HTTPException: + jsonbody = None + values = request.values.to_dict() if jsonbody and not isinstance(jsonbody, dict): From eef4094f569e3fb8c84a577cc5f62e083f8f714d Mon Sep 17 00:00:00 2001 
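Review bot: The `validate_username` guard is added only inside `redirect_to_namespace`, so any other caller that passes a request-supplied name to `model.user.get_user_or_org` would still reach the database lookup with unvalidated input. `redirect_to_repository`, named in the hunk header, takes a `namespace_name` and may be one such caller, though its body is not visible here. Consider moving the check into the model lookup or a shared helper so every route gets it. A comment above the new lines would record the intent, e.g. `# Reject names that can never be a valid namespace before querying the database.` The body of `redirect_to_namespace` continues past the end of the hunk.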
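Review bot: In the second app.py hunk, `values = request.values.to_dict()` directly after the new `try`/`except` is still unguarded. It also has to read the request body for form data, so an `HTTPException` raised while reading the body may still escape from this `after_request` hook. Since `silent=True` already suppresses JSON parse errors, the exception caught here presumably comes from reading the body itself, which makes this second read the likely next failure. Guarding it the same way, `try: values = request.values.to_dict()` with `except HTTPException: values = {}`, would close that gap. A comment such as `# Body could not be read; log the request without it.` would make clear that the swallow is deliberate; `_request_end` continues outside the hunk.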
From: Joseph Schorr Date: Mon, 18 Feb 2019 13:02:46 -0500 Subject: [PATCH 3/3] Catch parsing errors in image API Fixes https://sentry.io/organizations/coreos/issues/664440779/ --- endpoints/api/image.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/endpoints/api/image.py b/endpoints/api/image.py index 9fb3c5c92..3a9dcd82c 100644 --- a/endpoints/api/image.py +++ b/endpoints/api/image.py @@ -8,11 +8,18 @@ from endpoints.exception import NotFound def image_dict(image, with_history=False, with_tags=False): + parsed_command = None + if image.command: + try: + parsed_command = json.loads(image.command) + except (ValueError, TypeError): + parsed_command = {'error': 'Could not parse command'} + image_data = { 'id': image.docker_image_id, 'created': format_date(image.created), 'comment': image.comment, - 'command': json.loads(image.command) if image.command else None, + 'command': parsed_command, 'size': image.image_size, 'uploading': image.uploading, 'sort_index': len(image.parents),
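Review bot: On a parse failure the `command` field now carries `{'error': 'Could not parse command'}`, an in-band sentinel that a client cannot tell apart from a stored command that legitimately parses to the same object. It may also differ in type from what clients expect, if `command` is normally a list or `None`. Returning `parsed_command = None` in the `except` branch and logging the failure server-side would keep the response shape stable while still surfacing corrupted or unexpected image metadata to operators. If the sentinel is kept, a comment such as `# Stored command is not valid JSON; return a marker instead of failing the whole response.` should say so. The `image_data` literal and the rest of `image_dict` continue outside the hunk.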