Lacking input validation in httpbakery.extract_macaroons() #86

Open
suligap opened this issue Jan 7, 2021 · 2 comments

suligap commented Jan 7, 2021

macaroonbakery 1.3.1
python 3.5

extract_macaroons() isn't validating its input data in a sufficient manner. It's assuming that any valid b64 encoded JSON is an array of objects, for instance. This results in unexpected AttributeErrors and TypeErrors. Two examples below:

>>> cookie_val = base64.b64encode(json.dumps({'a': 'b'}).encode('utf-8')).decode()
>>> cookie_val
'eyJhIjogImIifQ=='
>>> httpbakery.extract_macaroons({'Cookie': 'macaroon-1={}'.format(cookie_val)})
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "xyz/lib/python3.5/site-packages/macaroonbakery/httpbakery/_client.py", line 341, in extract_macaroons 
    add_macaroon(cs[c].value)
  File "xyz/lib/python3.5/site-packages/macaroonbakery/httpbakery/_client.py", line 329, in add_macaroon 
    ms = [utils.macaroon_from_dict(x) for x in data_as_objs]
  File "xyz/lib/python3.5/site-packages/macaroonbakery/httpbakery/_client.py", line 329, in <listcomp>
    ms = [utils.macaroon_from_dict(x) for x in data_as_objs]
  File "xyz/lib/python3.5/site-packages/macaroonbakery/_utils/__init__.py", line 38, in macaroon_from_dict 
    json_serializer.JsonSerializer())
  File "xyz/lib/python3.5/site-packages/pymacaroons/macaroon.py", line 47, in deserialize
    return serializer.deserialize(serialized)
  File "xyz/lib/python3.5/site-packages/pymacaroons/serializers/json_serializer.py", line 64, in deserialize
    if deserialized.get('identifier') is None:
AttributeError: 'str' object has no attribute 'get'
>>> 
>>> cookie_val = base64.b64encode(json.dumps([{'a': 'b'}]).encode('utf-8')).decode()
>>> cookie_val
'W3siYSI6ICJiIn1d'
>>> httpbakery.extract_macaroons({'Cookie': 'macaroon-1={}'.format(cookie_val)})
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "xyz/lib/python3.5/site-packages/macaroonbakery/httpbakery/_client.py", line 341, in extract_macaroons 
    add_macaroon(cs[c].value)
  File "xyz/lib/python3.5/site-packages/macaroonbakery/httpbakery/_client.py", line 329, in add_macaroon 
    ms = [utils.macaroon_from_dict(x) for x in data_as_objs]
  File "xyz/lib/python3.5/site-packages/macaroonbakery/httpbakery/_client.py", line 329, in <listcomp>
    ms = [utils.macaroon_from_dict(x) for x in data_as_objs]
  File "xyz/lib/python3.5/site-packages/macaroonbakery/_utils/__init__.py", line 38, in macaroon_from_dict 
    json_serializer.JsonSerializer())
  File "xyz/lib/python3.5/site-packages/pymacaroons/macaroon.py", line 47, in deserialize
    return serializer.deserialize(serialized)
  File "xyz/lib/python3.5/site-packages/pymacaroons/serializers/json_serializer.py", line 65, in deserialize
    return self._deserialize_v2(deserialized)
  File "xyz/lib/python3.5/site-packages/pymacaroons/serializers/json_serializer.py", line 123, in _deserialize_v2
    _read_json_binary_field(deserialized, 's')),
TypeError: a bytes-like object is required, not 'NoneType'
fabricematrat (Contributor) commented

@suligap which error do you think you should get? ValueError in those cases?


suligap commented Jan 18, 2021

Hi @fabricematrat! Thanks for taking a look.

I'm not sure how feasible that would be, but looking at how extract_macaroons() handles macaroon-* cookies that aren't valid JSON or base64, maybe it would make sense for the end result to be the same? That is, the cookie is ignored?
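A defensive variant of the macaroon-* cookie extraction discussed in this thread, added here as an example (not macaroonbakery's own code): a cookie whose payload is not base64 JSON holding an array of macaroon-shaped objects is skipped, the outcome the last comment asks for. It assumes pymacaroons' JSON field names (identifier/signature for v1, i or i64 and s or s64 for v2) and uses a constructed sample macaroon; the two malformed cookie values from the issue are what the check rejects.

```python
import base64
import json
from http.cookies import SimpleCookie

COOKIE_PREFIX = "macaroon-"

# Constructed sample in pymacaroons' v1 JSON shape (field names assumed).
SAMPLE_MACAROON = {"identifier": "sample-id", "signature": "00" * 32,
                   "location": "example.com", "caveats": []}


def encode_macaroon_cookie(macaroons):
    """Base64-encode a JSON array of macaroon dicts, as the REPL session above does."""
    return base64.b64encode(json.dumps(macaroons).encode("utf-8")).decode("ascii")


def _looks_like_macaroon(obj):
    """Shape check: a dict carrying an identifier and a signature field in the
    v1 (identifier/signature) or v2 (i|i64 / s|s64) JSON encoding (assumed)."""
    if not isinstance(obj, dict):
        return False
    return (any(k in obj for k in ("identifier", "i", "i64"))
            and any(k in obj for k in ("signature", "s", "s64")))


def decode_macaroon_cookie(value):
    """Return the macaroon dicts held in one cookie value, or None when the value
    is not base64 JSON holding a non-empty array of macaroon-shaped objects."""
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    try:  # binascii.Error, UnicodeDecodeError and JSONDecodeError are all ValueErrors
        data = json.loads(base64.urlsafe_b64decode(padded).decode("utf-8"))
    except ValueError:
        return None
    if not (isinstance(data, list) and data and all(_looks_like_macaroon(m) for m in data)):
        return None
    return data


def extract_macaroon_cookies(headers):
    """Collect well-formed macaroon slices from macaroon-* cookies; skip the rest
    instead of letting pymacaroons raise AttributeError or TypeError."""
    cookies = SimpleCookie()
    cookies.load(headers.get("Cookie", ""))
    slices = []
    for name in sorted(cookies):
        if name.startswith(COOKIE_PREFIX):
            ms = decode_macaroon_cookie(cookies[name].value)
            if ms is not None:
                slices.append(ms)
    return slices
```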
