Stumbled on an interesting bug today

A member of the team reported that when trying to create a record, the page becomes unresponsive and does not create the record. I was able to reproduce only by grabbing the exact text they were putting in one of the text fields in the form and it generated the console error:
Uncaught (in promise) SyntaxError: Unexpected end of JSON input
at JSON.parse (<anonymous>)
at Xo (index.js:163:39)
at async Vt.send (pool.js:44:9)
At that moment the entire page is broken, you can't do anything other than refresh the tab. I started playing with the input and after a while I discovered that what causes the error is the string containing ../ or ..\. Has anybody seen such a thing before? Is there something deep inside Livewire or Filament that is confusing this with a path? Maybe a path traversal vulnerability? Thanks!
6 Replies
Dennis Koch, 4w ago
What’s the actual response?
LeandroFerreira
that works on my end v3.3.37
AlAdler (OP), 3w ago
The response body is empty and the response status is 202 (normally it's 200)
Dennis Koch, 3w ago
That doesn’t sound like anything Livewire would send.
AlAdler (OP), 3w ago
Yeah, I'm perplexed, don't even know where to start looking...
Solution
AlAdler, 3w ago
It was the WAF blocking the request 🤦‍♂️
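
A check that surfaces this kind of interception directly, as an added example that is not part of the original thread and is not Livewire or Filament code: inspect the status, content type and body before parsing, and note whether the submitted text contains the `../` or `..\` sequences identified above. The function name, the return shape and the "suspect intermediary" heuristic are assumptions of this example.

```javascript
// Pattern the thread identified as the trigger: "../" or "..\" in a form field.
const TRAVERSAL_LIKE = /\.\.[\/\\]/;

// Inspect a response before JSON.parse so an intercepted request yields a
// readable diagnosis instead of "Unexpected end of JSON input".
// expectedStatus defaults to 200, the status the thread reports as normal.
function diagnoseResponse({ status, contentType = '', body = '' }, sentPayload = '', expectedStatus = 200) {
  const findings = [];
  let data = null;

  if (status !== expectedStatus) {
    findings.push(`status ${status}, expected ${expectedStatus}`);
  }
  if (body.trim() === '') {
    findings.push('empty body');
  } else {
    if (!/json/i.test(contentType)) {
      findings.push(`content-type "${contentType}" is not JSON`);
    }
    try {
      data = JSON.parse(body);
    } catch (err) {
      findings.push(`body is not valid JSON: ${err.message}`);
    }
  }

  const payloadLooksLikeTraversal = TRAVERSAL_LIKE.test(sentPayload);
  // Heuristic (assumption of this example): no usable JSON together with an
  // unexpected status suggests something between browser and app answered.
  const suspectIntermediary = data === null && status !== expectedStatus;

  return { ok: findings.length === 0, data, findings, payloadLooksLikeTraversal, suspectIntermediary };
}

// Constructed samples: the blocked request from the thread (202, empty body)
// and an ordinary JSON reply.
const blocked = diagnoseResponse({ status: 202, contentType: '', body: '' }, 'see ..\\docs\\readme');
const normal = diagnoseResponse(
  { status: 200, contentType: 'application/json', body: '{"components":[]}' },
  'plain text'
);
console.log(blocked);
console.log(normal);
```

In a browser the first argument would be built from a `fetch` response: `res.status`, `res.headers.get('content-type')` and `await res.text()`.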
