
Forbidden error thrown when `limit` is only keyword in POST query

Open matthewhanson opened this issue 3 years ago • 2 comments

When only providing the limit keyword it works fine with GET:

https://earth-search.aws.element84.com/v1/search?limit=10

but POST throws an error when only the `limit` keyword is provided. Using pystac-client to test:

stac-client search https://earth-search.aws.element84.com/v1 --matched --logging DEBUG
DEBUG:pystac_client.stac_api_io:POST https://earth-search.aws.element84.com/v1/search Headers: {'User-Agent': 'python-requests/2.28.1', 'Accept-Encoding': 'gzip, deflate, br', 'Accept': '*/*', 'Connection': 'keep-alive', 'Content-Length': '14', 'Content-Type': 'application/json'} Payload: {"limit": 100}
{"message":"Forbidden"}

In contrast, this works:

stac-client search https://earth-search.aws.element84.com/v1 --matched -c sentinel-2-l2a --logging DEBUG
DEBUG:pystac_client.stac_api_io:GET https://earth-search.aws.element84.com/v1 Headers: {'User-Agent': 'python-requests/2.28.1', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive'}
DEBUG:pystac_client.stac_api_io:POST https://earth-search.aws.element84.com/v1/search Headers: {'User-Agent': 'python-requests/2.28.1', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Content-Length': '47', 'Content-Type': 'application/json'} Payload: {"limit": 1, "collections": ["sentinel-2-l2a"]}

We also see this behavior in landsatlook, which also uses stac-server, although it manifests as a CloudFront error rather than Forbidden due to their configuration.

stac-client search https://landsatlook.usgs.gov/stac-server --matched --logging DEBUG
stac-client search https://landsatlook.usgs.gov/stac-server -c landsat-c2l2-sr --matched --logging DEBUG

matthewhanson avatar Nov 18 '22 17:11 matthewhanson

@matthewhanson I've seen an error similar to this when the WAF "Prevent SQL injection" rules are in place. (It sees the "limit" in the body and thinks it's SQL.) That may or may not be the cause here, but something to investigate.

marchuffnagle avatar Nov 21 '22 14:11 marchuffnagle
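A small reproduction harness for the behaviour above, added here as an example and not code from the issue, pystac-client or stac-server. It POSTs the two bodies seen in the debug output (limit-only and limit plus collections) to the search endpoint from the issue and flags the "403 only for the limit-only body" pattern that points at an edge filter such as a WAF rule rather than the API. The transport is injectable so the logic can be checked offline; `post_json` is the only part that touches the network.

```python
"""Probe a STAC search endpoint for the limit-only POST rejection described in the issue."""
import json
import urllib.error
import urllib.request

# Endpoint from the issue; the landsatlook URL could be substituted the same way.
SEARCH_URL = "https://earth-search.aws.element84.com/v1/search"

# The two request bodies from the pystac-client debug output.
PAYLOADS = {
    "limit_only": {"limit": 100},
    "limit_and_collections": {"limit": 1, "collections": ["sentinel-2-l2a"]},
}


def encode_body(body):
    """Serialise exactly as the debug log shows (json.dumps default separators)."""
    return json.dumps(body).encode()


def post_json(url, body):
    """Real transport: POST a JSON body and return (status, response_text)."""
    req = urllib.request.Request(
        url, data=encode_body(body), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        # A 403 from a WAF arrives here, with the {"message":"Forbidden"} body.
        return err.code, err.read().decode()


def probe(url=SEARCH_URL, transport=post_json):
    """Send each payload and record the HTTP status it received."""
    return {name: transport(url, body)[0] for name, body in PAYLOADS.items()}


def looks_like_edge_filter(results):
    """True when only the limit-only body is rejected with 403: the API accepts the
    richer body, so the rejection is happening in front of it (WAF, CDN rule)."""
    return results["limit_only"] == 403 and results["limit_and_collections"] == 200


if __name__ == "__main__":
    outcome = probe()
    verdict = "edge filter suspected" if looks_like_edge_filter(outcome) else "no filter pattern"
    print(outcome, verdict)
```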

  • https://github.com/stac-utils/stac-server/issues/240

philvarner avatar Nov 21 '22 15:11 philvarner