entries have addition unset fields #176
Comments
This is happening on my site as well. I renamed the field as a workaround in the meantime.
Just made a quick test and it's confirmed here too:
I made another test and the
Noticing the same thing across a couple repos. Not exactly sure how to reproduce it as it doesn't always happen. The only common pattern I've noticed is Example:

```yaml
_id: 41f07470-17bf-11e8-b61b-7b344215416b
message: ' '
url: ''
approved: false
title: Comment
layout: post
```

mmistakes/made-mistakes-jekyll@25eef09
This is bizarre. I’m not testing any new feature (and wouldn’t do so on the live API anyway). I’ll try to look into this in the next couple of days.
Trying to find a pattern common to people having this issue. Do you have moderation enabled or disabled? Are you all using Jekyll?
This happened to me using Hexo with moderation enabled. However, the issue disappeared a week ago when I added new fields.
Jekyll and moderation on both sites. The strange thing is one doesn’t have a
shouldn't the "allowedFields" parameters cause staticman to deny any extra fields submitted?
I'm trying to capture the actual post request and response in my browser's developer tools, but of course I can't even duplicate the bug right now.
details for me: GitHub pages (Jekyll), StaticMan V2, moderation enabled
Details: GitHub Pages (Jekyll), Staticman V2, Moderation enabled. Right now I can't replicate the bug. The last time I could was 2 days ago, where the
I'm using Hugo with Staticman V2, moderation enabled. Observed additional fields vary from entry to entry. But all the entries were created by spam bots this year. Some of the fields are
Sorry for the slow response on my part on this issue. This is a really difficult issue to replicate. First of all, has anyone seen an instance of this where the submission was not sent by a spam bot? This is important to understand whether Staticman is simply processing the fields it receives, or whether it's somehow injecting random fields on its own (I think the latter is very unlikely). Also, can each of you confirm whether you're using This doesn't explain, however, reports of extra fields being added with content (e.g.
Yes I am, in Actually, the first example given by @hendrixjoseph is what you are looking for: the popcorn site has
Are you able to replicate this yourself?
No, I cannot. All the pull requests in my repo with this problem were submitted by spam bots.
I really don't understand how they are coming through. 😞
I have added some logging at request level for debugging, so I'll keep an eye on it in the next few days to see what's up.
So another new comment went through 3 hours ago, I wonder if you caught it in log. The file content is as follows:

```yaml
_id: e7b19280-2b5c-11e8-86f2-611b1a84ae15
content: "I Ԁdo know!? Sɑid Larry. ?I wager he likes angeⅼs aas a reѕult of hhe has \r\ntheem around all of the time. Possibly he and thе \r\nangels play houseһold gaеs like we do sometіmes. Possibly they play \r\nMonopoly.? This mwde Mommy chortle really hard."
name: example.net
email: 29218ddb8706250663d6999551c2c519
url: 'http://example.net/'
date: 1521453866
layout: post
```

Notice: I've replaced the website URL and user name with an example domain, other characters remain unchanged.
@JokerQyou Can you show me the contents of your
I made a test comment to the Popcorn demo site earlier today, and noticed it was leaking
This is super useful information, thank you both. I'll keep working on tracking it down.
```yaml
comments:
  allowedFields: ["name", "email", "url", "content", "reply_to"]
  allowedOrigins: ["example.net"]
  branch: "master"
  commitMessage: "Staticman: new comment posted"
  filename: "comment-{@timestamp}"
  format: "yml"
  extension: "yaml"
  generatedFields:
    date:
      type: date
      options:
        format: "timestamp-seconds"
  moderation: true
  name: "XXX"
  path: "data/comments/{options.entryId}"
  requiredFields: ["name", "email", "content"]
  transforms:
    email: md5
```
For a while the problem seemed to vanish, but seeing the updates here I tested once again and the extra fields are being injected. No spam bots, just submitting manually from this page. staticman.yml:

```yaml
test:
  allowedFields: ["name", "age"]
  branch: "master"
  filename: "{@id}"
  format: "json"
  moderation: true
  path: "_data/test"
  requiredFields: ["name", "age"]
```

Last pull request from Staticman: https://github.com/IanCaio/staticmanapptest/pull/16
I'm really sorry, but I haven't had the time to look into this. I'm starting to think that keeping a public instance of Staticman isn't feasible unless there's more people available to look after it. @chmac The public instance is running on Heroku. I appreciate all the time everyone is putting into tracking this down and, again, apologies for my lack of availability to look into this.
@eduardoboucas Totally understand, open source is hard, especially infrastructure. Really appreciate all the work you've put in already. I'm definitely happy to debug. Can I see logs on Heroku? That would be the only challenge. You can also lock
Log `fields` multiple times per request. #176
I've added more debugging calls. But now that the app has been restarted, the problem has disappeared. I think it will only appear after some time. If you see this issue from now on, please let me know ASAP and hopefully the extra logs will shed some light on the issue. For now, I guess all we can do is wait...
This should remove all of the `logger.info()` calls we used to track down eduardoboucas#176.
…ig tests This change primarily addresses the Staticman tests. It appears that most Staticman tests had been ignored by accident via an errant `jest.only` and were not actually running. Some of the site config tests were also failing and logging unnecessarily (this is due to a log statement from eduardoboucas#176 still remaining in the codebase). The site config test helper `getConfig` has also been refactored to remove the special handling of the `recaptcha.secret`. Upon removal there doesn't seem to have been any notable problems and tests are passing (after some cleanup in relevant areas).
Any idea if this issue is really fixed? I'm still getting dozens of spam per week, with empty fields added to the list of allowed ones. I've set up a honeypot on my site but no luck so far, the spam keeps getting through.
@fbnlsr what is the site / repo you're getting this issue on?
@hendrixjoseph The site is https://www.primative.net The repo is here: https://github.com/fbnlsr/primative.net
@fbnlsr I had a quick look at your repo and the closed PRs, but I couldn't find any comments with additional fields added. I saw spam, but only your specified fields. Can you point us at a PR which has the extra fields?
You're right, I might have confused additional fields with how GitHub presents the PR and formats the table. I guess I need to work on my spam filter then, I've set up a honeypot but it seems it's not enough :(
I am really aware of the spam issue, could not stop it so I switched to Disqus, even with reCAPTCHA and honeypots and form validation JS = spam spam...
Staticman entries are having fields that are not set. For instance, with this entry on the popcorn demo site:
eduardoboucas/popcorn#2220
It has fields "layout" and "message" which, as far as I can tell, should not be there. For instance, this older entry does not have these extra fields:
eduardoboucas/popcorn#2196
It also seems these fields are overwriting any fields that have the same name. This entry on my site:
hendrixjoseph/hendrixjoseph.github.io#135
Has a blank entry for "message" which should not be empty.