Webhook error

Hello, hoping someone has suggestions to get around a Sugar error/bug (https://portal.sugarondemand.com/#supp_Bugs/82879) that hasn't been addressed.

We've created several webhooks to fire when we add/update several types of records (Contacts, Accounts, etc.). We've found that if the record in the specific module is being updated, the webhook fires correctly and passes the appropriate JSON info to the destination. However, if the record is being ADDed for the first time, the webhook is called but eventually times out and upon investigation, it looks like Sugar is trying to send over 100MB of data.

The record is created in Sugar - of course because the webhook is firing after update - but since the webhook fails, the subsequent call to our targets fails.

This is a known error to Sugar (since version 9) and hard to imagine that they wouldn't have addressed this break of core functionality - but they haven't.  They can't or won't recommend work-arounds and have no comment on when or if they will address the issue.

In another club discussion, someone recommended upping the limits in our MySQL to handle 100MB+ of data.  That's not a good answer for us - we don't want to send 100MB+ on every one of our transactions.

Does anyone have any suggestions - that don't involve buying third-party products - to get around this issue?  Thanks very much.

Bob
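One receiver-side guard against the timeout described above, added here as an example and not code from SugarCRM or from anyone in this thread: the destination inspects the request headers before reading the body and refuses anything larger than a sane per-record limit, so an oversized POST fails fast with a logged 413 instead of hanging while 100MB streams in. The 1 MiB limit, the JSON content type and the use of Python's standard `http.server` are assumptions, not anything the thread specifies.

```python
"""Size-limited webhook receiver (added example, not SugarCRM code).

Assumptions (not from the thread): the receiver is a plain HTTP/1.1 server,
payloads are JSON, and MAX_BODY_BYTES is a limit you pick for your own
integration. A normal record payload is a few KB, so a body far above that
is refused before it is read.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY_BYTES = 1 * 1024 * 1024  # 1 MiB; assumed generous for one CRM record


def check_request(headers: dict, max_bytes: int = MAX_BODY_BYTES):
    """Decide, from headers alone, whether a webhook POST should be read.

    Returns (status_code, reason). 200 means "go ahead and read the body".
    Checking Content-Length before reading lets the receiver refuse a huge
    payload immediately instead of timing out while buffering it.
    Header names are expected in lower case.
    """
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return 415, "expected application/json"
    raw_len = headers.get("content-length")
    if raw_len is None:
        return 411, "Content-Length required"
    try:
        length = int(raw_len)
    except ValueError:
        return 400, "invalid Content-Length"
    if length < 0:
        return 400, "invalid Content-Length"
    if length > max_bytes:
        return 413, f"payload {length} bytes exceeds limit {max_bytes}"
    return 200, "ok"


def parse_payload(body: bytes) -> dict:
    """Parse the JSON body; raise ValueError if it is not a JSON object."""
    data = json.loads(body.decode("utf-8"))  # both errors are ValueError subclasses
    if not isinstance(data, dict):
        raise ValueError("payload must be a JSON object")
    return data


class WebhookHandler(BaseHTTPRequestHandler):
    """Minimal POST handler that applies check_request before reading."""

    def do_POST(self):
        hdrs = {k.lower(): v for k, v in self.headers.items()}
        status, reason = check_request(hdrs)
        if status != 200:
            # Refuse before reading the body: an oversize request is logged,
            # never buffered, and the connection is closed so the sender stops.
            self.log_message("rejected webhook: %s %s", status, reason)
            self.send_response(status)
            self.send_header("Connection", "close")
            self.end_headers()
            return
        body = self.rfile.read(int(hdrs["content-length"]))
        try:
            record = parse_payload(body)
        except ValueError as exc:
            self.log_message("bad webhook body: %s", exc)
            self.send_response(400)
            self.end_headers()
            return
        # Hypothetical downstream step: here you would queue the record for
        # the calls to your own targets. We only acknowledge it.
        self.log_message("accepted webhook with %d top-level fields", len(record))
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(b'{"ok": true}')


if __name__ == "__main__":
    # Listen locally; port 8080 is an assumed value for this example.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Rejecting on Content-Length is only a fast-fail: it keeps the receiver healthy and makes the oversized calls visible in its logs, but the Sugar side still has to be fixed for the create-time webhook to deliver a usable payload.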

Parents
  • I reported the bug as a security bug 1.5 years ago.
    Examine the 100MB data sent out and you will know why.
    I guess we should be happy that it is already being worked on. There are security related bugs that have waited even longer for a fix after internal disclosure. See their security advisories to see how fast security related bugs are fixed after (internal) disclosure.


Children
  • This is an excellent observation and a valid question and concern.

    The data does contain a security vulnerability. The important distinction though is between a vulnerability and a risk level/threat level. The risk level is Very Low.

    The fact that this breaks Web Logic Hooks is more critical than the security aspect, and the fact that web hooks are in relatively low use and less-used when broken ends up causing the risk level to be even lower. Together these factors resulted in lower priority of the bug at the time it was reported.

    Specifically, the only risk factor we are aware of in this particular bug is a breach of trust on the transport to the web hook's fielding server and on that server itself. The feature can only be enabled by admins on the Sugar instance, and an admin has access to other methods of acquisition of the released data that are much easier.

    Not all bugs are of equal importance, and this applies to security bugs as well. A security bug with a low or zero risk is not priority or may not be fixed at all depending on the tradeoff costs.

    A person's elbow is vulnerable to injury. That is a vulnerability. If there is a higher risk (sports, for example), then fixes (pads) would be applied. However most humans have unpatched (unpadded) elbows due to a low risk level and the tradeoff cost (lack of flexibility, cost of the pads, odd looks) of wearing elbow pads everywhere.

    If you are aware of factors that would increase the risk level - for this or any other security issue you have reported or are aware of -  we will always accept that information and add it to our assessment, then take action as needed.

    We take security seriously, and security is a balance. If a security bug has a high risk level or is a substantial threat, then it is addressed quickly and hotfixed in many cases. If you don't see movement on a security concern, our analysis considers it to be as much risk to SugarCRM users as a bare elbow is a risk of injury to an average person.