Comments (5)
Hi. I'm in no way related to the team which develops the MSRC PowerShell module. I'm only a somewhat advanced Windows user. I can reproduce this issue on PowerShell 4.0. PowerShell 3.0 may be affected as well but Invoke-RestMethod is broken in that version anyway.
The problem lies in the JsonObject class that Invoke-RestMethod uses to convert the server response to a PowerShell object, provided the Content-Type header specifies "application/json". The ConvertFromJson method creates an instance of JavaScriptSerializer from the System.Web.Extensions assembly to deserialize the JSON-formatted response into a collection of arrays and dictionaries. This class has a MaxJsonLength property that is initialized to 2097152 characters by default. When the server response exceeds this limit, the Deserialize method of JavaScriptSerializer throws ArgumentException. Invoke-RestMethod discards this exception silently and returns the original string instead.
You may think ConvertFrom-Json should do the trick, but it won't. In fact, ConvertFrom-Json also relies on JsonObject but it doesn't catch any exceptions. If you execute Get-MsrcCvrfDocument -ID 2017-Jun | ConvertFrom-Json, the following error message appears: "Error during serialization or deserialization using the JSON JavaScriptSerializer. The length of the string exceeds the value set on the maxJsonLength property."
PowerShell 5.0 and 5.1 are not affected because JsonObject raises the value of the MaxJsonLength property to Int32.MaxValue (2147483647). It is very unlikely to hit that limit in practice.
Workaround
If you can't upgrade your version of PowerShell, you can check if the data returned by Get-MsrcCvrfDocument is a string (I believe $data -is [string] should work), then create a JavaScriptSerializer instance, set its MaxJsonLength property to a sensible value and call DeserializeObject yourself. However, this is not enough. The JavaScriptSerializer deserializer returns a collection which Get-MsrcSecurityBulletinHtml and Get-MsrcVulnerabilityReportHtml don't understand. Those collection objects must be converted to PowerShell objects first. JsonObject does this transformation as part of its Deserialize methods, but the implementation is not accessible from outside.
Florian Feldhaus provides alternative helper functions in the Stack Overflow discussion ConvertFrom-Json max length. Chris Wahl discusses the problem as well in Deserializing Large JSON Payloads into a PowerShell Hashtable.
Important: the ParseJsonObject function has a bug. When $item equals zero, the if ($item) test will evaluate to false. Therefore, the else block will assign $null to $parsedItem instead of the number zero. You might want to replace the entire if-else block with ParseItem $item. The original code causes Get-MsrcVulnerabilityReportHtml to emit a lot of "Could not determine the Impact from the Threats" warnings.
from msrc-microsoft-security-updates-api.
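The workaround described in the comment above, written out as an added example for Windows PowerShell 4.0; it is not code from the thread or from the MsrcSecurityUpdates module. The function names ConvertTo-PSObjectTree and ConvertFrom-LargeJson and the output file name are hypothetical, and MaxJsonLength is set to the Int32.MaxValue figure the comment cites for PowerShell 5.x.

```powershell
# Added example for Windows PowerShell 4.0. Function names are hypothetical
# and are not part of the MsrcSecurityUpdates module.
Add-Type -AssemblyName System.Web.Extensions

function ConvertTo-PSObjectTree {
    param($Item)

    # Test for $null explicitly: "if ($Item)" would also discard 0, '' and $false.
    if ($null -eq $Item) { return $null }

    if ($Item -is [System.Collections.IDictionary]) {
        # JSON object -> PSObject with one property per key, order preserved.
        $props = [ordered]@{}
        foreach ($key in $Item.Keys) {
            $props[$key] = ConvertTo-PSObjectTree -Item $Item[$key]
        }
        return New-Object -TypeName PSObject -Property $props
    }

    if ($Item -is [System.Collections.IEnumerable] -and $Item -isnot [string]) {
        # JSON array -> object[]; the leading comma stops PowerShell from
        # unrolling empty or single-element arrays on return.
        $list = New-Object System.Collections.ArrayList
        foreach ($element in $Item) {
            [void]$list.Add((ConvertTo-PSObjectTree -Item $element))
        }
        return ,$list.ToArray()
    }

    # Scalars (string, number, boolean) pass through unchanged.
    return $Item
}

function ConvertFrom-LargeJson {
    param([Parameter(Mandatory = $true)][string]$Json)

    $serializer = New-Object System.Web.Script.Serialization.JavaScriptSerializer
    # Default is 2097152 characters; larger input makes Deserialize throw.
    $serializer.MaxJsonLength = [int]::MaxValue
    ConvertTo-PSObjectTree -Item $serializer.DeserializeObject($Json)
}

# If Invoke-RestMethod silently fell back to the raw response, $data is a string.
$data = Get-MsrcCvrfDocument -ID 2017-Jun
if ($data -is [string]) {
    $data = ConvertFrom-LargeJson -Json $data
}
$data | Get-MsrcVulnerabilityReportHtml | Out-File -FilePath 2017-Jun-report.html
```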
@rsola Thanks for digging through and finding out the root cause! I have to say, that was one of the best technical write-ups I have read in a while!
from msrc-microsoft-security-updates-api.
Thanks for filing the issue, much appreciated!
Have you tried Get-MsrcVulnerabilityReportHtml? We've been putting more work into that function and are considering removing the old one (Get-MsrcSecurityBulletinHtml).
Note: if we remove Get-MsrcSecurityBulletinHtml you will still be able to get it via older versions of the module on the PowerShell Gallery, like this:
Install-Module -Name MsrcSecurityUpdates -MaximumVersion 1.7.2
from msrc-microsoft-security-updates-api.
Thank you, @ms-AlexDavis! I appreciate your words. I encountered this problem myself and I wanted to know why it happened. Not everyone runs the latest, shiniest version of Windows PowerShell. 😉
I came here and I was lucky to find the message written by @mm1382. This situation encouraged me to research the problem and share my findings. Determining the root cause of an issue is sometimes hard but very rewarding. It is even more satisfying when you know you helped someone. English is not my native language, so writing for an international audience can be a bit of a challenge.
from msrc-microsoft-security-updates-api.
Thanks, @craig-martin
But, using Get-MsrcVulnerabilityReportHtml instead of Get-MsrcSecurityBulletinHtml as detailed in Microsoft Blog, throws the same error:
PS D:\WSUS-install> Get-MsrcCvrfDocument -ID 2017-Mar | Get-MsrcVulnerabilityReportHtml | Out-File -FilePath 2017-Mar-Cvrf-CVE-Summary.html
Get-MsrcVulnerabilityReportHtml : The input object cannot be bound to any parameters for the command either because
the command does not take pipeline input or the input and its properties do not match any of the parameters that take
pipeline input.
At line:1 char:37
+ Get-MsrcCvrfDocument -ID 2017-Mar | Get-MsrcVulnerabilityReportHtml | Out-File - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: ({
"DocumentT...
}
]
}:PSObject) [Get-MsrcVulnerabilityReportHtml], ParameterBindingException
+ FullyQualifiedErrorId : InputObjectNotBound,Get-MsrcVulnerabilityReportHtml
from msrc-microsoft-security-updates-api.