Fail on malformed JSON payloads in register endpoint (#24)

This commit is contained in:
Joona Hoikkala 2017-11-15 13:52:27 +02:00 committed by GitHub
parent 02d42bff30
commit b0cd264c71
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 58 additions and 8 deletions

14
api.go
View File

@ -3,6 +3,7 @@ package main
import ( import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil"
"net/http" "net/http"
"github.com/julienschmidt/httprouter" "github.com/julienschmidt/httprouter"
@ -22,7 +23,18 @@ func webRegisterPost(w http.ResponseWriter, r *http.Request, _ httprouter.Params
var regStatus int var regStatus int
var reg []byte var reg []byte
aTXT := ACMETxt{} aTXT := ACMETxt{}
json.NewDecoder(r.Body).Decode(&aTXT) bdata, _ := ioutil.ReadAll(r.Body)
if bdata != nil && len(bdata) > 0 {
err := json.Unmarshal(bdata, &aTXT)
if err != nil {
regStatus = http.StatusBadRequest
reg = jsonError("malformed_json_payload")
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(regStatus)
w.Write(reg)
return
}
}
// Create new user // Create new user
nu, err := DB.Register(aTXT.AllowFrom) nu, err := DB.Register(aTXT.AllowFrom)
if err != nil { if err != nil {

View File

@ -35,6 +35,17 @@ func noAuth(update httprouter.Handle) httprouter.Handle {
} }
} }
func getExpect(t *testing.T, server *httptest.Server) *httpexpect.Expect {
return httpexpect.WithConfig(httpexpect.Config{
BaseURL: server.URL,
Reporter: httpexpect.NewAssertReporter(t),
Printers: []httpexpect.Printer{
httpexpect.NewCurlPrinter(t),
httpexpect.NewDebugPrinter(t, true),
},
})
}
func setupRouter(debug bool, noauth bool) http.Handler { func setupRouter(debug bool, noauth bool) http.Handler {
api := httprouter.New() api := httprouter.New()
var dbcfg = dbsettings{ var dbcfg = dbsettings{
@ -72,7 +83,7 @@ func TestApiRegister(t *testing.T) {
router := setupRouter(false, false) router := setupRouter(false, false)
server := httptest.NewServer(router) server := httptest.NewServer(router)
defer server.Close() defer server.Close()
e := httpexpect.New(t, server.URL) e := getExpect(t, server)
e.POST("/register").Expect(). e.POST("/register").Expect().
Status(http.StatusCreated). Status(http.StatusCreated).
JSON().Object(). JSON().Object().
@ -103,11 +114,38 @@ func TestApiRegister(t *testing.T) {
response.Value("allowfrom").Array().Elements("123.123.123.123/32") response.Value("allowfrom").Array().Elements("123.123.123.123/32")
} }
func TestApiRegisterMalformedJSON(t *testing.T) {
router := setupRouter(false, false)
server := httptest.NewServer(router)
defer server.Close()
e := getExpect(t, server)
malPayloads := []string{
"{\"allowfrom': '1.1.1.1/32'}",
"\"allowfrom\": \"1.1.1.1/32\"",
"{\"allowfrom\": \"[1.1.1.1/32]\"",
"\"allowfrom\": \"1.1.1.1/32\"}",
"{allowfrom: \"1.2.3.4\"}",
"{allowfrom: [1.2.3.4]}",
"whatever that's not a json payload",
}
for _, test := range malPayloads {
e.POST("/register").
WithBytes([]byte(test)).
Expect().
Status(http.StatusBadRequest).
JSON().Object().
ContainsKey("error").
NotContainsKey("subdomain").
NotContainsKey("username")
}
}
func TestApiRegisterWithMockDB(t *testing.T) { func TestApiRegisterWithMockDB(t *testing.T) {
router := setupRouter(false, false) router := setupRouter(false, false)
server := httptest.NewServer(router) server := httptest.NewServer(router)
defer server.Close() defer server.Close()
e := httpexpect.New(t, server.URL) e := getExpect(t, server)
oldDb := DB.GetBackend() oldDb := DB.GetBackend()
db, mock, _ := sqlmock.New() db, mock, _ := sqlmock.New()
DB.SetBackend(db) DB.SetBackend(db)
@ -125,7 +163,7 @@ func TestApiUpdateWithoutCredentials(t *testing.T) {
router := setupRouter(false, false) router := setupRouter(false, false)
server := httptest.NewServer(router) server := httptest.NewServer(router)
defer server.Close() defer server.Close()
e := httpexpect.New(t, server.URL) e := getExpect(t, server)
e.POST("/update").Expect(). e.POST("/update").Expect().
Status(http.StatusUnauthorized). Status(http.StatusUnauthorized).
JSON().Object(). JSON().Object().
@ -143,7 +181,7 @@ func TestApiUpdateWithCredentials(t *testing.T) {
router := setupRouter(false, false) router := setupRouter(false, false)
server := httptest.NewServer(router) server := httptest.NewServer(router)
defer server.Close() defer server.Close()
e := httpexpect.New(t, server.URL) e := getExpect(t, server)
newUser, err := DB.Register(cidrslice{}) newUser, err := DB.Register(cidrslice{})
if err != nil { if err != nil {
t.Errorf("Could not create new user, got error [%v]", err) t.Errorf("Could not create new user, got error [%v]", err)
@ -176,7 +214,7 @@ func TestApiUpdateWithCredentialsMockDB(t *testing.T) {
router := setupRouter(false, true) router := setupRouter(false, true)
server := httptest.NewServer(router) server := httptest.NewServer(router)
defer server.Close() defer server.Close()
e := httpexpect.New(t, server.URL) e := getExpect(t, server)
oldDb := DB.GetBackend() oldDb := DB.GetBackend()
db, mock, _ := sqlmock.New() db, mock, _ := sqlmock.New()
DB.SetBackend(db) DB.SetBackend(db)
@ -202,7 +240,7 @@ func TestApiManyUpdateWithCredentials(t *testing.T) {
router := setupRouter(true, false) router := setupRouter(true, false)
server := httptest.NewServer(router) server := httptest.NewServer(router)
defer server.Close() defer server.Close()
e := httpexpect.New(t, server.URL) e := getExpect(t, server)
// User without defined CIDR masks // User without defined CIDR masks
newUser, err := DB.Register(cidrslice{}) newUser, err := DB.Register(cidrslice{})
if err != nil { if err != nil {
@ -262,7 +300,7 @@ func TestApiManyUpdateWithIpCheckHeaders(t *testing.T) {
router := setupRouter(false, false) router := setupRouter(false, false)
server := httptest.NewServer(router) server := httptest.NewServer(router)
defer server.Close() defer server.Close()
e := httpexpect.New(t, server.URL) e := getExpect(t, server)
// Use header checks from default header (X-Forwarded-For) // Use header checks from default header (X-Forwarded-For)
Config.API.UseHeader = true Config.API.UseHeader = true
// User without defined CIDR masks // User without defined CIDR masks