
PREvant rejects requests for app names with spaces or slashes in them

schrieveslaach committed Jul 10, 2019
1 parent ddc4d4e commit 0e3de1f6ce3bfea59130fa3c4f47332bb9ee4b1b
Showing with 593 additions and 392 deletions.
  1. +434 −381 api/Cargo.lock
  2. +3 −2 api/Cargo.toml
  3. +9 −5 api/src/apps.rs
  4. +2 −0 api/src/main.rs
  5. +137 −0 api/src/models/app_name.rs
  6. +3 −0 api/src/models/mod.rs
  7. +2 −2 api/src/services/service_templating.rs
  8. +3 −2 api/src/webhooks.rs


@@ -17,6 +17,7 @@ failure = "0.1"
futures = "0.1"
handlebars = "1.1"
hyper = "0.10"
lazy_static = "1.3"
log = "0.4"
multimap = "0.4"
serde = "1.0"
@@ -45,8 +46,8 @@ version = "0.12"
features = ["with_rocket"]

[dependencies.shiplift]
git = "https://github.com/schrieveslaach/shiplift.git"
rev = "5b775124537e78c1db307230c45c1f91e1d8353b"
git = "https://github.com/softprops/shiplift.git"
rev = "7d9718b33764dea4a85859e94337e471de091332"
default-features = false
features = ["unix-socket"]

@@ -26,11 +26,11 @@

use crate::models::request_info::RequestInfo;
use crate::models::service::{Service, ServiceConfig};
use crate::models::{AppName, AppNameError};
use crate::services::apps_service::AppsService;
use http_api_problem::HttpApiProblem;
use multimap::MultiMap;
use rocket::data::{self, FromDataSimple};
use rocket::http::RawStr;
use rocket::http::Status;
use rocket::request::{Form, Request};
use rocket::Outcome::{Failure, Success};
@@ -57,11 +57,13 @@ pub fn apps(

#[delete("/apps/<app_name>", format = "application/json")]
pub fn delete_app(
app_name: &RawStr,
app_name: Result<AppName, AppNameError>,
apps_service: State<AppsService>,
request_info: RequestInfo,
) -> Result<Json<Vec<Service>>, HttpApiProblem> {
let mut services = apps_service.delete_app(&app_name.to_string())?;
let app_name = app_name?;

let mut services = apps_service.delete_app(&app_name)?;

for service in services.iter_mut() {
service.set_base_url(request_info.get_base_url());
@@ -76,14 +78,16 @@ pub fn delete_app(
data = "<service_configs_data>"
)]
pub fn create_app(
app_name: &RawStr,
app_name: Result<AppName, AppNameError>,
apps_service: State<AppsService>,
create_app_form: Form<CreateAppOptions>,
request_info: RequestInfo,
service_configs_data: ServiceConfigsData,
) -> Result<Json<Vec<Service>>, HttpApiProblem> {
let app_name = app_name?;

let mut services = apps_service.create_or_update(
&app_name.to_string(),
&app_name,
create_app_form.replicate_from().clone(),
&service_configs_data.service_configs,
)?;
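Review bot: The change of `app_name` to `Result<AppName, AppNameError>` in `delete_app` and `create_app` deserves a comment, because a reader may expect a failed `FromParam` to reject the request before the handler runs. Taking the `Result` means (as I understand Rocket's handling of `Result` path parameters) the handler is still invoked on a parse failure, and `let app_name = app_name?;` converts the error into an `HttpApiProblem`, which per the `From<AppNameError>` impl in app_name.rs answers with 400 instead of letting the request fall through to another route. Suggested comment above each `let app_name = app_name?;`: `// A rejected app name is answered here as 400 (From<AppNameError> for HttpApiProblem) rather than forwarded to the next route.` Both handler bodies continue past the end of their hunks.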
@@ -33,6 +33,8 @@ extern crate clap;
#[macro_use]
extern crate failure;
#[macro_use]
extern crate lazy_static;
#[macro_use]
extern crate log;
#[macro_use]
extern crate rocket;
@@ -0,0 +1,137 @@
/*-
* ========================LICENSE_START=================================
* PREvant REST API
* %%
* Copyright (C) 2018 - 2019 aixigo AG
* %%
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
* =========================LICENSE_END==================================
*/

use http_api_problem::{HttpApiProblem, StatusCode};
use regex::Regex;
use rocket::http::RawStr;
use rocket::request::FromParam;
use std::collections::HashSet;
use std::ops::Deref;
use std::str::{FromStr, Utf8Error};

#[derive(Debug)]
pub struct AppName(String);

impl Deref for AppName {
type Target = String;

fn deref(&self) -> &Self::Target {
&self.0
}
}

impl FromStr for AppName {
type Err = AppNameError;

fn from_str(name: &str) -> Result<Self, Self::Err> {
lazy_static! {
static ref INVALID_CHARS_REGEX: Regex = Regex::new("(\\s|/)").unwrap();
}

match INVALID_CHARS_REGEX.captures(name) {
None => Ok(AppName(name.to_string())),
Some(captures) => {
let invalid_chars = captures
.iter()
.filter_map(|c| c)
.map(|c| c.as_str())
.collect::<HashSet<&str>>()
.into_iter()
.collect::<Vec<&str>>()
.join("");

return Err(AppNameError::InvalidChars { invalid_chars });
}
}
}
}

impl<'r> FromParam<'r> for AppName {
type Error = AppNameError;

fn from_param(param: &'r RawStr) -> Result<Self, Self::Error> {
AppName::from_str(&param.url_decode()?)
}
}

#[derive(Debug, Fail)]
pub enum AppNameError {
#[fail(
display = "Invalid characters in app name: “{}” are invalid.",
invalid_chars
)]
InvalidChars { invalid_chars: String },
#[fail(display = "Invalid url encoded parameter: {}", err)]
InvalidUrlDecodedParam { err: String },
}

impl From<Utf8Error> for AppNameError {
fn from(err: Utf8Error) -> Self {
AppNameError::InvalidUrlDecodedParam {
err: format!("{}", err),
}
}
}

impl From<AppNameError> for HttpApiProblem {
fn from(err: AppNameError) -> Self {
HttpApiProblem::with_title_from_status(StatusCode::BAD_REQUEST)
.set_detail(format!("{}", err))
}
}

#[cfg(test)]
mod tests {
use super::*;

#[test]
fn should_create_app_name_from_str() {
let app_name = AppName::from_str("master").unwrap();

assert_eq!(app_name.0, "master");
}

#[test]
fn should_create_app_name_from_utf_str() {
let app_name = AppName::from_str("Üߥ$Ω").unwrap();

assert_eq!(app_name.0, "Üߥ$Ω");
}

#[test]
fn should_not_create_app_name_app_name_contains_whitespaces() {
let app_name = AppName::from_str(" master\n ");

assert!(app_name.is_err());
}

#[test]
fn should_not_create_app_name_app_name_contains_slashes() {
let app_name = AppName::from_str("feature/xxx");

assert!(app_name.is_err());
}
}
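Review bot: `from_str` accepts the empty string: `INVALID_CHARS_REGEX.captures("")` returns `None`, so `AppName::from_str("")` yields `Ok(AppName(""))`, and neither the tests in this file nor the handlers in apps.rs catch that. `captures` also reports only the first match, and group 0 and group 1 of `(\s|/)` are always the same text, so the `HashSet` → `Vec` → `join` chain can never produce more than one character; `find_iter` would list every offending character as the error message promises. The rewrite below adds an empty-name guard and switches to `find_iter`; it needs a new `Empty` variant on `AppNameError` with its own `#[fail(display = ...)]` message, plus a test asserting `AppName::from_str("").is_err()`. Since the name is checked only against a denylist of whitespace and `/`, characters such as `\`, `:` or control characters still pass; if the name ends up in container names or file paths (not visible here), an allowlist would be the safer rule, though the `Üߥ$Ω` test shows non-ASCII is meant to be accepted.
```rust
fn from_str(name: &str) -> Result<Self, Self::Err> {
    // … unchanged: INVALID_CHARS_REGEX lazy_static …

    // An empty segment would otherwise validate as a legal app name.
    if name.is_empty() {
        return Err(AppNameError::Empty);
    }

    // find_iter reports every offending character, not just the first match.
    let invalid_chars = INVALID_CHARS_REGEX
        .find_iter(name)
        .map(|m| m.as_str())
        .collect::<HashSet<&str>>()
        .into_iter()
        .collect::<Vec<&str>>()
        .join("");

    if invalid_chars.is_empty() {
        Ok(AppName(name.to_string()))
    } else {
        Err(AppNameError::InvalidChars { invalid_chars })
    }
}
```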
@@ -24,6 +24,9 @@
* =========================LICENSE_END==================================
*/

pub use app_name::{AppName, AppNameError};

mod app_name;
pub mod request_info;
pub mod service;
pub mod ticket_info;
@@ -115,7 +115,7 @@ fn is_not_companion<'reg, 'rc>(
r: &'reg Handlebars,
ctx: &Context,
rc: &mut RenderContext<'reg>,
out: &mut Output,
out: &mut dyn Output,
) -> HelperResult {
let s = h
.param(0)
@@ -143,7 +143,7 @@ fn is_companion<'reg, 'rc>(
r: &'reg Handlebars,
ctx: &Context,
rc: &mut RenderContext<'reg>,
out: &mut Output,
out: &mut dyn Output,
) -> HelperResult {
let s = h
.param(0)
@@ -28,11 +28,12 @@ use crate::apps::delete_app;
use crate::models::request_info::RequestInfo;
use crate::models::service::Service;
use crate::models::web_hook_info::WebHookInfo;
use crate::models::AppName;
use crate::services::apps_service::AppsService;
use http_api_problem::HttpApiProblem;
use rocket::http::RawStr;
use rocket::State;
use rocket_contrib::json::Json;
use std::str::FromStr;

#[post("/webhooks", format = "application/json", data = "<web_hook_info>")]
pub fn webhooks(
@@ -48,7 +49,7 @@ pub fn webhooks(
);

delete_app(
&RawStr::from_str(&web_hook_info.get_app_name()),
AppName::from_str(&web_hook_info.get_app_name()),
apps_service,
request_info,
)
