Guard against non-xml releases in xml get_update_blob (#3081)
Fixes #3069
jcristau committed Dec 20, 2023
1 parent e18b83a commit 4a471a0
Showing 2 changed files with 10 additions and 1 deletion.
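--- a/src/auslib/web/public/client.py
+++ b/src/auslib/web/public/client.py
@@ -7,7 +7,8 @@
 from flask import make_response
 
 from auslib.AUS import FORCE_FALLBACK_MAPPING, FORCE_MAIN_MAPPING
-from auslib.blobs.base import createBlob
+from auslib.blobs.base import XMLBlob, createBlob
+from auslib.errors import BadDataError
 from auslib.global_state import dbo
 from auslib.services import releases
 from auslib.web.public.helpers import AUS, get_aus_metadata_headers, get_content_signature_headers, with_transaction
@@ -147,6 +148,8 @@ def get_update_blob(transaction, **url):
 
 # passing {},None returns empty xml
 if release:
+if not isinstance(release, XMLBlob):
+raise BadDataError("Wrong blob type")
 response_products = release.getResponseProducts()
 response_blobs = []
 response_blob_names = release.getResponseBlobs()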
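Review bot: The `isinstance(release, XMLBlob)` guard added under `if release:` in get_update_blob checks only the top-level release, while `release.getResponseProducts()` and `release.getResponseBlobs()` just below feed code that lies outside this hunk. If that code loads further releases by product or blob name and calls XML methods on them, a non-XML blob reached that way would presumably fail in the same way, so the same check belongs at each of those lookups. The guard also deserves a why-comment, for example `# an update.xml request can resolve to a non-XML release (e.g. Guardian); reject it instead of calling XML-only methods on it`. get_update_blob starts and ends outside the hunk.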
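--- a/tests/web/test_json.py
+++ b/tests/web/test_json.py
@@ -457,3 +457,9 @@ def testGuardianResponseV2WithGradualRollout(client, forceValue, response):
 assert ret.get_json() == response
 assert ret.headers["Content-Signature"] == "x5u=https://this.is/a.x5u; p384ecdsa=abcdef"
 auslib.web.public.helpers.make_hash.assert_called_once_with(ret.text)
+
+
+@pytest.mark.usefixtures("guardian_db")
+def testXMLForGuardianBlob(client):
+ret = client.get("/update/1/Guardian/0.4.0.0/default/WINNT_x86_64/en-US/release/update.xml")
+assert ret.status_code == 400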
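Review bot: testXMLForGuardianBlob asserts only `ret.status_code == 400`, so it would still pass if some other validation step rejected this URL and the new blob-type guard never ran. If the 400 handler returns the exception message (not visible here), adding `assert "Wrong blob type" in ret.text` would tie the test to the guard; otherwise assert whatever the handler does emit for BadDataError. A one-line docstring such as `"""An update.xml request that resolves to a non-XML (Guardian) release is rejected with 400."""` would also record why the case exists.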
