Merge pull request #179 from zalun/bug_824896-add_whitelist_extra_json

Raise custom exception KeyNotAllowed if one of the extra_json keys is not al...
commit 10f3cff8b12ada4b1794d4eceffe162dc4093b14 2 parents f57f351 + 361af44
@seanmonstar seanmonstar authored
15 apps/jetpack/errors.py
@@ -16,12 +16,15 @@ class DependencyException(SimpleException):
class FilenameExistException(SimpleException):
" This filename already exists - it has to be unique "
+
class IllegalFilenameException(SimpleException):
" This filename contains illegal characters "
+
class IllegalFileException(SimpleException):
" This file is not allowed "
+
class UpdateDeniedException(SimpleException):
" This item may not be updated "
@@ -29,9 +32,11 @@ class UpdateDeniedException(SimpleException):
class AddingAttachmentDenied(SimpleException):
" Attachment may not be added "
+
class AttachmentWriteException(SimpleException):
" Attachment failed to properly save to disk "
+
class AddingModuleDenied(SimpleException):
" Modulke may not be added "
@@ -42,3 +47,13 @@ class SingletonCopyException(SimpleException):
class ManifestNotValid(SimpleException):
" Upload failed due to package.json malfunction "
+
+
+class KeyNotAllowed(SimpleException):
+ " Package keys are whitelisted. "
+
+ def __init__(self, allowed_keys):
+ value = ('Invalid key.<br/>'
+ 'allowed keys: %s'
+ ) % ', '.join(allowed_keys)
+ super(KeyNotAllowed, self).__init__(value)
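Review bot: KeyNotAllowed's message lists the allowed keys but never says which key was rejected, so the caller can only echo a generic list back to the user. Consider an optional parameter, `def __init__(self, allowed_keys, key=None):`, and prefix the message with the rejected key when one is given — but any user-supplied key that ends up in this message must be HTML-escaped (e.g. `django.utils.html.escape`), because the view returns `str(e)` as the response body and the message already carries `<br/>` markup; the current fixed-text message needs no escaping. The bare-string class docstring matches the rest of the file, so that part is fine.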
13 apps/jetpack/models.py
@@ -47,7 +47,8 @@
from jetpack.errors import (SelfDependencyException, FilenameExistException,
UpdateDeniedException, SingletonCopyException,
DependencyException, AttachmentWriteException,
- IllegalFilenameException, IllegalFileException)
+ IllegalFilenameException, IllegalFileException,
+ KeyNotAllowed)
from jetpack.managers import SDKManager, PackageManager
from utils import validator
@@ -789,6 +790,14 @@ def set_version(self, version_name, current=True):
return super(PackageRevision, self).save()
+ @staticmethod
+ def validate_extra_json(extra_json):
+ allowed_keys = ('contributors', 'homepage', 'icon', 'icon64',
+ 'preferences', 'license')
+ for key in extra_json.keys():
+ if key not in allowed_keys:
+ raise KeyNotAllowed(allowed_keys)
+
def set_extra_json(self, extra_json, save=True):
"""
Sets self.extra_json, adds commit message, and saves revision
@@ -801,6 +810,8 @@ def set_extra_json(self, extra_json, save=True):
if extra_json:
# check for valid JSON, plus clean out filenames
json = simplejson.loads(extra_json)
+ # check if the keys are allowed
+ PackageRevision.validate_extra_json(json)
# possible file names: icon, icon64
# also possibly lib, tests, main, but FlightDeck overrides
properties_to_check = ('icon', 'icon64',)
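Review bot: validate_extra_json assumes extra_json is a dict, but `simplejson.loads` at the call site accepts any JSON value, so a submitted array, string or number reaches `extra_json.keys()` and raises AttributeError instead of a controlled error — an unhandled 500 from user input rather than the 400/403 the view produces. Add a type guard before the loop, `if not isinstance(extra_json, dict): raise KeyNotAllowed(allowed_keys)` (or a ValueError, if the view's invalid-JSON handler, which is outside this hunk, catches that), and iterate `for key in extra_json:` rather than `.keys()`. A one-line docstring would help too: `"""Raise KeyNotAllowed if the parsed extra_json dict contains a key outside the whitelist."""`. The enclosing PackageRevision class starts and ends outside the hunk.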
4 apps/jetpack/views.py
@@ -45,7 +45,7 @@
from jetpack.models import (Package, PackageRevision, Module, Attachment, SDK,
EmptyDir, EDITABLE_EXTENSIONS)
from jetpack.errors import (FilenameExistException, DependencyException,
- IllegalFilenameException)
+ IllegalFilenameException, KeyNotAllowed)
from person.models import Profile
@@ -940,6 +940,8 @@ def save(request, revision_id, type_id=None):
'Extra package properties were invalid JSON.')
except IllegalFilenameException, e:
return HttpResponseBadRequest(str(e))
+ except KeyNotAllowed, e:
+ return HttpResponseForbidden(str(e))
response_data['package_extra_json'] = extra_json
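Review bot: the new `except KeyNotAllowed` branch answers with 403 Forbidden while the sibling IllegalFilenameException branch directly above answers 400; a disallowed key in the submitted JSON is a validation failure of the request body, not an authorization failure, so `return HttpResponseBadRequest(str(e))` would be the consistent status and would keep clients from treating it as a permissions problem. Also confirm that HttpResponseForbidden is imported in views.py — the import hunk in this file only adds KeyNotAllowed, and the existing response-class imports are outside the hunk, so this could not be checked here. The surrounding `save` view begins and ends outside the hunk.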