restrict keys to be alphanumeric and >=32 chars

CHANGELOG.rst

@@ -1,4 +1,9 @@
 
+0.6.1
+-----
+
+- restrict keys to be alphanumberic and at least 32 chars long
+
 0.6
 ---
 

cchttpserver.py

@@ -1,4 +1,4 @@
-__version__ = "0.6.0"
+__version__ = "0.6.1"
 
 from flask import Flask, request
 from flask_httpauth import HTTPBasicAuth
@@ -38,6 +38,10 @@ def get(key):
     @app.route('/<key>', methods=["PUT"])
     @auth.login_required
     def put(key):
+        if len(key) < 32:
+            return "key needs to be at least 32 chars long", 400
+        if not key.isalnum():
+            return "key {!r} needs to consist of alpha-numeric characters".format(key), 400
         value = store.get(key)
         if value is not None:
             if value == request.data:

test_cchttpserver.py

@@ -1,4 +1,5 @@
 import base64
+import hashlib
 import pytest
 import cchttpserver
 
@@ -19,34 +20,38 @@ def app(tmpdir):
     return app.test_client()
 
 
+def get_key(data):
+    m = hashlib.md5()
+    m.update(data)
+    return m.hexdigest()
+
+
 def test_put_invalid_login(app):
     creds = base64.b64encode(b'a:wrongpass').decode('utf-8')
-    r = app.put('/asdf', data=b'123', headers={'Authorization': 'Basic ' + creds})
+    r = app.put('/' + get_key(b''), data=b'123', headers={'Authorization': 'Basic ' + creds})
     assert r.status_code == 401
     creds = base64.b64encode(b'qwe:pass').decode('utf-8')
-    r = app.put('/asdf', data=b'123', headers={'Authorization': 'Basic ' + creds})
+    r = app.put('/' + get_key(b''), data=b'123', headers={'Authorization': 'Basic ' + creds})
     assert r.status_code == 401
 
 
 def test_put_and_get_and_delete(app):
-    for data in (b"123", b"456"):
+    datalist = [b'1'*40, b'2'*40]
+    for data in datalist:
         creds = base64.b64encode(b'a:pass').decode('utf-8')
-        key = base64.b64encode(data).decode('utf-8')
-        r = app.put('/' + key, data=data, headers={'Authorization': 'Basic ' + creds})
+        r = app.put('/' + get_key(data), data=data, headers={'Authorization': 'Basic ' + creds})
         assert r.status_code == 200
 
-    for data in (b"123", b"456"):
-        key = base64.b64encode(data).decode('utf-8')
-        r = app.get('/' + key)
+    for data in datalist:
+        r = app.get('/' + get_key(data))
         assert r.status_code == 200
         assert r.get_data() == data
 
     r = app.delete('/a/', headers={'Authorization': 'Basic ' + creds})
     assert r.status_code == 200
 
-    for data in (b"123", b"456"):
-        key = base64.b64encode(data).decode('utf-8')
-        r = app.get('/' + key)
+    for data in datalist:
+        r = app.get('/' + get_key(data))
         assert r.status_code == 404
 
     r = app.delete('/a/', headers={'Authorization': 'Basic ' + creds})
@@ -56,13 +61,13 @@ def test_put_and_get_and_delete(app):
 def test_indicate_repetition(app):
     data = b"123"
     creds = base64.b64encode(b'a:pass').decode('utf-8')
-    r = app.put('/adsf', data=data, headers={'Authorization': 'Basic ' + creds})
-    r = app.put('/adsf', data=data, headers={'Authorization': 'Basic ' + creds})
+    r = app.put('/' + get_key(data), data=data, headers={'Authorization': 'Basic ' + creds})
+    r = app.put('/' + get_key(data), data=data, headers={'Authorization': 'Basic ' + creds})
     assert r.status_code == 202
 
 
 def test_signal_conflict_on_overwrite_attempt(app):
     creds = base64.b64encode(b'a:pass').decode('utf-8')
-    r = app.put('/adsf', data=b"123", headers={'Authorization': 'Basic ' + creds})
-    r = app.put('/adsf', data=b"234", headers={'Authorization': 'Basic ' + creds})
+    r = app.put('/' + get_key(b'123'), data=b"123", headers={'Authorization': 'Basic ' + creds})
+    r = app.put('/' + get_key(b'123'), data=b"234", headers={'Authorization': 'Basic ' + creds})
     assert r.status_code == 409