imports api: disallow non-array resources

There was a bug where we allowed non-array values within the top level "resources" key of the Import API payload. This caused an exception to be thrown later in the request lifecycle. This bug fix ensures any non-array values fail at the controller layer and return the appropriate error code (ie, 400 Bad Request).
simpledotorg · Feb 26, 2024 · 98c9a3c · 98c9a3c
1 parent 52aead5
commit 98c9a3c
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 5 deletions.
diff --git a/app/controllers/api/v4/imports_controller.rb b/app/controllers/api/v4/imports_controller.rb
@@ -2,11 +2,7 @@ class Api::V4::ImportsController < ApplicationController
   skip_before_action :verify_authenticity_token
   before_action :doorkeeper_authorize!
   before_action :validate_token_organization
-
-  rescue_from ActionController::ParameterMissing do |error|
-    log_failure(error)
-    render json: {error: "Unable to find key in payload: \"#{error.param}\""}, status: :bad_request
-  end
+  before_action :validate_resources_key, only: %i[import]
 
   def import
     return head :not_found unless Flipper.enabled?(:imports_api)
@@ -143,6 +139,21 @@ def validate_token_organization
     end
   end
 
+  def validate_resources_key
+    resources = params[:resources]
+    unless resources.present?
+      error_msg = 'Unable to find key in payload: "resources"'
+      log_failure(error_msg)
+      return render json: {error: error_msg}, status: :bad_request
+    end
+
+    unless resources.is_a?(Array)
+      error_msg = '"resources" must be an array'
+      log_failure(error_msg)
+      render json: {error: error_msg}, status: :bad_request
+    end
+  end
+
   def organization_id
     request.headers["HTTP_X_ORGANIZATION_ID"]
   end

diff --git a/spec/requests/api/imports/imports_request_spec.rb b/spec/requests/api/imports/imports_request_spec.rb
@@ -112,4 +112,38 @@
     )
     expect(response.status).to eq(400)
   end
+
+  it "fails to import payload with no resource key" do
+    allow(Rails.logger).to receive(:info)
+
+    put route,
+      params: [build_condition_import_resource.merge(subject: {identifier: patient_identifier.identifier})].to_json,
+      headers: headers
+
+    expect(Rails.logger).to have_received(:info).with(
+      hash_including(
+        msg: "import_api_error",
+        controller: "Api::V4::ImportsController",
+        action: "import",
+        organization_id: organization.id
+      )
+    )
+    expect(response.status).to eq(400)
+  end
+
+  it "fails to import payload with non-array resources" do
+    allow(Rails.logger).to receive(:info)
+
+    put route, params: {resources: {invalid: :type}}.to_json, headers: headers
+
+    expect(Rails.logger).to have_received(:info).with(
+      hash_including(
+        msg: "import_api_error",
+        controller: "Api::V4::ImportsController",
+        action: "import",
+        organization_id: organization.id
+      )
+    )
+    expect(response.status).to eq(400)
+  end
 end