Validate channel identifiers as UUIDs

2018-11-10 11:42:31 +02:00 · 2018-11-10 11:42:31 +02:00 · 66bc5cd7c2
commit 66bc5cd7c2
parent d064112c16
2 changed files with 17 additions and 0 deletions
--- a/hc/api/tests/test_update_check.py
+++ b/hc/api/tests/test_update_check.py
@ -152,6 +152,17 @@ class UpdateCheckTestCase(BaseTestCase):
        self.check.refresh_from_db()
        self.assertEqual(self.check.channel_set.count(), 0)

+    def test_it_rejects_non_uuid_channel_code(self):
+        r = self.post(self.check.code, {
+            "api_key": "X" * 32,
+            "channels": "foo"
+        })
+
+        self.assertEqual(r.status_code, 400)
+
+        self.check.refresh_from_db()
+        self.assertEqual(self.check.channel_set.count(), 0)
+
    def test_it_rejects_non_string_channels_key(self):
        r = self.post(self.check.code, {
            "api_key": "X" * 32,
--- a/hc/api/views.py
+++ b/hc/api/views.py
@ -1,4 +1,5 @@
 from datetime import timedelta as td
+import uuid

 from django.conf import settings
 from django.core.exceptions import SuspiciousOperation
@ -87,6 +88,11 @@ def _update(check, spec):
        else:
            channels = []
            for chunk in spec["channels"].split(","):
+                try:
+                    chunk = uuid.UUID(chunk)
+                except ValueError:
+                    raise SuspiciousOperation("Invalid channel identifier")
+
                try:
                    channel = Channel.objects.get(code=chunk)
                    channels.append(channel)