harmacist/healthchecks
1
0
Fork 0
forked from GithubBackups/healthchecks
Code Issues Pull Requests Projects Releases Wiki Activity

Validate channel identifiers as UUIDs

Browse Source
This commit is contained in:
Pēteris Caune 2018-11-10 11:42:31 +02:00
parent d064112c16
commit 66bc5cd7c2
No known key found for this signature in database
GPG Key ID: E28D7679E9A9EDE2
2 changed files with 17 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
hc/api/tests/test_update_check.py
View File

@ -152,6 +152,17 @@ class UpdateCheckTestCase(BaseTestCase):
self.check.refresh_from_db() self.check.refresh_from_db()
self.assertEqual(self.check.channel_set.count(), 0) self.assertEqual(self.check.channel_set.count(), 0)
def test_it_rejects_non_uuid_channel_code(self):
r = self.post(self.check.code, {
"api_key": "X" * 32,
"channels": "foo"
})
self.assertEqual(r.status_code, 400)
self.check.refresh_from_db()
self.assertEqual(self.check.channel_set.count(), 0)
def test_it_rejects_non_string_channels_key(self): def test_it_rejects_non_string_channels_key(self):
r = self.post(self.check.code, { r = self.post(self.check.code, {
"api_key": "X" * 32, "api_key": "X" * 32,

6
hc/api/views.py
View File

@ -1,4 +1,5 @@
from datetime import timedelta as td from datetime import timedelta as td
import uuid
from django.conf import settings from django.conf import settings
from django.core.exceptions import SuspiciousOperation from django.core.exceptions import SuspiciousOperation
@ -87,6 +88,11 @@ def _update(check, spec):
else: else:
channels = [] channels = []
for chunk in spec["channels"].split(","): for chunk in spec["channels"].split(","):
try:
chunk = uuid.UUID(chunk)
except ValueError:
raise SuspiciousOperation("Invalid channel identifier")
try: try:
channel = Channel.objects.get(code=chunk) channel = Channel.objects.get(code=chunk)
channels.append(channel) channels.append(channel)