Reject non json formats
philippthun committed Mar 21, 2023
1 parent bf62b72 commit ca2d63d
Showing 2 changed files with 27 additions and 3 deletions.
19 changes: 19 additions & 0 deletions app/controllers/v3/application_controller.rb
Expand Up @@ -68,6 +68,7 @@ class ApplicationController < ActionController::Base
before_action :check_write_permissions!, if: :enforce_write_scope?
before_action :hashify_params
before_action :null_coalesce_body
before_action :validate_content_type!

rescue_from CloudController::Blobstore::BlobstoreError, with: :handle_blobstore_error
rescue_from CloudController::Errors::NotAuthenticated, with: :handle_not_authenticated
Expand Down Expand Up @@ -223,6 +224,24 @@ def null_coalesce_body
hashed_params[:body] ||= {}
end

def validate_content_type!
unless request_content_type_is_json?
logger.error("Content-type isn't json: #{request.content_type}")
bad_request!('Content-Type must be json')
end
unless requested_format_is_json_or_none?
bad_request!('Requested format must be json or none')
end
end

def request_content_type_is_json?
Mime::Type.lookup(request.content_type) == :json
end

def requested_format_is_json_or_none?
!hashed_params.include?(:format) || hashed_params[:format] == 'json'
end

def membership
@membership ||= Membership.new(current_user)
end
Expand Down
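Review bot: `request_content_type_is_json?` has no guard for requests that carry no body: `request.content_type` is nil for a typical GET/DELETE/HEAD, `Mime::Type.lookup(nil)` does not compare equal to `:json`, and because the check is now a `before_action` on `ApplicationController` every such request would be answered with 400 unless something upstream guarantees a Content-Type on every request. A guard such as `return if request.content_type.blank?` at the top of `validate_content_type!` keeps the intent of the commit while leaving bodiless requests alone. Depending on the Rails version, `request.content_type` may also return the raw header including a `; charset=` parameter, which `Mime::Type.lookup` will not map to `:json`; `request.content_mime_type == :json` compares the parsed type instead. The error-level log line prints the attacker-controlled header verbatim; `request.content_type.inspect` escapes control characters so a crafted header cannot inject extra log lines.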
11 changes: 8 additions & 3 deletions app/controllers/v3/space_manifests_controller.rb
Expand Up @@ -8,8 +8,6 @@
class SpaceManifestsController < ApplicationController
wrap_parameters :body, format: [:yaml]

before_action :validate_content_type!

def apply_manifest
space = Space.find(guid: hashed_params[:guid])
space_not_found! unless space && permission_queryer.can_read_from_space?(space.id, space.organization_id)
Expand Down Expand Up @@ -86,16 +84,23 @@ def compound_error!(error_messages)
end

def validate_content_type!
if !request_content_type_is_yaml?
unless request_content_type_is_yaml?
logger.error("Content-type isn't yaml: #{request.content_type}")
bad_request!('Content-Type must be yaml')
end
unless requested_format_is_yaml_or_none?
bad_request!('Requested format must be yaml or none')
end
end

def request_content_type_is_yaml?
Mime::Type.lookup(request.content_type) == :yaml
end

def requested_format_is_yaml_or_none?
!hashed_params.include?(:format) || %w[yaml yml].include?(hashed_params[:format])
end

def check_version_is_supported!
version = parsed_yaml['version']
raise unprocessable!('Unsupported manifest schema version. Currently supported versions: [1].') unless !version || version == 1
Expand Down
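Review bot: `validate_content_type!` in this controller now silently overrides the method that `ApplicationController` runs as a `before_action`, and nothing at the definition says so; a reader of this file alone cannot tell why the local `before_action` line was removed or that the JSON check is deliberately replaced rather than added to. A one-line comment above the method, `# Overrides ApplicationController#validate_content_type! (run by its before_action): manifests are YAML, not JSON.`, records that dependency. As in the base class, the error-level log prints the raw client header; `request.content_type.inspect` avoids log-line injection from a crafted value.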
