From 55d6471156db6a3ffe974e61934fac8b3d241e78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C4=93teris=20Caune?= <cuu508@gmail.com>
Date: Thu, 15 Feb 2018 13:16:13 +0200
Subject: [PATCH] Validate HTTP header names in the "Add Webhook" form.

---
 hc/front/forms.py                       | 25 ++++++++++---
 hc/front/tests/test_add_webhook.py      | 19 +++++++++-
 static/css/add_webhook.css              |  4 ++
 templates/base.html                     |  1 +
 templates/integrations/add_webhook.html | 50 +++++++++++++------------
 5 files changed, 69 insertions(+), 30 deletions(-)
 create mode 100644 static/css/add_webhook.css

diff --git a/hc/front/forms.py b/hc/front/forms.py
index 554ec5ee..ad9ba9d0 100644
--- a/hc/front/forms.py
+++ b/hc/front/forms.py
@@ -1,5 +1,6 @@
-import json
 from datetime import timedelta as td
+import json
+import re
 
 from django import forms
 from django.core.validators import RegexValidator
@@ -55,28 +56,42 @@ class AddUrlForm(forms.Form):
     value = forms.URLField(max_length=1000, validators=[WebhookValidator()])
 
 
+_valid_header_name = re.compile(r'\A[^:\s][^:\r\n]*\Z').match
+
+
 class AddWebhookForm(forms.Form):
     error_css_class = "has-error"
 
     url_down = forms.URLField(max_length=1000, required=False,
-                                validators=[WebhookValidator()])
+                              validators=[WebhookValidator()])
 
     url_up = forms.URLField(max_length=1000, required=False,
-                              validators=[WebhookValidator()])
+                            validators=[WebhookValidator()])
 
     post_data = forms.CharField(max_length=1000, required=False)
 
     def __init__(self, *args, **kwargs):
         super(AddWebhookForm, self).__init__(*args, **kwargs)
 
+        self.invalid_header_names = set()
         self.headers = {}
         if "header_key[]" in self.data and "header_value[]" in self.data:
             keys = self.data.getlist("header_key[]")
             values = self.data.getlist("header_value[]")
             for key, value in zip(keys, values):
-                if key:
-                    self.headers[key] = value
+                if not key:
+                    continue
+
+                if not _valid_header_name(key):
+                    self.invalid_header_names.add(key)
+
+                self.headers[key] = value
+
+    def clean(self):
+        if self.invalid_header_names:
+            raise forms.ValidationError("Invalid header names")
 
+        return self.cleaned_data
 
     def get_value(self):
         val = dict(self.cleaned_data)
diff --git a/hc/front/tests/test_add_webhook.py b/hc/front/tests/test_add_webhook.py
index 744f5686..763cf642 100644
--- a/hc/front/tests/test_add_webhook.py
+++ b/hc/front/tests/test_add_webhook.py
@@ -72,12 +72,27 @@ class AddWebhookTestCase(BaseTestCase):
         self.assertEqual(c.value, '{"headers": {}, "post_data": "hello", "url_down": "http://foo.com", "url_up": ""}')
 
     def test_it_adds_headers(self):
-        form = {"url_down": "http://foo.com", "header_key[]": ["test", "test2"], "header_value[]": ["123", "abc"]}
+        form = {
+            "url_down": "http://foo.com",
+            "header_key[]": ["test", "test2"],
+            "header_value[]": ["123", "abc"]
+        }
 
         self.client.login(username="alice@example.org", password="password")
         r = self.client.post(self.url, form)
         self.assertRedirects(r, "/integrations/")
 
         c = Channel.objects.get()
-        self.assertEqual(c.value, '{"headers": {"test": "123", "test2": "abc"}, "post_data": "", "url_down": "http://foo.com", "url_up": ""}')
+        self.assertEqual(c.headers, {"test": "123", "test2": "abc"})
 
+    def test_it_rejects_bad_header_names(self):
+        self.client.login(username="alice@example.org", password="password")
+        form = {
+            "url_down": "http://example.org",
+            "header_key[]": ["ill:egal"],
+            "header_value[]": ["123"]
+        }
+
+        r = self.client.post(self.url, form)
+        self.assertContains(r, "Please use valid HTTP header names.")
+        self.assertEqual(Channel.objects.count(), 0)
diff --git a/static/css/add_webhook.css b/static/css/add_webhook.css
new file mode 100644
index 00000000..16b00681
--- /dev/null
+++ b/static/css/add_webhook.css
@@ -0,0 +1,4 @@
+.webhook-header .error {
+    border-color: #a94442;
+}
+
diff --git a/templates/base.html b/templates/base.html
index f6b2bec9..4d9cf4e9 100644
--- a/templates/base.html
+++ b/templates/base.html
@@ -34,6 +34,7 @@
     <link rel="stylesheet" href="{% static 'css/channel_checks.css' %}" type="text/css">
     <link rel="stylesheet" href="{% static 'css/log.css' %}" type="text/css">
     <link rel="stylesheet" href="{% static 'css/add_pushover.css' %}" type="text/css">
+    <link rel="stylesheet" href="{% static 'css/add_webhook.css' %}" type="text/css">
     <link rel="stylesheet" href="{% static 'css/settings.css' %}" type="text/css">
     <link rel="stylesheet" href="{% static 'css/last_ping.css' %}" type="text/css">
     <link rel="stylesheet" href="{% static 'css/profile.css' %}" type="text/css">
diff --git a/templates/integrations/add_webhook.html b/templates/integrations/add_webhook.html
index 6e952ad8..e4bcb12b 100644
--- a/templates/integrations/add_webhook.html
+++ b/templates/integrations/add_webhook.html
@@ -105,32 +105,36 @@
                 {% endif %}
             </div>
         </div>
-        <div class="form-group {{ form.headers.css_classes }}">
+        <div class="form-group">
             <label class="col-sm-2 control-label">Request Headers</label>
-            <div id="webhook-headers" class="col-xs-12 col-sm-10">
-                {% for k, v in form.headers.items %}
-                <div class="form-inline webhook-header">
-                    <input
-                        type="text"
-                        class="form-control key"
-                        name="header_key[]"
-                        placeholder="Content-Type"
-                        value="{{ k }}" />
-                    <input
-                        type="text"
-                        class="form-control value"
-                        name="header_value[]"
-                        placeholder="application/json"
-                        value="{{ v }}" />
-                        <button class="btn btn-default" type="button">
-                            <span class="icon-delete"></span>
-                        </button>
+            <div class="col-xs-12 col-sm-10">
+                <div id="webhook-headers">
+                    {% for k, v in form.headers.items %}
+                    <div class="form-inline webhook-header">
+                        <input
+                            type="text"
+                            class="form-control key {% if k in form.invalid_header_names %}error{% endif %}"
+                            name="header_key[]"
+                            placeholder="Content-Type"
+                            value="{{ k }}" />
+                        <input
+                            type="text"
+                            class="form-control value"
+                            name="header_value[]"
+                            placeholder="application/json"
+                            value="{{ v }}" />
+                            <button class="btn btn-default" type="button">
+                                <span class="icon-delete"></span>
+                            </button>
+                    </div>
+                    {% endfor %}
                 </div>
-                {% endfor %}
-            </div>
-            <div class="text-center">
+                {% if form.invalid_header_names %}
+                <div class="text-danger">
+                    Please use valid HTTP header names.
+                </div>
+                {% endif %}
             </div>
-
         </div>
         <div class="form-group">
             <div class="col-sm-offset-2 col-sm-10">