
Validate channel identifiers as UUIDs

pull/211/head
Pēteris Caune 6 years ago
parent
commit
66bc5cd7c2
No known key found for this signature in database GPG Key ID: E28D7679E9A9EDE2
2 changed files with 17 additions and 0 deletions
  1. +11
    -0
      hc/api/tests/test_update_check.py
  2. +6
    -0
      hc/api/views.py

+ 11
- 0
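--- a/hc/api/tests/test_update_check.py
+++ b/hc/api/tests/test_update_check.py
@@ -152,6 +152,17 @@ class UpdateCheckTestCase(BaseTestCase):
 self.check.refresh_from_db()
 self.assertEqual(self.check.channel_set.count(), 0)
+def test_it_rejects_non_uuid_channel_code(self):
+r = self.post(self.check.code, {
+"api_key": "X" * 32,
+"channels": "foo"
+})
+self.assertEqual(r.status_code, 400)
+self.check.refresh_from_db()
+self.assertEqual(self.check.channel_set.count(), 0)
 def test_it_rejects_non_string_channels_key(self):
 r = self.post(self.check.code, {
 "api_key": "X" * 32,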
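Review bot: `test_it_rejects_non_uuid_channel_code` posts only the single malformed value `"foo"`, so the comma-separated path through the new validation is never exercised. A companion case that sends a real channel's code followed by `,foo` and asserts both `r.status_code == 400` and `self.check.channel_set.count() == 0` would pin down that one bad element rejects the whole request without a partial assignment. The test class continues outside this hunk, so such a case may already exist elsewhere in the file.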


+ 6
- 0
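--- a/hc/api/views.py
+++ b/hc/api/views.py
@@ -1,4 +1,5 @@
 from datetime import timedelta as td
+import uuid
 from django.conf import settings
 from django.core.exceptions import SuspiciousOperation
@@ -87,6 +88,11 @@ def _update(check, spec):
 else:
 channels = []
 for chunk in spec["channels"].split(","):
+try:
+chunk = uuid.UUID(chunk)
+except ValueError:
+raise SuspiciousOperation("Invalid channel identifier")
 try:
 channel = Channel.objects.get(code=chunk)
 channels.append(channel)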
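Review bot: The added `uuid.UUID(chunk)` check in `_update` validates only the format of each identifier, so the `Channel.objects.get(code=chunk)` lookup that follows still selects by code alone, and nothing visible in this hunk ties the channel to the owner of `check`. The rest of that `try` block lies outside the hunk, so an ownership test may already exist there; if it does not, a well-formed UUID belonging to a different account would be accepted and attached. I would add the owner to the lookup filter (or compare it after the fetch) and reject a mismatch with the same `SuspiciousOperation("Invalid channel identifier")`, so a foreign code is indistinguishable from a nonexistent one. A smaller point: `uuid.UUID()` also accepts braces, a `urn:uuid:` prefix and un-hyphenated hex, which is harmless here because only the parsed value reaches the query, but it deserves a comment such as `# uuid.UUID() normalises brace/urn:/no-hyphen forms; only the parsed value is used below`.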

