swarm/api: Fix #18007, missing signature should return HTTP 400 (#18008)

Javier Peletier 2018-11-07 14:49:42 +01:00 committed by Anton Evangelatov
parent b35165555d
commit 36ca85fa1c
2 changed files with 38 additions and 6 deletions


@ -484,7 +484,8 @@ func (s *Server) HandlePostFeed(w http.ResponseWriter, r *http.Request) {
return
}
if updateRequest.IsUpdate() {
switch {
case updateRequest.IsUpdate():
// Verify that the signature is intact and that the signer is authorized
// to update this feed
// Check this early, to avoid creating a feed and then not being able to set its first update.
@ -497,9 +498,8 @@ func (s *Server) HandlePostFeed(w http.ResponseWriter, r *http.Request) {
respondError(w, r, err.Error(), http.StatusInternalServerError)
return
}
}
if query.Get("manifest") == "1" {
fallthrough
case query.Get("manifest") == "1":
// we create a manifest so we can retrieve feed updates with bzz:// later
// this manifest has a special "feed type" manifest, and saves the
// feed identification used to retrieve feed updates later
@ -519,6 +519,8 @@ func (s *Server) HandlePostFeed(w http.ResponseWriter, r *http.Request) {
fmt.Fprint(w, string(outdata))
w.Header().Add("Content-type", "application/json")
default:
respondError(w, r, "Missing signature in feed update request", http.StatusBadRequest)
}
}
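Review bot: The `fallthrough` that ends the `updateRequest.IsUpdate()` case enters the manifest case body without evaluating `query.Get("manifest") == "1"`, so every successful signed update now also runs the manifest-creation branch; before this change the two were independent `if` statements. If that is not intended, put `if query.Get("manifest") != "1" { break }` immediately before `fallthrough`. Separately, in the manifest branch `w.Header().Add("Content-type", "application/json")` comes after `fmt.Fprint(w, string(outdata))`, by which point the headers have already been sent, so the content type is never applied; it should be set before the write. Parts of both case bodies lie between the visible hunks, so this reading should be checked against the full function.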


@ -333,15 +333,45 @@ func TestBzzFeed(t *testing.T) {
}
urlQuery = testUrl.Query()
body = updateRequest.AppendValues(urlQuery) // this adds all query parameters
goodQueryParameters := urlQuery.Encode() // save the query parameters for a second attempt
// create bad query parameters in which the signature is missing
urlQuery.Del("signature")
testUrl.RawQuery = urlQuery.Encode()
// 1st attempt with bad query parameters in which the signature is missing
resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body))
if err != nil {
t.Fatal(err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
t.Fatalf("Update returned %s", resp.Status)
expectedCode := http.StatusBadRequest
if resp.StatusCode != expectedCode {
t.Fatalf("Update returned %s. Expected %d", resp.Status, expectedCode)
}
// 2nd attempt with bad query parameters in which the signature is of incorrect length
urlQuery.Set("signature", "0xabcd") // should be 130 hex chars
resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body))
if err != nil {
t.Fatal(err)
}
defer resp.Body.Close()
expectedCode = http.StatusBadRequest
if resp.StatusCode != expectedCode {
t.Fatalf("Update returned %s. Expected %d", resp.Status, expectedCode)
}
// 3rd attempt, with good query parameters:
testUrl.RawQuery = goodQueryParameters
resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body))
if err != nil {
t.Fatal(err)
}
defer resp.Body.Close()
expectedCode = http.StatusOK
if resp.StatusCode != expectedCode {
t.Fatalf("Update returned %s. Expected %d", resp.Status, expectedCode)
}
// get latest update through bzz-feed directly
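Review bot: The 2nd attempt never sends the truncated signature, because `urlQuery.Set("signature", "0xabcd")` only changes the `url.Values` copy and `testUrl.RawQuery` is not re-encoded before the POST. The request therefore repeats the 1st attempt's URL with no signature, and the malformed-signature rejection path is not exercised even though the test passes. Add `testUrl.RawQuery = urlQuery.Encode()` right after the `Set` call, and consider asserting the status that path really returns, since the handler hunk shows more than one error code. The three `defer resp.Body.Close()` calls also reassign `resp` in between; closing each body right after its status check would be tidier. TestBzzFeed starts and ends outside this hunk.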