swarm/api: Fix #18007, missing signature should return HTTP 400 (#18008)

Javier Peletier 2018-11-07 14:49:42 +01:00 committed by Anton Evangelatov
parent b35165555d
commit 36ca85fa1c
2 changed files with 38 additions and 6 deletions


@ -484,7 +484,8 @@ func (s *Server) HandlePostFeed(w http.ResponseWriter, r *http.Request) {
return return
} }
if updateRequest.IsUpdate() { switch {
case updateRequest.IsUpdate():
// Verify that the signature is intact and that the signer is authorized // Verify that the signature is intact and that the signer is authorized
// to update this feed // to update this feed
// Check this early, to avoid creating a feed and then not being able to set its first update. // Check this early, to avoid creating a feed and then not being able to set its first update.
@ -497,9 +498,8 @@ func (s *Server) HandlePostFeed(w http.ResponseWriter, r *http.Request) {
respondError(w, r, err.Error(), http.StatusInternalServerError) respondError(w, r, err.Error(), http.StatusInternalServerError)
return return
} }
} fallthrough
case query.Get("manifest") == "1":
if query.Get("manifest") == "1" {
// we create a manifest so we can retrieve feed updates with bzz:// later // we create a manifest so we can retrieve feed updates with bzz:// later
// this manifest has a special "feed type" manifest, and saves the // this manifest has a special "feed type" manifest, and saves the
// feed identification used to retrieve feed updates later // feed identification used to retrieve feed updates later
@ -519,6 +519,8 @@ func (s *Server) HandlePostFeed(w http.ResponseWriter, r *http.Request) {
fmt.Fprint(w, string(outdata)) fmt.Fprint(w, string(outdata))
w.Header().Add("Content-type", "application/json") w.Header().Add("Content-type", "application/json")
default:
respondError(w, r, "Missing signature in feed update request", http.StatusBadRequest)
} }
} }
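Review bot: The `fallthrough` that closes the `case updateRequest.IsUpdate():` branch enters the manifest branch unconditionally, because Go's `fallthrough` does not evaluate the next case expression. Before this change the manifest was built only when `query.Get("manifest") == "1"`; with the switch, every successful signed update appears to also create a manifest and write its JSON to the response, even when the caller did not ask for one. If that is not intended, keep the two original `if` blocks and add the rejection as a guard in front of them, `if !updateRequest.IsUpdate() && query.Get("manifest") != "1" { respondError(w, r, "Missing signature in feed update request", http.StatusBadRequest); return }`. The lines between the hunks are not shown, so this reading assumes nothing there returns before the `fallthrough` on the success path.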


@ -333,15 +333,45 @@ func TestBzzFeed(t *testing.T) {
} }
urlQuery = testUrl.Query() urlQuery = testUrl.Query()
body = updateRequest.AppendValues(urlQuery) // this adds all query parameters body = updateRequest.AppendValues(urlQuery) // this adds all query parameters
goodQueryParameters := urlQuery.Encode() // save the query parameters for a second attempt
// create bad query parameters in which the signature is missing
urlQuery.Del("signature")
testUrl.RawQuery = urlQuery.Encode() testUrl.RawQuery = urlQuery.Encode()
// 1st attempt with bad query parameters in which the signature is missing
resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body)) resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body))
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
defer resp.Body.Close() defer resp.Body.Close()
if resp.StatusCode != http.StatusOK { expectedCode := http.StatusBadRequest
t.Fatalf("Update returned %s", resp.Status) if resp.StatusCode != expectedCode {
t.Fatalf("Update returned %s. Expected %d", resp.Status, expectedCode)
}
// 2nd attempt with bad query parameters in which the signature is of incorrect length
urlQuery.Set("signature", "0xabcd") // should be 130 hex chars
resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body))
if err != nil {
t.Fatal(err)
}
defer resp.Body.Close()
expectedCode = http.StatusBadRequest
if resp.StatusCode != expectedCode {
t.Fatalf("Update returned %s. Expected %d", resp.Status, expectedCode)
}
// 3rd attempt, with good query parameters:
testUrl.RawQuery = goodQueryParameters
resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body))
if err != nil {
t.Fatal(err)
}
defer resp.Body.Close()
expectedCode = http.StatusOK
if resp.StatusCode != expectedCode {
t.Fatalf("Update returned %s. Expected %d", resp.Status, expectedCode)
} }
// get latest update through bzz-feed directly // get latest update through bzz-feed directly
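Review bot: The 2nd attempt never sends the short signature: `urlQuery.Set("signature", "0xabcd")` changes `urlQuery`, but `testUrl.RawQuery` still holds the encoding produced after `urlQuery.Del("signature")`, so the request repeats the missing-signature case. Add `testUrl.RawQuery = urlQuery.Encode()` right after the `Set` so that the malformed-signature path is the one asserted to return 400; as written, the server's handling of a wrong-length signature is not exercised. The three `defer resp.Body.Close()` calls all run only when TestBzzFeed returns, and that function starts and ends outside this hunk; closing each body right after its status check would release the connections sooner.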