Harden scheme request body parsing
This commit is contained in:
parent
683fe8f85e
commit
46fd29c714
2 changed files with 46 additions and 0 deletions
@ -2,6 +2,7 @@ package display
|
|||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"html"
|
||||
"net/url"
|
||||
"sort"
|
||||
|
|
@ -16,6 +17,8 @@ import (
|
|||
|
||||
type SchemeHandler func(context.Context, string, url.Values) core.Result
|
||||
|
||||
const maxSchemeRequestBodyBytes = 1 << 20
|
||||
|
||||
type assetMiddlewareHandler struct {
|
||||
next application.Handler
|
||||
service *Service
|
||||
|
|
@ -365,6 +368,16 @@ func (s *Service) ResolveSchemeRequest(ctx context.Context, rawURL, method strin
|
|||
if strings.TrimSpace(rawURL) == "" {
|
||||
return core.Result{Value: coreerr.E("display.ResolveScheme", "scheme URL is required", nil), OK: false}
|
||||
}
|
||||
if len(body) > maxSchemeRequestBodyBytes {
|
||||
return core.Result{
|
||||
Value: coreerr.E(
|
||||
"display.ResolveScheme",
|
||||
fmt.Sprintf("request body exceeds %d bytes", maxSchemeRequestBodyBytes),
|
||||
nil,
|
||||
),
|
||||
OK: false,
|
||||
}
|
||||
}
|
||||
parsed, err := url.Parse(rawURL)
|
||||
if err != nil {
|
||||
return core.Result{Value: err, OK: false}
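Review bot: The new guard `if len(body) > maxSchemeRequestBodyBytes` rejects a body that has already been fully materialised as a `[]byte` (the tests at the call site pass `[]byte(...)`), so it bounds what the parser will touch but not what an untrusted caller can make the process allocate before this function is reached; for this to count as hardening, whatever reads the request into `body` has to apply the same bound at read time (e.g. `http.MaxBytesReader` or `io.LimitReader` sized with this constant), and I cannot see that read path from this diff. That dependency should be stated where the constant is declared: `// maxSchemeRequestBodyBytes caps the body ResolveSchemeRequest will parse; the caller must bound the read itself.` The rejection message embeds the limit value, which is acceptable for a client-facing error but worth keeping in mind if this surface is reachable unauthenticated. ResolveSchemeRequest's signature sits on the hunk header line and its body continues past the end of the hunk.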
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@ package display
|
|||
import (
|
||||
"context"
|
||||
"net/url"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
core "dappco.re/go/core"
|
||||
|
|
@ -155,6 +156,38 @@ func TestScheme_ResolveScheme_Bad(t *testing.T) {
|
|||
require.False(t, noHandlerResult.OK)
|
||||
}
|
||||
|
||||
func TestScheme_ResolveSchemeRequest_BodyQuery_Good(t *testing.T) {
|
||||
svc, _ := newTestDisplayService(t)
|
||||
svc.registerDefaultSchemes()
|
||||
|
||||
result := svc.ResolveSchemeRequest(
|
||||
context.Background(),
|
||||
"core://store",
|
||||
"POST",
|
||||
map[string][]string{"Content-Type": {"application/x-www-form-urlencoded"}},
|
||||
[]byte("q=theme"),
|
||||
)
|
||||
require.True(t, result.OK)
|
||||
payload := result.Value.(map[string]any)
|
||||
assert.Equal(t, "store", payload["route"])
|
||||
assert.Contains(t, payload["body"].(string), "Search the in-memory storage scopes")
|
||||
}
|
||||
|
||||
func TestScheme_ResolveSchemeRequest_BodyQuery_Bad(t *testing.T) {
|
||||
svc, _ := newTestDisplayService(t)
|
||||
svc.registerDefaultSchemes()
|
||||
|
||||
result := svc.ResolveSchemeRequest(
|
||||
context.Background(),
|
||||
"core://store",
|
||||
"POST",
|
||||
nil,
|
||||
[]byte(strings.Repeat("a", maxSchemeRequestBodyBytes+1)),
|
||||
)
|
||||
require.False(t, result.OK)
|
||||
assert.Contains(t, result.Value.(error).Error(), "request body exceeds")
|
||||
}
|
||||
|
||||
func TestScheme_ResolveScheme_Ugly(t *testing.T) {
|
||||
svc, _ := newTestDisplayService(t)
|
||||
svc.registerDefaultSchemes()
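Review bot: The Bad case only exercises `maxSchemeRequestBodyBytes+1` with `nil` headers, so there is no boundary coverage: nothing proves a body of exactly `maxSchemeRequestBodyBytes` passes the guard, and nothing proves the limit still fires when a form `Content-Type` is present (the path the Good case takes). Since the guard is the whole point of the commit, an at-the-limit case with the same headers as the Good test would pin both edges of the off-by-one. Separately, `payload["body"].(string)` in the Good test is an unchecked type assertion that panics instead of failing cleanly if the payload shape changes; `body, ok := payload["body"].(string); require.True(t, ok)` keeps the failure readable. The Ugly test that begins at the bottom of the hunk continues outside it.
```go
func TestScheme_ResolveSchemeRequest_BodyLimit_Boundary(t *testing.T) {
	svc, _ := newTestDisplayService(t)
	svc.registerDefaultSchemes()

	// Exactly at the limit must not trip the size guard; only the
	// over-by-one case in the _Bad test should.
	result := svc.ResolveSchemeRequest(
		context.Background(),
		"core://store",
		"POST",
		map[string][]string{"Content-Type": {"application/x-www-form-urlencoded"}},
		[]byte("q="+strings.Repeat("a", maxSchemeRequestBodyBytes-2)),
	)
	if err, ok := result.Value.(error); ok {
		assert.NotContains(t, err.Error(), "request body exceeds")
	}
}
```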
|
||||
|
|
|
|||