validate bulk body is parsable

2025-02-23 08:39:57 -05:00 · 2021-08-23 20:56:49 +02:00 · 2021-08-23 20:56:49 +02:00 · a60a0c845f
commit a60a0c845f
parent 0219faa020
2 changed files with 26 additions and 4 deletions
--- a/matweb/rest_api.py
+++ b/matweb/rest_api.py
@ -7,7 +7,7 @@ from uuid import uuid4

 from flask import after_this_request, send_from_directory, Blueprint, current_app
 from flask_restful import Resource, reqparse, abort, request, url_for, Api
-from cerberus import Validator
+from cerberus import Validator, DocumentError
 from werkzeug.datastructures import FileStorage
 from flasgger import swag_from

@ -157,9 +157,13 @@ class APIBulkDownloadCreator(Resource):
        if not data:
            abort(400, message="Post Body Required")
            current_app.logger.error('BulkDownload -  Missing Post Body')
-        if not self.v.validate(data):
-            current_app.logger.error('BulkDownload -  Missing Post Body: %s', str(self.v.errors))
-            abort(400, message=self.v.errors)
+        try:
+            if not self.v.validate(data):
+                current_app.logger.error('BulkDownload -  Missing Post Body: %s', str(self.v.errors))
+                abort(400, message=self.v.errors)
+        except DocumentError as e:
+            abort(400, message="Invalid Post Body")
+            current_app.logger.error('BulkDownload -  Invalid Post Body: %s', str(e))
        # prevent the zip file from being overwritten
        zip_filename = 'files.' + str(uuid4()) + '.zip'
        zip_path = os.path.join(current_app.config['UPLOAD_FOLDER'], zip_filename)
--- a/test/test_api.py
+++ b/test/test_api.py
@ -413,6 +413,24 @@ class Mat2APITestCase(unittest.TestCase):
        request = app.get(download_link)
        self.assertEqual(code, request.status_code)

+    def test_download_naughty_input(self):
+        request = self.app.get(
+            '/api/download/%F2%8C%BF%BD%F1%AE%98%A3%E4%B7%B8%F2%9B%94%BE%F2%A7%8B%83%F1%B1%80%9F%F3%AA%89%A6/1p/str'
+        )
+        error_message = request.get_json()['message']
+        self.assertEqual(404, request.status_code)
+        self.assertEqual("File not found", error_message)
+
+    def test_download_bulk_naughty_input(self):
+        request = self.app.post(
+            '/api/download/bulk',
+            data='\"\'\'\'&type %SYSTEMROOT%\\\\win.ini\"',
+            headers={'content-type': 'application/json'}
+        )
+        error_message = request.get_json()['message']
+        self.assertEqual(400, request.status_code)
+        self.assertEqual("Invalid Post Body", error_message)
+
    def test_upload_naughty_input(self):
        request = self.app.post('/api/upload',
                           data='{"file_name": "\\\\", '