Commit 113c2799 authored by Caleb Bron's avatar Caleb Bron Committed by Craig Jellick

dont limit protocol

parent 749f6da0
Showing with 8 additions and 70 deletions
+8 -70
package catalog
import (
"fmt"
"net/http"
"net/url"
"regexp"
"strings"
"github.com/pkg/errors"
"github.com/rancher/norman/httperror"
"github.com/rancher/norman/types"
)
......@@ -20,11 +16,7 @@ var (
func Validator(request *types.APIContext, schema *types.Schema, data map[string]interface{}) error {
url, ok := data["url"].(string)
if ok && len(url) > 0 {
sanitizedURL, err := validateURL(url)
if err != nil {
return httperror.NewAPIError(httperror.InvalidBodyContent, fmt.Sprintf("%v", err))
}
data["url"] = sanitizedURL
data["url"] = sanitizeURL(url)
return nil
} else if request.Method == http.MethodPost {
return httperror.NewAPIError(httperror.MissingRequired, "Catalog URL not specified")
......@@ -32,18 +24,10 @@ func Validator(request *types.APIContext, schema *types.Schema, data map[string]
return nil
}
func validateURL(pathURL string) (string, error) {
func sanitizeURL(pathURL string) string {
// Remove inline control character
pathURL = controlChars.ReplaceAllString(pathURL, "")
// Remove control characters that have been urlencoded such as %0d, %1B
pathURL = controlEncoded.ReplaceAllString(pathURL, "")
// Validate scheme
parsedURL, err := url.Parse(pathURL)
if err != nil {
return "", err
}
if !strings.HasPrefix(parsedURL.Scheme, "http") {
return "", errors.Errorf("unsupported protocol scheme '%s'", parsedURL.Scheme)
}
return parsedURL.String(), nil
return pathURL
}
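Review bot: Dropping the block after `// Validate scheme` means sanitizeURL now passes through any scheme at all — `file://`, `data:`, a scheme-less string — and no longer parses the value, so a malformed URL is only caught downstream, if at all. The commit title says the goal is to stop limiting to http(s) so `git://` works; a small allowlist keeps that while still rejecting local-file and unparseable inputs before they are stored. Whether a `file://` catalog URL actually lets a caller read the server's filesystem depends on what later consumes `data["url"]`, which is outside this hunk, so confirm that before relying on the fetcher to refuse it; note also that `url.Parse` yields an empty scheme for scp-style `git@host:path`, which both the old check and this allowlist reject, so that form needs its own case if it must be accepted. Validator (L21) is cut across both hunks; with the version below it would go back to `sanitizedURL, err := sanitizeURL(url)` and the InvalidBodyContent return this commit removed, and the dropped `fmt`, `net/url` and `strings` imports come back.
```go
// allowedSchemes lists the schemes a catalog may be fetched from; anything
// else (file, data, a bare path with no scheme) is rejected before storage.
var allowedSchemes = map[string]bool{"http": true, "https": true, "git": true, "ssh": true}

func sanitizeURL(pathURL string) (string, error) {
	// … unchanged: control-character stripping …
	parsedURL, err := url.Parse(pathURL)
	if err != nil {
		return "", err
	}
	if !allowedSchemes[strings.ToLower(parsedURL.Scheme)] {
		return "", fmt.Errorf("unsupported protocol scheme '%s'", parsedURL.Scheme)
	}
	return pathURL, nil
}
```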
......@@ -14,42 +14,32 @@ func TestValidateURL(t *testing.T) {
name string
pathURL string
want string
wantErr bool
}{
{
name: "Remove control characters",
pathURL: "http://example.com/1\r2\n345\b67\t",
want: "http://example.com/1234567",
wantErr: false,
},
{
name: "Remove urlEncoded control characters",
pathURL: "https://example.com/12%003%1F45%0A%0a6",
want: "https://example.com/123456",
wantErr: false,
},
{
name: "Remove all control characters, allow uppercase scheme",
pathURL: "HTTPS://www.example%0D.com/Hello\r\nWorld",
pathURL: "https://www.example%0D.com/Hello\r\nWorld",
want: "https://www.example.com/HelloWorld",
wantErr: false,
},
{
name: "Error on wrong protocol",
name: "Allow git protocol",
pathURL: "git://www.example.com",
want: "",
wantErr: true,
want: "git://www.example.com",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := validateURL(tt.pathURL)
if tt.wantErr {
assert.NotNil(t, err)
} else {
assert.Equal(t, got, tt.want)
}
got := sanitizeURL(tt.pathURL)
assert.Equal(t, got, tt.want)
})
}
}
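Review bot: The case added at `name: "Allow git protocol"` only shows that sanitizeURL passes the string through; nothing now pins what a scheme-less or `file://` input does, so a later reinstated scheme check (or an accidental one) has no test to catch a regression. Add a case such as `{name: "File scheme", pathURL: "file:///etc/passwd", want: <decided value>}` once the intended behaviour for that input is settled. The test function is still named `TestValidateURL` (its header is above this hunk) while the function under test is now `sanitizeURL`; renaming it `TestSanitizeURL` keeps `go test -run` targeting and failure output meaningful.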
import pytest
from rancher import ApiError
from .common import wait_for_template_to_be_created, \
wait_for_template_to_be_deleted, random_str
......@@ -25,40 +23,6 @@ def test_catalog(admin_mc):
wait_for_template_to_be_deleted(client, name2)
def test_invalid_catalog(admin_mc, remove_resource):
client = admin_mc.client
name = random_str()
bad_url = "git://github.com/StrongMonkey/charts-1.git"
# POST: Bad URL
with pytest.raises(ApiError) as e:
catalog = client.create_catalog(name=name,
branch="test",
url=bad_url,
)
remove_resource(catalog)
assert e.value.error.status == 422
# POST: No URL
with pytest.raises(ApiError) as e:
catalog = client.create_catalog(name=name,
branch="test",
url="",
)
remove_resource(catalog)
assert e.value.error.status == 422
# PUT: Bad URL
good_url = "https://github.com/StrongMonkey/charts-1.git"
catalog = client.create_catalog(name=name,
branch="test",
url=good_url,
)
remove_resource(catalog)
wait_for_template_to_be_created(client, name)
with pytest.raises(ApiError) as e:
catalog.url = bad_url
client.update_by_id_catalog(catalog.id, catalog)
assert e.value.error.status == 422
def test_invalid_catalog_chars(admin_mc, remove_resource):
client = admin_mc.client
name = random_str()
......
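Review bot: Deleting test_invalid_catalog also drops the `# POST: No URL` case (the block ending in `assert e.value.error.status == 422`), which exercised a check this commit leaves in place — Validator still returns MissingRequired when url is empty on POST. Keep that case as its own test so the one remaining input check on catalog URLs stays covered. The removed `import pytest` and `from rancher import ApiError` lines would then have to come back; if other tests in this file outside the hunk still use pytest, removing that import may already be a problem, which I cannot confirm from here.
```python
def test_catalog_requires_url(admin_mc, remove_resource):
    client = admin_mc.client
    with pytest.raises(ApiError) as e:
        client.create_catalog(name=random_str(), branch="test", url="")
    assert e.value.error.status == 422
```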