From 019cac8a7c71baeacd85bb859014390eba71b6cc Mon Sep 17 00:00:00 2001
From: "Brian C. Lane"
Date: Thu, 28 May 2020 14:23:57 -0700
Subject: [PATCH] lorax-composer: Check compose/status for invalid characters
---
src/pylorax/api/v0.py | 5 +++++
tests/pylorax/test_server.py | 9 +++++++++
2 files changed, 14 insertions(+)
diff --git a/src/pylorax/api/v0.py b/src/pylorax/api/v0.py
index c977d517..813eb2e4 100644
--- a/src/pylorax/api/v0.py
+++ b/src/pylorax/api/v0.py
@@ -1649,6 +1649,11 @@ def v0_compose_status(uuids):
status = request.args.get("status", None)
compose_type = request.args.get("type", None)
+ # Check the arguments for invalid characters
+ for a in [blueprint, status, compose_type]:
+ if a is not None and VALID_API_STRING.match(a) is None:
+ return jsonify(status=False, errors=[{"id": INVALID_CHARS, "msg": "Invalid characters in API path"}]), 400
+
results = []
errors = []
diff --git a/tests/pylorax/test_server.py b/tests/pylorax/test_server.py
index 2a86acc7..ecc7ebc9 100644
--- a/tests/pylorax/test_server.py
+++ b/tests/pylorax/test_server.py
@@ -1638,6 +1638,15 @@ class ServerAPIV0TestCase(unittest.TestCase):
resp = self.server.get("/api/v0/compose/status/" + UTF8_TEST_STRING)
self.assertInputError(resp)
+ resp = self.server.get("/api/v0/compose/status/*?blueprint=" + UTF8_TEST_STRING)
+ self.assertInputError(resp)
+
+ resp = self.server.get("/api/v0/compose/status/*?status=" + UTF8_TEST_STRING)
+ self.assertInputError(resp)
+
+ resp = self.server.get("/api/v0/compose/status/*?type=" + UTF8_TEST_STRING)
+ self.assertInputError(resp)
+
def test_compose_cancel_input(self):
"""Test the compose/cancel input character checking"""
resp = self.server.delete("/api/v0/compose/cancel/" + UTF8_TEST_STRING)
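Review bot: The new guard in v0_compose_status uses `VALID_API_STRING.match(a)`, which only rejects the value if the pattern fails at the start of the string; unless VALID_API_STRING is end-anchored (I cannot see its definition from this hunk), a value with a valid prefix and trailing disallowed characters would pass the filter. Writing it as `if a is not None and VALID_API_STRING.fullmatch(a) is None:` makes the whole-string intent explicit and independent of how the pattern is anchored. The error text `"Invalid characters in API path"` is also slightly misleading here since blueprint, status and type are query-string values rather than path segments, so a comment such as `# blueprint/status/type come from the query string; reject them with the same INVALID_CHARS error used for path segments` would help the next reader. The uuids path parameter is presumably validated earlier in the function, which starts and ends outside this hunk.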
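Review bot: The three added cases in ServerAPIV0TestCase exercise only the rejection path of the new query-parameter check, so a regression that made the filter reject every value (for example an over-strict pattern) would still pass. A positive companion case that sends a value the pattern is meant to accept, such as `resp = self.server.get("/api/v0/compose/status/*?status=FINISHED")` followed by `self.assertEqual(resp.status_code, 200)`, would pin that legitimate filters keep working; the exact expected body depends on the test fixture's queue state, so asserting the status code alone is the safe choice. The enclosing test method begins outside this hunk.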