lorax-composer: Check for valid characters in the undo commit

Return an error 400 with INVALID_CHARS if the commit characters are not in the allowed list.
2020-05-28 09:39:23 -07:00 · 2020-05-28 09:39:23 -07:00 · 74f8cd4f34
commit 74f8cd4f34
parent 564f78e629
2 changed files with 6 additions and 0 deletions
--- a/src/pylorax/api/v0.py
+++ b/src/pylorax/api/v0.py
@ -507,6 +507,9 @@ def v0_blueprints_undo(blueprint_name, commit):
    if VALID_BLUEPRINT_NAME.match(blueprint_name) is None:
        return jsonify(status=False, errors=[{"id": INVALID_CHARS, "msg": "Invalid characters in API path"}]), 400

+    if VALID_BLUEPRINT_NAME.match(commit) is None:
+        return jsonify(status=False, errors=[{"id": INVALID_CHARS, "msg": "Invalid characters in API path"}]), 400
+
    branch = request.args.get("branch", "master")
    if VALID_API_STRING.match(branch) is None:
        return jsonify(status=False, errors=[{"id": INVALID_CHARS, "msg": "Invalid characters in branch argument"}]), 400
--- a/tests/pylorax/test_server.py
+++ b/tests/pylorax/test_server.py
@ -1530,6 +1530,9 @@ class ServerAPIV0TestCase(unittest.TestCase):
        resp = self.server.post("/api/v0/blueprints/undo/" + UTF8_TEST_STRING + "/deadbeef")
        self.assertInputError(resp)

+        resp = self.server.post("/api/v0/blueprints/undo/example-http-server/" + UTF8_TEST_STRING)
+        self.assertInputError(resp)
+
        resp = self.server.post("/api/v0/blueprints/undo/example-http-server/deadbeef?branch=" + UTF8_TEST_STRING)
        self.assertInputError(resp)