From 36ca85fa1c2936087b2c3d976d3576f0f5d2157e Mon Sep 17 00:00:00 2001 From: Javier Peletier Date: Wed, 7 Nov 2018 14:49:42 +0100 Subject: swarm/api: Fix #18007, missing signature should return HTTP 400 (#18008) --- swarm/api/http/server.go | 10 ++++++---- swarm/api/http/server_test.go | 34 ++++++++++++++++++++++++++++++++-- 2 files changed, 38 insertions(+), 6 deletions(-) (limited to 'swarm') diff --git a/swarm/api/http/server.go b/swarm/api/http/server.go index e9005104e..803b78987 100644 --- a/swarm/api/http/server.go +++ b/swarm/api/http/server.go @@ -484,7 +484,8 @@ func (s *Server) HandlePostFeed(w http.ResponseWriter, r *http.Request) { return } - if updateRequest.IsUpdate() { + switch { + case updateRequest.IsUpdate(): // Verify that the signature is intact and that the signer is authorized // to update this feed // Check this early, to avoid creating a feed and then not being able to set its first update. @@ -497,9 +498,8 @@ func (s *Server) HandlePostFeed(w http.ResponseWriter, r *http.Request) { respondError(w, r, err.Error(), http.StatusInternalServerError) return } - } - - if query.Get("manifest") == "1" { + fallthrough + case query.Get("manifest") == "1": // we create a manifest so we can retrieve feed updates with bzz:// later // this manifest has a special "feed type" manifest, and saves the // feed identification used to retrieve feed updates later @@ -519,6 +519,8 @@ func (s *Server) HandlePostFeed(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, string(outdata)) w.Header().Add("Content-type", "application/json") + default: + respondError(w, r, "Missing signature in feed update request", http.StatusBadRequest) } } diff --git a/swarm/api/http/server_test.go b/swarm/api/http/server_test.go index 1cf7ff577..159c8a159 100644 --- a/swarm/api/http/server_test.go +++ b/swarm/api/http/server_test.go @@ -333,15 +333,45 @@ func TestBzzFeed(t *testing.T) { } urlQuery = testUrl.Query() body = updateRequest.AppendValues(urlQuery) // this adds all query parameters + goodQueryParameters := urlQuery.Encode() // save the query parameters for a second attempt + + // create bad query parameters in which the signature is missing + urlQuery.Del("signature") testUrl.RawQuery = urlQuery.Encode() + // 1st attempt with bad query parameters in which the signature is missing resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body)) if err != nil { t.Fatal(err) } defer resp.Body.Close() - if resp.StatusCode != http.StatusOK { - t.Fatalf("Update returned %s", resp.Status) + expectedCode := http.StatusBadRequest + if resp.StatusCode != expectedCode { + t.Fatalf("Update returned %s. Expected %d", resp.Status, expectedCode) + } + + // 2nd attempt with bad query parameters in which the signature is of incorrect length + urlQuery.Set("signature", "0xabcd") // should be 130 hex chars + resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body)) + if err != nil { + t.Fatal(err) + } + defer resp.Body.Close() + expectedCode = http.StatusBadRequest + if resp.StatusCode != expectedCode { + t.Fatalf("Update returned %s. Expected %d", resp.Status, expectedCode) + } + + // 3rd attempt, with good query parameters: + testUrl.RawQuery = goodQueryParameters + resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body)) + if err != nil { + t.Fatal(err) + } + defer resp.Body.Close() + expectedCode = http.StatusOK + if resp.StatusCode != expectedCode { + t.Fatalf("Update returned %s. Expected %d", resp.Status, expectedCode) } // get latest update through bzz-feed directly -- cgit v1.2.3