remote_server: Validate zulip_org_id submitted by registering server.

zulip_org_id is supposed to be a UUID, so we want to actually validate the format, not only check the length.
2021-12-22 11:02:02 +01:00 · 2021-12-22 11:02:02 +01:00 · e48120fd12
parent 42dd58cffe
commit e48120fd12
2 changed files with 25 additions and 0 deletions
--- a/zerver/tests/test_push_notifications.py
+++ b/zerver/tests/test_push_notifications.py
@ -2455,6 +2455,18 @@ class PushBouncerSignupTest(ZulipTestCase):
        result = self.client_post("/api/v1/remotes/server/register", request)
        self.assert_json_error(result, "Enter a valid email address.")

+    def test_push_signup_invalid_zulip_org_id(self) -> None:
+        zulip_org_id = "x" * RemoteZulipServer.UUID_LENGTH
+        zulip_org_key = get_random_string(64)
+        request = dict(
+            zulip_org_id=zulip_org_id,
+            zulip_org_key=zulip_org_key,
+            hostname="example.com",
+            contact_email="server-admin@example.com",
+        )
+        result = self.client_post("/api/v1/remotes/server/register", request)
+        self.assert_json_error(result, "Invalid UUID")
+
    def test_push_signup_success(self) -> None:
        zulip_org_id = str(uuid.uuid4())
        zulip_org_key = get_random_string(64)
--- a/zilencer/views.py
+++ b/zilencer/views.py
@ -1,6 +1,7 @@
 import datetime
 import logging
 from typing import Any, Dict, List, Optional, Union
+from uuid import UUID

 from django.core.exceptions import ValidationError
 from django.core.validators import URLValidator, validate_email
@ -50,6 +51,13 @@ def validate_entity(entity: Union[UserProfile, RemoteZulipServer]) -> RemoteZuli
    return entity


+def validate_uuid(uuid: str) -> None:
+    try:
+        UUID(uuid, version=4)
+    except ValueError:
+        raise ValidationError(err_("Invalid UUID"))
+
+
 def validate_bouncer_token_request(
    entity: Union[UserProfile, RemoteZulipServer], token: str, kind: int
 ) -> RemoteZulipServer:
@ -89,6 +97,11 @@ def register_remote_server(
    except ValidationError as e:
        raise JsonableError(e.message)

+    try:
+        validate_uuid(zulip_org_id)
+    except ValidationError as e:
+        raise JsonableError(e.message)
+
    remote_server, created = RemoteZulipServer.objects.get_or_create(
        uuid=zulip_org_id,
        defaults={"hostname": hostname, "contact_email": contact_email, "api_key": zulip_org_key},