remote_server: Validate zulip_org_id submitted by registering server.

zulip_org_id is supposed to be a UUID, so we want to actually validate
the format, not only check the length.
Mateusz Mandera 2021-12-22 11:02:02 +01:00 committed by Tim Abbott
parent 42dd58cffe
commit e48120fd12
2 changed files with 25 additions and 0 deletions


@ -2455,6 +2455,18 @@ class PushBouncerSignupTest(ZulipTestCase):
result = self.client_post("/api/v1/remotes/server/register", request) result = self.client_post("/api/v1/remotes/server/register", request)
self.assert_json_error(result, "Enter a valid email address.") self.assert_json_error(result, "Enter a valid email address.")
def test_push_signup_invalid_zulip_org_id(self) -> None:
zulip_org_id = "x" * RemoteZulipServer.UUID_LENGTH
zulip_org_key = get_random_string(64)
request = dict(
zulip_org_id=zulip_org_id,
zulip_org_key=zulip_org_key,
hostname="example.com",
contact_email="server-admin@example.com",
)
result = self.client_post("/api/v1/remotes/server/register", request)
self.assert_json_error(result, "Invalid UUID")
def test_push_signup_success(self) -> None: def test_push_signup_success(self) -> None:
zulip_org_id = str(uuid.uuid4()) zulip_org_id = str(uuid.uuid4())
zulip_org_key = get_random_string(64) zulip_org_key = get_random_string(64)
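Review bot: The new test only covers a correct-length string of non-hex characters, so it would still pass if the validator were relaxed to a plain hex check; a second case with a 32-hex-digit id in a non-canonical spelling (e.g. brace-wrapped or without hyphens) would pin down whether such inputs are meant to be rejected or accepted, which the success test at `zulip_org_id = str(uuid.uuid4())` does not settle. The dependency on `RemoteZulipServer.UUID_LENGTH` for building the bad id is good, since it keeps the case from accidentally failing on length. The enclosing class `PushBouncerSignupTest` continues outside the hunk.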


@ -1,6 +1,7 @@
import datetime import datetime
import logging import logging
from typing import Any, Dict, List, Optional, Union from typing import Any, Dict, List, Optional, Union
from uuid import UUID
from django.core.exceptions import ValidationError from django.core.exceptions import ValidationError
from django.core.validators import URLValidator, validate_email from django.core.validators import URLValidator, validate_email
@ -50,6 +51,13 @@ def validate_entity(entity: Union[UserProfile, RemoteZulipServer]) -> RemoteZuli
return entity return entity
def validate_uuid(uuid: str) -> None:
try:
UUID(uuid, version=4)
except ValueError:
raise ValidationError(err_("Invalid UUID"))
def validate_bouncer_token_request( def validate_bouncer_token_request(
entity: Union[UserProfile, RemoteZulipServer], token: str, kind: int entity: Union[UserProfile, RemoteZulipServer], token: str, kind: int
) -> RemoteZulipServer: ) -> RemoteZulipServer:
@ -89,6 +97,11 @@ def register_remote_server(
except ValidationError as e: except ValidationError as e:
raise JsonableError(e.message) raise JsonableError(e.message)
try:
validate_uuid(zulip_org_id)
except ValidationError as e:
raise JsonableError(e.message)
remote_server, created = RemoteZulipServer.objects.get_or_create( remote_server, created = RemoteZulipServer.objects.get_or_create(
uuid=zulip_org_id, uuid=zulip_org_id,
defaults={"hostname": hostname, "contact_email": contact_email, "api_key": zulip_org_key}, defaults={"hostname": hostname, "contact_email": contact_email, "api_key": zulip_org_key},
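Review bot: In the `validate_uuid` hunk, `UUID(uuid, version=4)` does not reject ids of other versions — the `version` argument overwrites the version and variant bits of the parsed value rather than checking them — and the constructor also accepts brace-wrapped, `urn:uuid:`-prefixed and hyphen-less spellings, so this is a syntax check on 32 hex digits and nothing more. That is a reasonable check, but the name and the `version=4` argument suggest stricter validation than is performed; I would drop the argument and document it: `UUID(uuid)  # syntax check only: accepts braces, urn: prefix and hyphen-less hex; version bits are not verified`. Since `get_or_create(uuid=zulip_org_id, ...)` then stores the raw submitted string, it is worth confirming that the model's `uuid` column normalizes spellings (a `UUIDField` would; a `CharField` would let two spellings of one id register as separate servers) — I cannot tell from the hunk. The new `try`/`except ValidationError` in `register_remote_server` repeats the block immediately above it; the call could live in that existing `try`, whose opening line is outside the hunk.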