From 5275dc7ea969f64ea979cdd985344488d66b434b Mon Sep 17 00:00:00 2001 From: Pierre-Yves Chibon Date: Mar 17 2020 14:28:03 +0000 Subject: Validate the input submitted for the bugzilla overrides Basically, we are now checking that the input submitted in the form for the bugzilla overrides is either a known user or a known group to pagure's DB. Signed-off-by: Pierre-Yves Chibon --- diff --git a/pagure_distgit/plugin.py b/pagure_distgit/plugin.py index 7df6bb6..1757e33 100644 --- a/pagure_distgit/plugin.py +++ b/pagure_distgit/plugin.py @@ -411,6 +411,25 @@ def bzoverride_patch_endpoint(repo, namespace): """ Updates the default assignees of this package. """ + def _validate_input(inputname): + """ Validate if the input is either an username or a group name. """ + valid = False + if inputname.startswith("@"): + group = pagure.lib.query.search_groups( + flask.g.session, group_name=inputname[1:] + ) + if group: + valid = True + + else: + user_obj = pagure.lib.query.search_user( + flask.g.session, username=inputname + ) + if user_obj: + valid = True + + return valid + repo = _get_repo(repo, namespace=namespace) is_site_admin = pagure.utils.is_admin() @@ -426,10 +445,22 @@ def bzoverride_patch_endpoint(repo, namespace): fedora_assignee = None if form.fedora_assignee.data: fedora_assignee = form.fedora_assignee.data.strip() or None + if fedora_assignee and not _validate_input(fedora_assignee): + raise pagure.exceptions.APIError( + 400, + error_code=APIERROR.EINVALIDREQ, + errors=["Invalid user or group name as fedora_assignee"], + ) epel_assignee = None if form.epel_assignee.data: epel_assignee = form.epel_assignee.data.strip() or None + if epel_assignee and not _validate_input(epel_assignee): + raise pagure.exceptions.APIError( + 400, + error_code=APIERROR.EINVALIDREQ, + errors=["Invalid user or group name as epel_assignee"], + ) try: if repo.bzoverride: 
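Review bot: In `_validate_input`, a submitted value of just `@` (which survives the `.strip()` applied to both assignee fields) reaches `search_groups` with `group_name=inputname[1:]`, i.e. an empty string; if that helper treats a falsy `group_name` as "no filter" and returns every group, the bare `@` passes validation as a truthy result even though no such group exists. Guard the name before the lookup: `group_name = inputname[1:]` followed by `if not group_name: return False`, and pass `group_name=group_name` to the query. The helper is also re-created on every request and the two validation blocks for `fedora_assignee` and `epel_assignee` are identical except for the field name, so a module-level `_validate_assignee(name)` plus a loop over the two fields would be shorter to audit. `bzoverride_patch_endpoint` starts before the first hunk and continues past the end of the second, so whatever authorization check sits between `is_site_admin = pagure.utils.is_admin()` and the assignee handling is not visible here.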
diff --git a/pagure_distgit_tests/bugzilla_overrides_tests.py b/pagure_distgit_tests/bugzilla_overrides_tests.py index d1520d5..a81cf64 100644 --- a/pagure_distgit_tests/bugzilla_overrides_tests.py +++ b/pagure_distgit_tests/bugzilla_overrides_tests.py @@ -84,6 +84,46 @@ class PagureFlaskApiProjectBZOverrideTests(tests.Modeltests): data = json.loads(output.get_data(as_text=True)) self.assertDictEqual(data, datainput) + def test_change_invalid_fedora_assignee(self): + """Test the bz endpoint when changing the Fedora assignee while keeping + the EPEL one. + """ + headers = {"Authorization": "token aaabbbcccddd"} + datainput = {"epel_assignee": "foo", "fedora_assignee": "invalid"} + expected_result = { + "error": "Invalid or incomplete input submitted", + "error_code": "EINVALIDREQ", + "errors": ["Invalid user or group name as fedora_assignee"], + } + output = self.app.post( + "/_dg/bzoverrides/somenamespace/test3", + data=datainput, + headers=headers, + ) + self.assertEqual(output.status_code, 400) + data = json.loads(output.get_data(as_text=True)) + self.assertDictEqual(data, expected_result) + + def test_change_invalid_fedora_group_assignee(self): + """Test the bz endpoint when changing the Fedora assignee while keeping + the EPEL one. + """ + headers = {"Authorization": "token aaabbbcccddd"} + datainput = {"epel_assignee": "foo", "fedora_assignee": "@invalid"} + expected_result = { + "error": "Invalid or incomplete input submitted", + "error_code": "EINVALIDREQ", + "errors": ["Invalid user or group name as fedora_assignee"], + } + output = self.app.post( + "/_dg/bzoverrides/somenamespace/test3", + data=datainput, + headers=headers, + ) + self.assertEqual(output.status_code, 400) + data = json.loads(output.get_data(as_text=True)) + self.assertDictEqual(data, expected_result) + def test_change_epel_assignee(self): """Test the bz endpoint when changing the EPEL assignee while keeping the Fedora one. 
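Review bot: The two new tests only assert that unknown names are rejected; nothing in this hunk asserts that a known group given as `@name` is accepted, so a regression in the `@` branch of the validator that rejected every group would still pass (the existing tests posting `"foo"` presumably cover the known-user path, but no group is posted anywhere in this file's visible hunks). Add one positive case next to `test_change_invalid_fedora_group_assignee` that posts a group created in the test fixture and expects the 200 response the existing tests check. The docstrings are copied from the neighbouring tests and describe the wrong scenario; `test_change_invalid_fedora_assignee` should read `"""Test the bz endpoint rejects an unknown Fedora assignee while keeping the EPEL one."""` and the group variant should say "an unknown Fedora group".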
@@ -103,6 +143,46 @@ class PagureFlaskApiProjectBZOverrideTests(tests.Modeltests): data = json.loads(output.get_data(as_text=True)) self.assertDictEqual(data, expected_result) + def test_change_invalid_epel_assignee(self): + """Test the bz endpoint when changing the EPEL assignee while keeping + the Fedora one. + """ + headers = {"Authorization": "token aaabbbcccddd"} + datainput = {"epel_assignee": "invalid", "fedora_assignee": None} + expected_result = { + "error": "Invalid or incomplete input submitted", + "error_code": "EINVALIDREQ", + "errors": ["Invalid user or group name as epel_assignee"], + } + output = self.app.post( + "/_dg/bzoverrides/somenamespace/test3", + data=datainput, + headers=headers, + ) + self.assertEqual(output.status_code, 400) + data = json.loads(output.get_data(as_text=True)) + self.assertDictEqual(data, expected_result) + + def test_change_invalid_epel_group_assignee(self): + """Test the bz endpoint when changing the EPEL assignee while keeping + the Fedora one. + """ + headers = {"Authorization": "token aaabbbcccddd"} + datainput = {"epel_assignee": "@invalid", "fedora_assignee": None} + expected_result = { + "error": "Invalid or incomplete input submitted", + "error_code": "EINVALIDREQ", + "errors": ["Invalid user or group name as epel_assignee"], + } + output = self.app.post( + "/_dg/bzoverrides/somenamespace/test3", + data=datainput, + headers=headers, + ) + self.assertEqual(output.status_code, 400) + data = json.loads(output.get_data(as_text=True)) + self.assertDictEqual(data, expected_result) + def test_reset_fedora_assignees(self): """Test the bz endpoint when resetting the Fedora assignee. """ @@ -189,7 +269,6 @@ class PagureFlaskApiProjectBZOverrideTests(tests.Modeltests): repo = pagure.lib.query.get_authorized_project( self.session, "test3", namespace="somenamespace", ) - print(repo.bzoverride) self.assertIsNone(repo.bzoverride) def test_changing_assignees_logged_in_invalid_user(self):
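Review bot: The docstrings of `test_change_invalid_epel_assignee` and `test_change_invalid_epel_group_assignee` say "while keeping the Fedora one", but the payload sets `fedora_assignee` to `None`, so they describe neither the invalid input nor the reset being sent; suggest `"""Test the bz endpoint rejects an unknown EPEL assignee when the Fedora one is reset."""`. Passing `None` as a form value also relies on the test client dropping the key rather than sending the literal string `None`; since the request is expected to fail on `epel_assignee` anyway, omitting `fedora_assignee` from `datainput` makes the request explicit and keeps the 400 attributable to the EPEL check alone.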