From 5ce643121cfa89fa05d1fe585064988435b70fab Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Jun 14 2018 13:04:44 +0000
Subject: Allow gcc-c++.

This is a valid package for a client to request in a compose.

---
diff --git a/server/odcs/server/api_utils.py b/server/odcs/server/api_utils.py
index 072f7aa..3cebdfd 100644
--- a/server/odcs/server/api_utils.py
+++ b/server/odcs/server/api_utils.py
@@ -142,7 +142,7 @@ def raise_if_input_not_allowed(**kwargs):
             % (flask.g.user.username, name, value))
 
 
-def validate_json_data(dict_or_list, level=0):
+def validate_json_data(dict_or_list, level=0, last_dict_key=None):
     """
     Checks that json data represented by dict `dict_or_list` is valid ODCS
     input. Raises ValueError in case the json data does not pass validation.
@@ -162,10 +162,14 @@ def validate_json_data(dict_or_list, level=0):
             if level != 0 or k not in ["source"]:
                 raise ValueError(
                     "Only 'source' key is allowed to contain dict.")
-            validate_json_data(v, level + 1)
+            validate_json_data(v, level + 1, k)
         elif isinstance(v, list):
             validate_json_data(v, level + 1)
         elif isinstance(v, six.string_types):
+            # Packages are stored in comps.xml, not in pungi.conf, so it is
+            # not exploitable.
+            if last_dict_key in ["packages"]:
+                continue
             allowed_chars = [' ', '-', '/', '_', '.', ':', '#']
             if not all(c.isalnum() or c in allowed_chars for c in v):
                 raise ValueError(
diff --git a/server/tests/test_views.py b/server/tests/test_views.py
index 58820bd..7ff0bf3 100644
--- a/server/tests/test_views.py
+++ b/server/tests/test_views.py
@@ -88,6 +88,10 @@ class TestValidateJSONData(unittest.TestCase):
         data = {"source": {"x": PropertyMock()}}
         self.assertRaises(ValueError, validate_json_data, data)
 
+    def test_validate_json_data_allowed_package(self):
+        data = {"packages": ["gcc-g++"]}
+        validate_json_data(data)
+
 
 class ViewBaseTest(ModelsBaseTest):
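Review bot: The docstring directly under the changed signature does not describe the new `last_dict_key` parameter; the two docstring lines visible in this hunk only mention `dict_or_list`. A line such as `last_dict_key: key of the enclosing dict whose value is being validated (None at the top level); used to exempt values under specific keys from the character check.` would tell callers what the third argument means and why it exists. The rest of validate_json_data, including the remainder of the docstring, continues outside this hunk, so if the parameter is documented further down this can be disregarded.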
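Review bot: The new `packages` exemption does not reach the common shape of that input, because the `list` branch still recurses with `validate_json_data(v, level + 1)` and drops the key; strings inside a list under `packages` are then checked with `last_dict_key` None, so an input like the `{"packages": ["gcc-g++"]}` in the commit's new test is still rejected for the `+`. Only the dict branch was changed to pass `k`. Changing the list branch to `validate_json_data(v, level + 1, k)` propagates the key, assuming the loop's `k` is the dict key when `dict_or_list` is a dict (the loop header is outside this hunk). Separately, the exemption removes the character whitelist entirely for package values rather than widening it; if the intent is only to accept `+`, extending `allowed_chars` with `'+'` when `last_dict_key == "packages"` keeps the check in force and leans less on the comment's claim that these values never reach pungi.conf.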