[ARVADOS] created: 629557aa041a80f0704b02e7c679b2f01d9c0be2

Git user git at public.curoverse.com
Tue Apr 25 13:02:48 EDT 2017


        at  629557aa041a80f0704b02e7c679b2f01d9c0be2 (commit)


commit 629557aa041a80f0704b02e7c679b2f01d9c0be2
Author: Tom Clegg <tom at curoverse.com>
Date:   Tue Apr 25 12:57:11 2017 -0400

    11544: Return 404 instead of 500 for malformed collection IDs.

diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go
index a79973b..620ed9c 100644
--- a/services/keep-web/handler.go
+++ b/services/keep-web/handler.go
@@ -157,17 +157,19 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 	} else if len(pathParts) >= 3 && pathParts[0] == "collections" {
 		if len(pathParts) >= 5 && pathParts[1] == "download" {
 			// /collections/download/ID/TOKEN/PATH...
-			targetID = pathParts[2]
+			targetID = parseCollectionIDFromURL(pathParts[2])
 			tokens = []string{pathParts[3]}
 			targetPath = pathParts[4:]
 			pathToken = true
 		} else {
 			// /collections/ID/PATH...
-			targetID = pathParts[1]
+			targetID = parseCollectionIDFromURL(pathParts[1])
 			tokens = h.Config.AnonymousTokens
 			targetPath = pathParts[2:]
 		}
-	} else {
+	}
+
+	if targetID == "" {
 		statusCode = http.StatusNotFound
 		return
 	}
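Review bot: The new `if targetID == ""` guard now stands for two different conditions, "no route matched" and "the ID in the URL was rejected", and nothing at that line says so. It appears to rely on parseCollectionIDFromURL returning an empty string for input it does not accept; that helper is not visible in this hunk, so confirm the contract holds for every branch that assigns targetID, including the branches earlier in the chain that are not shown. I would add a comment above the guard, for example `// targetID is empty if no route matched or the ID in the URL is not a well-formed collection ID; respond 404 in both cases.` ServeHTTP starts and continues outside the hunk.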
diff --git a/services/keep-web/handler_test.go b/services/keep-web/handler_test.go
index 86e1409..57ac219 100644
--- a/services/keep-web/handler_test.go
+++ b/services/keep-web/handler_test.go
@@ -49,6 +49,35 @@ func (s *UnitSuite) TestCORSPreflight(c *check.C) {
 	c.Check(resp.Code, check.Equals, http.StatusMethodNotAllowed)
 }
 
+func (s *UnitSuite) TestInvalidUUID(c *check.C) {
+	bogusID := strings.Replace(arvadostest.FooPdh, "+", "-", 1) + "-"
+	token := arvadostest.ActiveToken
+	for _, trial := range []string{
+		"http://keep-web/c=" + bogusID + "/foo",
+		"http://keep-web/c=" + bogusID + "/t=" + token + "/foo",
+		"http://keep-web/collections/download/" + bogusID + "/" + token + "/foo",
+		"http://keep-web/collections/" + bogusID + "/foo",
+		"http://" + bogusID + ".keep-web/" + bogusID + "/foo",
+		"http://" + bogusID + ".keep-web/t=" + token + "/" + bogusID + "/foo",
+	} {
+		c.Log(trial)
+		u, err := url.Parse(trial)
+		c.Assert(err, check.IsNil)
+		req := &http.Request{
+			Method:     "GET",
+			Host:       u.Host,
+			URL:        u,
+			RequestURI: u.RequestURI(),
+		}
+		resp := httptest.NewRecorder()
+		h := handler{Config: &Config{
+			AnonymousTokens: []string{arvadostest.AnonymousToken},
+		}}
+		h.ServeHTTP(resp, req)
+		c.Check(resp.Code, check.Equals, http.StatusNotFound)
+	}
+}
+
 func mustParseURL(s string) *url.URL {
 	r, err := url.Parse(s)
 	if err != nil {
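Review bot: bogusID in TestInvalidUUID is built without a comment saying why the result is malformed, which makes the intent of the six trial URLs hard to read. Presumably arvadostest.FooPdh has the form hash+size, so bogusID is a hash-size string with a trailing `-`; if that is right, state it, e.g. `// bogusID looks like a PDH with "-" in place of "+", made invalid by the trailing "-".` All trials share that single shape, so the test would still pass if only this one string were rejected; adding a second malformed value (for instance a truncated ID) to the same loop would tie the 404 to ID validation in general. The mustParseURL context lines at the end continue outside the hunk.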

-----------------------------------------------------------------------


hooks/post-receive
-- 



