
Commit deee8a5

[TT-16337] prevent use of special characters in policyID - visor comments
1 parent d9a050c commit deee8a5


2 files changed

+13
-17
lines changed


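--- a/gateway/api.go
+++ b/gateway/api.go
@@ -77,6 +77,7 @@ const (
 // KeyListingWorkerCountCap 350 is based on the average of 10000 keys with minor contingency
 KeyListingWorkerCountCap = 350
 KeyListingWorkerEntriesPerKey = 100
+errMsgInvalidPolicyID = "Invalid Policy ID. Allowed characters: a-z, A-Z, 0-9, ., _, -, ~"
 )
 
 var (
@@ -1114,7 +1115,7 @@ func (gw *Gateway) handleAddOrUpdatePolicy(polID string, r *http.Request) (inter
 
 if newPol.ID != "" && !isValidPolicyID(newPol.ID) {
 log.WithField("id", newPol.ID).Error("Policy ID contains invalid characters")
-return apiError("Invalid Policy ID in body. Allowed characters: a-z, A-Z, 0-9, ., _, -"), http.StatusBadRequest
+return apiError(errMsgInvalidPolicyID), http.StatusBadRequest
 }
 
 if polID != "" && newPol.ID != polID && r.Method == http.MethodPut {
@@ -1564,7 +1565,7 @@ func (gw *Gateway) polHandler(w http.ResponseWriter, r *http.Request) {
 
 if polID != "" && !isValidPolicyID(polID) {
 log.WithField("id", polID).Error("Policy ID contains invalid characters")
-doJSONWrite(w, http.StatusBadRequest, apiError("Invalid Policy ID. Allowed characters: a-z, A-Z, 0-9, ., _, -"))
+doJSONWrite(w, http.StatusBadRequest, apiError(errMsgInvalidPolicyID))
 return
 }
 
@@ -1603,9 +1604,6 @@ func (gw *Gateway) polHandler(w http.ResponseWriter, r *http.Request) {
 }
 
 func isValidPolicyID(id string) bool {
-if id == "" {
-return true
-}
 return validPolicyIDRegex.MatchString(id)
 }
 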
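Review bot: errMsgInvalidPolicyID now tells clients that `~` is an accepted character, but validPolicyIDRegex, which isValidPolicyID still delegates to, is defined outside this diff, so nothing here shows the pattern was extended to match the new message. Worth confirming the two agree before merge, because a client-facing message that overstates or understates the accepted set either rejects legitimate IDs or invites IDs the regex was never reviewed for. With the `id == ""` shortcut removed, isValidPolicyID's answer for an empty string now depends entirely on the regex; both callers visible here guard with `!= ""` first, so it is harmless in this diff, but the function should state that contract: `// isValidPolicyID reports whether id matches validPolicyIDRegex; callers handle the empty id themselves.`. The unified message also drops the old "in body" wording, so handleAddOrUpdatePolicy and polHandler now return identical text for a bad path ID and a bad body ID, leaving the log line as the only place that tells them apart; both enclosing functions continue outside their hunks.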
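--- a/gateway/api_test.go
+++ b/gateway/api_test.go
@@ -177,46 +177,44 @@ func TestPolicyAPI(t *testing.T) {
 t.Run("fails if ID contains invalid characters", func(t *testing.T) {
 invalidURLID := "invalid@id"
 
-ts.Run(t, test.TestCase{
+_, err := ts.Run(t, test.TestCase{
 Path: "/tyk/policies/" + invalidURLID,
 Method: http.MethodGet,
 AdminAuth: true,
 Code: http.StatusBadRequest,
-BodyMatch: `Invalid Policy ID`,
+BodyMatch: "Invalid Policy ID",
 })
+assert.NoError(t, err)
 
 invalidBodyPol := user.Policy{
 ID: "invalid/id",
 Rate: 100,
 Per: 1,
 OrgID: "54de205930c55e15bd000001",
 AccessRights: make(map[string]user.AccessDefinition),
-MetaData: nil,
-Tags: nil,
 }
 
-ts.Run(t, test.TestCase{
+_, err = ts.Run(t, test.TestCase{
 Path: "/tyk/policies",
 Method: http.MethodPost,
 AdminAuth: true,
 Data: serializePolicy(t, invalidBodyPol),
 Code: http.StatusBadRequest,
-BodyMatch: `Invalid Policy ID in body`,
+BodyMatch: "Invalid Policy ID",
 })
+assert.NoError(t, err)
 
 validID := "valid-id"
-ts.Gw.policiesMu.Lock()
-ts.Gw.policiesByID[validID] = invalidBodyPol
-ts.Gw.policiesMu.Unlock()
 
-ts.Run(t, test.TestCase{
+_, err = ts.Run(t, test.TestCase{
 Path: "/tyk/policies/" + validID,
 Method: http.MethodPut,
 AdminAuth: true,
-Data: serializePolicy(t, invalidBodyPol),
+Data: serializePolicy(t, invalidBodyPol), // sending "invalid/id" in body
 Code: http.StatusBadRequest,
-BodyMatch: `Invalid Policy ID in body`,
+BodyMatch: "Invalid Policy ID",
 })
+assert.NoError(t, err)
 })
 }
 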
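Review bot: All three cases in this subtest exercise rejection only and now match the same `"Invalid Policy ID"` substring, so nothing here pins that the characters the new message advertises, in particular `~`, are actually accepted, nor that an empty body ID still passes now that isValidPolicyID no longer short-circuits on `""`. A positive case that POSTs a policy whose ID contains `~` and expects success, and one with an empty ID, would tie validPolicyIDRegex and errMsgInvalidPolicyID together and catch either drifting on its own. The final PUT no longer pre-seeds `validID` into ts.Gw.policiesByID, so it now relies on the body-ID check firing before any lookup of the path ID; that ordering is not visible in this hunk, so a line such as `// body-ID validation is expected to run before the policy lookup, hence no seeded policy` above the PUT would make the intent explicit. TestPolicyAPI continues outside this hunk.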