[WebUI] Only accept application/json content-type requests

- Protects against CSRF (Cross-site request forgery)
This commit is contained in:
Calum Lind 2017-03-01 13:22:15 +00:00
parent ec5c8bafb6
commit 11e8957dea
2 changed files with 15 additions and 0 deletions

View File

@ -94,6 +94,7 @@ class JSONTestCase(JSONBase):
request.write = write request.write = write
request.write_was_called = False request.write_was_called = False
request._disconnected = False request._disconnected = False
request.getHeader.return_value = 'application/json'
self.assertEquals(json.render(request), server.NOT_DONE_YET) self.assertEquals(json.render(request), server.NOT_DONE_YET)
self.assertTrue(request.write_was_called) self.assertTrue(request.write_was_called)
@ -115,6 +116,15 @@ class JSONTestCase(JSONBase):
request.json = json_lib.dumps({'method': 'some.method', 'id': 0}) request.json = json_lib.dumps({'method': 'some.method', 'id': 0})
self.assertRaises(JSONException, json._handle_request, request) self.assertRaises(JSONException, json._handle_request, request)
def test_on_json_request_invalid_content_type(self):
"""Test for exception with content type not application/json"""
json = JSON()
request = MagicMock()
request.getHeader.return_value = 'text/plain'
json_data = {'method': 'some.method', 'id': 0, 'params': []}
request.json = json_lib.dumps(json_data)
self.assertRaises(JSONException, json._on_json_request, request)
class JSONCustomUserTestCase(JSONBase): class JSONCustomUserTestCase(JSONBase):
@ -252,6 +262,7 @@ class JSONRequestFailedTestCase(JSONBase, WebServerMockBase):
request.write = write request.write = write
request.write_was_called = False request.write_was_called = False
request._disconnected = False request._disconnected = False
request.getHeader.return_value = 'application/json'
json_data = {'method': 'testclass.test', 'id': 0, 'params': []} json_data = {'method': 'testclass.test', 'id': 0, 'params': []}
request.json = json_lib.dumps(json_data) request.json = json_lib.dumps(json_data)
d = json._on_json_request(request) d = json._on_json_request(request)

View File

@ -187,6 +187,10 @@ class JSON(resource.Resource, component.Component):
Handler to take the json data as a string and pass it on to the Handler to take the json data as a string and pass it on to the
_handle_request method for further processing. _handle_request method for further processing.
""" """
if request.getHeader('content-type') != 'application/json':
message = 'Invalid JSON request content-type: %s' % request.getHeader('content-type')
raise JSONException(message)
log.debug('json-request: %s', request.json) log.debug('json-request: %s', request.json)
response = {'result': None, 'error': None, 'id': None} response = {'result': None, 'error': None, 'id': None}
response['id'], d, response['error'] = self._handle_request(request) response['id'], d, response['error'] = self._handle_request(request)