From 6d61a59b131ee6c277a6aa04702ba4da480790dc Mon Sep 17 00:00:00 2001
From: mprahl
Date: Fri, 15 Mar 2019 15:38:30 -0400
Subject: [PATCH] Clean up the valid API parameters

The MBS submission API endpoint should not accept every parameter that is also a column on the ModuleBuild table. There are two reasons for this. The first is that a user should be notified if the supplied parameter is invalid, whereas it could get silently ignored. The second reason is that a nefarious user could pass in specially crafted API parameters causing MBS to do something unexpected or undesired.
---
 module_build_service/views.py | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/module_build_service/views.py b/module_build_service/views.py
index 8b022150..e027e78f 100644
--- a/module_build_service/views.py
+++ b/module_build_service/views.py
@@ -314,6 +314,19 @@ class ImportModuleAPI(MethodView):
 
 
 class BaseHandler(object):
+    valid_params = set([
+        'branch',
+        'buildrequire_overrides',
+        'modulemd',
+        'module_name',
+        'owner',
+        'rebuild_strategy',
+        'require_overrides',
+        'scmurl',
+        'scratch',
+        'srpms'
+    ])
+
     def __init__(self, request, data=None):
         self.username, self.groups = module_build_service.auth.get_user(request)
         self.data = data or _dict_from_request(request)
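Review bot: `valid_params` is a mutable `set` stored on the class, so it is one object shared by every `BaseHandler` instance (and any subclass that inherits it); a stray `self.valid_params.add(...)` or `.discard(...)` anywhere would widen or narrow the request allowlist process-wide rather than per request. Since the list is a fixed allowlist, `valid_params = frozenset([` makes that intent explicit and turns accidental mutation into an error. Separately, `'owner'` is now an accepted request key, so a submitter can supply it; the code that consumes `self.data['owner']` is outside this hunk, and given the commit's stated goal it is worth confirming that it restricts who may set the owner rather than trusting the request value. The body of `BaseHandler` continues past the end of the hunk.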
@@ -361,18 +374,7 @@ class BaseHandler(object):
         raise ValidationError(invalid_override_msg)
 
     def validate_optional_params(self):
-        module_build_columns = set([col.key for col in models.ModuleBuild.__table__.columns])
-        other_params = set([
-            'branch',
-            'buildrequire_overrides',
-            'modulemd',
-            'module_name',
-            'rebuild_strategy',
-            'require_overrides',
-        ])
-        valid_params = other_params | module_build_columns
-
-        forbidden_params = [k for k in self.data if k not in valid_params]
+        forbidden_params = [k for k in self.data if k not in self.valid_params]
         if forbidden_params:
             raise ValidationError('The request contains unspecified parameters: {}'
                                   .format(", ".join(forbidden_params)))
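Review bot: The check now compares against a single class-level `valid_params` on `BaseHandler`, so every handler that inherits it accepts the union of all submission parameters (`scmurl` alongside `scratch` and `srpms`, for example); a key that is meaningful to only one submission type is accepted by the others and, if they do not consume it, silently ignored, which is the first of the two problems the commit message sets out to fix. If `BaseHandler` has per-type subclasses (none are visible in this hunk), each can narrow the allowlist by overriding `valid_params` with only the keys it actually reads. The method also has no docstring; `"""Raise ValidationError if self.data contains any key not in ``valid_params``."""` under the `def` line would state the contract the error message implies. The rest of `BaseHandler` lies outside the hunk.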