Commit 362a3f7a authored by Vincent Pelletier's avatar Vincent Pelletier

wsgi: Catch JSON payload decoding errors.

parent d1fbca1f
...@@ -42,3 +42,7 @@ class CertificateVerificationError(CertificateAuthorityException): ...@@ -42,3 +42,7 @@ class CertificateVerificationError(CertificateAuthorityException):
class NotACertificateSigningRequest(CertificateAuthorityException): class NotACertificateSigningRequest(CertificateAuthorityException):
"""Provided value is not a certificate signing request""" """Provided value is not a certificate signing request"""
pass pass
class NotJSON(CertificateAuthorityException):
"""Provided value does not decode properly as JSON"""
pass
...@@ -1175,6 +1175,7 @@ class CaucaseTest(unittest.TestCase): ...@@ -1175,6 +1175,7 @@ class CaucaseTest(unittest.TestCase):
""" """
Mock CAU. Mock CAU.
""" """
digest_list = ['sha256']
def getCACertificateList(self): def getCACertificateList(self):
""" """
Return cau ca list. Return cau ca list.
...@@ -1319,6 +1320,12 @@ class CaucaseTest(unittest.TestCase): ...@@ -1319,6 +1320,12 @@ class CaucaseTest(unittest.TestCase):
'CONTENT_TYPE': 'application/json', 'CONTENT_TYPE': 'application/json',
'wsgi.input': StringIO('{"digest": null}'), 'wsgi.input': StringIO('{"digest": null}'),
})[0], UNAUTHORISED_STATUS) })[0], UNAUTHORISED_STATUS)
self.assertEqual(request({
'PATH_INFO': '/cau/crt/revoke',
'REQUEST_METHOD': 'PUT',
'CONTENT_TYPE': 'application/json',
'wsgi.input': StringIO('{"digest":"sha256","payload":""}'),
})[0], 400)
self.assertEqual(request({ self.assertEqual(request({
'PATH_INFO': '/cau/crt/revoke', 'PATH_INFO': '/cau/crt/revoke',
'REQUEST_METHOD': 'PUT', 'REQUEST_METHOD': 'PUT',
......
...@@ -33,7 +33,10 @@ from cryptography.hazmat.primitives.asymmetric import rsa ...@@ -33,7 +33,10 @@ from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.asymmetric import padding from cryptography.hazmat.primitives.asymmetric import padding
import cryptography.exceptions import cryptography.exceptions
import pem import pem
from .exceptions import CertificateVerificationError from .exceptions import (
CertificateVerificationError,
NotJSON,
)
DEFAULT_DIGEST_LIST = ('sha256', 'sha384', 'sha512') DEFAULT_DIGEST_LIST = ('sha256', 'sha384', 'sha512')
DEFAULT_DIGEST = DEFAULT_DIGEST_LIST[0] DEFAULT_DIGEST = DEFAULT_DIGEST_LIST[0]
...@@ -262,7 +265,10 @@ def unwrap(wrapped, getCertificate, digest_list): ...@@ -262,7 +265,10 @@ def unwrap(wrapped, getCertificate, digest_list):
'%r is not in allowed digest list', '%r is not in allowed digest list',
) )
hash_class = getattr(hashes, digest.upper()) hash_class = getattr(hashes, digest.upper())
try:
payload = json.loads(wrapped['payload']) payload = json.loads(wrapped['payload'])
except ValueError:
raise NotJSON
x509.load_pem_x509_certificate( x509.load_pem_x509_certificate(
getCertificate(payload).encode('ascii'), getCertificate(payload).encode('ascii'),
_cryptography_backend, _cryptography_backend,
...@@ -283,7 +289,10 @@ def nullUnwrap(wrapped): ...@@ -283,7 +289,10 @@ def nullUnwrap(wrapped):
an authenticated user (and hence over a secure channel, HTTPS). an authenticated user (and hence over a secure channel, HTTPS).
""" """
assert wrapped['digest'] is None assert wrapped['digest'] is None
try:
return json.loads(wrapped['payload']) return json.loads(wrapped['payload'])
except ValueError:
raise NotJSON
def load_ca_certificate(data): def load_ca_certificate(data):
""" """
......
...@@ -169,6 +169,8 @@ class Application(object): ...@@ -169,6 +169,8 @@ class Application(object):
raise Conflict raise Conflict
except exceptions.NoStorage: except exceptions.NoStorage:
raise InsufficientStorage raise InsufficientStorage
except exceptions.NotJSON:
raise BadRequest('Invalid json payload')
except exceptions.CertificateAuthorityException, e: except exceptions.CertificateAuthorityException, e:
raise BadRequest(str(e)) raise BadRequest(str(e))
except Exception: except Exception:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment