
Commit 3ae0ba0

upload: don't ignore BindJSON errors
1 parent 63ef111 commit 3ae0ba0


2 files changed

+34
-2
lines changed


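--- a/conn.go
+++ b/conn.go
@@ -80,9 +80,11 @@ type Upload struct {
 var uploadStatusStr = "ProgrammerStatus"
 
 func uploadHandler(c *gin.Context) {
-
 data := new(Upload)
-c.BindJSON(data)
+if err := c.BindJSON(data); err != nil {
+c.String(http.StatusBadRequest, fmt.Sprintf("err with the payload. %v", err.Error()))
+return
+}
 
 log.Printf("%+v %+v %+v %+v %+v %+v", data.Port, data.Board, data.Rewrite, data.Commandline, data.Extra, data.Filename)
 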
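Review bot: The new error branch in uploadHandler still binds with `c.BindJSON`, which in gin already aborts the request and writes a 400 status before it returns the error, so the `c.String` that follows runs after the headers have gone out and the Content-Type it sets may not be applied. Binding with `if err := c.ShouldBindJSON(data); err != nil {` leaves the whole response to the handler. `c.String` takes a format and arguments itself, so `c.String(http.StatusBadRequest, "err with the payload. %v", err)` makes the extra `fmt.Sprintf` unnecessary. The decoder's error text is returned to the caller verbatim, which looks acceptable for a plain-text 400 but is worth confirming against whatever displays that response. uploadHandler's body continues outside the hunk.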

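--- a/main_test.go
+++ b/main_test.go
@@ -18,6 +18,7 @@ package main
 import (
 "bytes"
 "crypto/x509"
+"encoding/base64"
 "encoding/json"
 "encoding/pem"
 "fmt"
@@ -56,6 +57,11 @@ func TestUploadHandlerAgainstEvilFileNames(t *testing.T) {
 r.POST("/", uploadHandler)
 ts := httptest.NewServer(r)
 
+fmt.Println(base64.StdEncoding.EncodeToString([]byte("test")))
+
+//Padding: dGVzdA==
+//Raw: dGVzdA
+
 uploadEvilFileName := Upload{
 Port: "/dev/ttyACM0",
 Board: "arduino:avr:uno",
@@ -87,6 +93,30 @@ func TestUploadHandlerAgainstEvilFileNames(t *testing.T) {
 }
 }
 
+func TestUploadHandlerAgainstBase64WithoutPaddingMustFail(t *testing.T) {
+r := gin.New()
+r.POST("/", uploadHandler)
+ts := httptest.NewServer(r)
+defer ts.Close()
+
+// When calling the `BindJSON` func, when a json field will be Unmarshaled
+// in a []byte type, we expect to receive a base64 padded string in input.
+// In case we receive a base64 unpadded string BindJSON fails.
+// The expectation here is that the upload handler won't continue with the
+// upload operation.
+base64ContentWithoutPadding := base64.RawStdEncoding.EncodeToString([]byte("test"))
+payload := fmt.Sprintf(`{"hex": "%s"}`, base64ContentWithoutPadding)
+
+resp, err := http.Post(ts.URL, "encoding/json", bytes.NewBufferString(payload))
+require.NoError(t, err)
+require.Equal(t, http.StatusBadRequest, resp.StatusCode)
+
+defer resp.Body.Close()
+body, err := io.ReadAll(resp.Body)
+require.NoError(t, err)
+require.Contains(t, string(body), "err with the payload. illegal base64 data at input")
+}
+
 func TestInstallToolV2(t *testing.T) {
 
 indexURL := "https://downloads.arduino.cc/packages/package_index.json"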
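Review bot: In TestUploadHandlerAgainstBase64WithoutPaddingMustFail, `defer resp.Body.Close()` is registered only after `require.Equal(t, http.StatusBadRequest, resp.StatusCode)`, so a failing status assertion stops the test before the body is ever scheduled for closing; the defer belongs directly after the first `require.NoError(t, err)`. The request is posted with `"encoding/json"`, which is not a registered media type; `"application/json"` matches what a real client sends, and the test presumably passes only because the binding does not inspect the header. The `fmt.Println(base64.StdEncoding.EncodeToString([]byte("test")))` line and the `//Padding` / `//Raw` comments added to TestUploadHandlerAgainstEvilFileNames look like leftover debugging and should be dropped from that unrelated test.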
