Validate node id for log handler

This change updates the log handler to validate that the node id being passed in is an integer. If it is not an integer, the response will be a 400. Change-Id: Ida7a18a7261bf7fa98518a059d1de42690382d79 Closes-Bug: #1585160 (cherry picked from commit 9791794754)
2016-06-06 20:43:03 -06:00 · 2016-06-06 20:43:03 -06:00 · dd670526ab
parent fb491402d9
commit dd670526ab
2 changed files with 15 additions and 1 deletions
--- a/nailgun/nailgun/api/v1/handlers/logs.py
+++ b/nailgun/nailgun/api/v1/handlers/logs.py
@ -311,7 +311,12 @@ class LogEntryCollectionHandler(BaseHandler):
        if log_config['remote'] and not log_config.get('fake'):
            if not user_data.get('node'):
                raise self.http(400, "'node' must be specified")
-            node = objects.Node.get_by_uid(user_data.get('node'))
+            try:
+                node_id = int(user_data.get('node'))
+            except ValueError:
+                logger.debug("Invalid 'node' value: %r", user_data.get('node'))
+                raise self.http(400, "Invalid 'node' value")
+            node = objects.Node.get_by_uid(node_id)
            if not node:
                raise self.http(404, "Node not found")
            if not node.ip:
--- a/nailgun/nailgun/test/unit/test_logs_handlers.py
+++ b/nailgun/nailgun/test/unit/test_logs_handlers.py
@ -554,3 +554,12 @@ class TestLogs(BaseIntegrationTest):

        params = mcast.call_args_list[0][0]
        self.assertEqual(params[1]['args']['settings'], custom_config)
+
+    def test_logs_handler_with_invalid_id(self):
+        resp = self.app.get(
+            reverse('LogEntryCollectionHandler'),
+            params={'id': 'abcd'},
+            headers=self.default_headers,
+            expect_errors=True
+        )
+        self.assertEqual(400, resp.status_code)