
Anonymous committed 8936a4b

Make sure the user supplies only a supported deployment
connection type (sftp at this point). This avoids potential issues with
malicious users attempting to use a file:// URL.


Files changed (3)

backend/python/bespin/controllers.py

     deploy_options = dict(remote_host = data.get("remoteHost"),
         remote_directory = data.get("remoteDirectory"),
         type = data.get("connType"))
-    pdo = deploy.ProjectDeploymentOptions(project, **deploy_options)
-    pdo.save()
+    
+    try:
+        pdo = deploy.ProjectDeploymentOptions(project, **deploy_options)
+        pdo.save()
+    except deploy.InvalidConfiguration, e:
+        raise BadRequest(e.message)
     
     keychain = deploy.DeploymentKeyChain(user, data['kcpass'])
     if data['authType'] == "ssh":
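Review bot: `raise BadRequest(e.message)` reads `BaseException.message`, which is deprecated from Python 2.6 on; `raise BadRequest(str(e))` returns the same text without the warning. The `try` also covers `pdo.save()`, while in the visible code only the constructor raises `InvalidConfiguration`, so keeping just the constructor call inside it makes clear which step rejects the request. `remoteHost` and `remoteDirectory` still go from the request into the options unchecked here; whether they need their own validation depends on code outside this section. The handler starts and ends outside the hunk.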

backend/python/bespin/deploy.py

 class ProjectDeploymentOptions(object):
     """Manages the deployment options for a project."""
     
+    supported_types = set(['sftp'])
+    
     @classmethod
     def get(cls, project):
         """Retrieve the deployment options for this project.
         return cls(project, **kw)
     
     def __init__(self, project, remote_host, remote_directory, type):
+        if type not in self.supported_types:
+            raise InvalidConfiguration("Type must be one of %s" %
+                (",".join(self.supported_types)))
         self.project = project
         self.remote_host = remote_host
         self.remote_directory = remote_directory
 class NotConfigured(Exception):
     pass
 
+class InvalidConfiguration(Exception):
+    pass
+
 class OmniSyncExit(Exception):
     def __init__(self, return_code):
         super(OmniSyncExit, self).__init__()
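Review bot: The membership test in `__init__` raises `TypeError` rather than `InvalidConfiguration` when `type` is unhashable, which can happen if `connType` arrives as a JSON list or object (the controller passes `data.get("connType")` straight through). That still fails closed, but presumably as a server error instead of the intended 400; `if not isinstance(type, basestring) or type not in self.supported_types:` keeps the rejection on one path. Because `get` builds the object through `cls(project, **kw)`, options stored before this change with another type would now raise on load, so callers of `get` may need to handle `InvalidConfiguration`; this is worth confirming, since most of `get` is outside the section. `supported_types` would be safer as a `frozenset`, and `sorted(...)` in the join keeps the message stable once a second type is added.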

backend/python/bespin/tests/test_deploy.py

     assert data['error'] == "Deployment is not yet configured."
     assert data['notConfigured'] == True
     
+def test_deployment_setup_with_illegal_parameters():
+    _init_data()
+    bigmac = get_project(macgyver, macgyver, "bigmac", create=True)
+    resp = app.put("/project/deploy/bigmac/setup", dumps(dict(
+        remoteHost="macgyver.com",
+        remoteDirectory="/home/macgyver/knownunknowns",
+        connType="file",
+        kcpass="sekretkeychain",
+        authType="ssh",
+        username="macman")), status=400)
+    
+    
 @patch("bespin.deploy._launch_sync")
 def test_deployment_runs(launch_sync):
     _init_data()
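Review bot: `test_deployment_setup_with_illegal_parameters` checks only the 400 status, and `resp` is never used. It would pin the behaviour better to also assert that nothing was stored for `bigmac` and that the error text comes from the type check, for example `assert "Type must be one of" in resp.body` (assuming `app` is a WebTest-style client). A second case with `connType` omitted would cover the `None` path through `data.get("connType")`. The two added blank lines after the test carry trailing whitespace.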