Guard against connecting to non-BacDive URLs

TIBHannover · Aug 11, 2019 · c83f089 · c83f089
1 parent 4ca7f5d
commit c83f089
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 2 deletions.
diff --git a/NEWS.md b/NEWS.md
@@ -9,6 +9,8 @@
 
 - A cleaner solution for bug #110 was implemented, which does not
   rely on supplying `user` and `password` arguments in `download()`.
+- `download()` now checks for valid BacDive URLs to prevent
+  exfiltration of credentials to a non-BacDive domain.
 
 ## BacDiveR 0.9.1
 

diff --git a/R/util-download.R b/R/util-download.R
@@ -10,6 +10,13 @@
 #' @import httr
 #' @importFrom jsonlite fromJSON
 download <- function(URL) {
+
+  # Check for valid BacDive URL
+  if (!grepl("^https:\\/\\/bacdive\\.dsmz\\.de\\/api\\/bacdive", URL) |
+    !grepl("?format=json$", URL)) {
+    stop("I refuse to connect to", URL, "because it's not a BacDive URL!")
+  }
+
   message(URLs_to_IDs(URL), " ", appendLF = FALSE)
   cred <- get_credentials()
 

diff --git a/tests/testthat/test-download.R b/tests/testthat/test-download.R
@@ -1,5 +1,6 @@
+random <- paste(sample(letters, 16), collapse = "")
+
 test_that("Downloading without preper credentials raises an error", {
-  random <- sample(letters, 8)
 
   # arrange
   r_env_file <- construct_Renviron_path()
@@ -14,8 +15,22 @@ test_that("Downloading without preper credentials raises an error", {
   }
 
   # act & assert
-  expect_error(download(construct_url(717)))
+  expect_error(download(construct_url(717)), regexp = "Check your credentials")
 
   # clean up
   file.copy(r_env_backup, r_env_file, overwrite = TRUE)
 })
+
+test_that("Downloader refuses unexpected URLs", {
+  error_regex <- "refus\\w{,3} to connect"
+
+  expect_error(
+    download(paste0("http://evil.", random, "-api.net/?format=json")),
+    error_regex
+  )
+
+  expect_error(
+    download(paste0("https://bacdiveZdsmz.de/api/bacdive/?format=json")),
+    error_regex
+  )
+})