upload: don't ignore BindJSON errors
alessio-perugini committed Oct 24, 2024
1 parent 63ef111 commit 3ae0ba0
Showing 2 changed files with 34 additions and 2 deletions.
6 changes: 4 additions & 2 deletions conn.go
Expand Up @@ -80,9 +80,11 @@ type Upload struct {
var uploadStatusStr = "ProgrammerStatus"

func uploadHandler(c *gin.Context) {

data := new(Upload)
c.BindJSON(data)
if err := c.BindJSON(data); err != nil {
c.String(http.StatusBadRequest, fmt.Sprintf("err with the payload. %v", err.Error()))
return
}

log.Printf("%+v %+v %+v %+v %+v %+v", data.Port, data.Board, data.Rewrite, data.Commandline, data.Extra, data.Filename)

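Review bot: The new error branch in uploadHandler still calls `c.BindJSON`, which in gin already aborts the request with a 400 and commits the header on a bind failure, so the `c.String(http.StatusBadRequest, ...)` that follows sets its status and content type after the response has started. Since the handler now writes its own reply, `if err := c.ShouldBindJSON(data); err != nil {` is the variant meant for this: it returns the error and leaves the response to the caller. `c.String` also takes a format and arguments, so the `fmt.Sprintf` wrapper can go: `c.String(http.StatusBadRequest, "err with the payload. %v", err)`. The reply repeats the decoder's error text to the client, which looks harmless for base64 and syntax errors but is worth keeping in mind if the payload gains stricter validation. The rest of uploadHandler lies outside the hunk.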
30 changes: 30 additions & 0 deletions main_test.go
Expand Up @@ -18,6 +18,7 @@ package main
import (
"bytes"
"crypto/x509"
"encoding/base64"
"encoding/json"
"encoding/pem"
"fmt"
Expand Down Expand Up @@ -56,6 +57,11 @@ func TestUploadHandlerAgainstEvilFileNames(t *testing.T) {
r.POST("/", uploadHandler)
ts := httptest.NewServer(r)

fmt.Println(base64.StdEncoding.EncodeToString([]byte("test")))

//Padding: dGVzdA==
//Raw: dGVzdA

uploadEvilFileName := Upload{
Port: "/dev/ttyACM0",
Board: "arduino:avr:uno",
Expand Down Expand Up @@ -87,6 +93,30 @@ func TestUploadHandlerAgainstEvilFileNames(t *testing.T) {
}
}

func TestUploadHandlerAgainstBase64WithoutPaddingMustFail(t *testing.T) {
r := gin.New()
r.POST("/", uploadHandler)
ts := httptest.NewServer(r)
defer ts.Close()

// When calling the `BindJSON` func, when a json field will be Unmarshaled
// in a []byte type, we expect to receive a base64 padded string in input.
// In case we receive a base64 unpadded string BindJSON fails.
// The expectation here is that the upload handler won't continue with the
// upload operation.
base64ContentWithoutPadding := base64.RawStdEncoding.EncodeToString([]byte("test"))
payload := fmt.Sprintf(`{"hex": "%s"}`, base64ContentWithoutPadding)

resp, err := http.Post(ts.URL, "encoding/json", bytes.NewBufferString(payload))
require.NoError(t, err)
require.Equal(t, http.StatusBadRequest, resp.StatusCode)

defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
require.NoError(t, err)
require.Contains(t, string(body), "err with the payload. illegal base64 data at input")
}

func TestInstallToolV2(t *testing.T) {

indexURL := "https://downloads.arduino.cc/packages/package_index.json"
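Review bot: In TestUploadHandlerAgainstBase64WithoutPaddingMustFail the request is posted with the content type `"encoding/json"`, which is the Go package name rather than a media type; `http.Post(ts.URL, "application/json", bytes.NewBufferString(payload))` is presumably what was meant, and the test seems to pass only because the handler does not look at that header. `defer resp.Body.Close()` should move up to directly after the first `require.NoError(t, err)`, because a failing status assertion stops the test before the defer is registered. The test asserts only the 400 reply and its text; the comment's expectation that the upload does not continue is not checked by anything visible here. In the earlier hunk, the `fmt.Println(base64.StdEncoding.EncodeToString([]byte("test")))` line and the `//Padding` / `//Raw` comments added to TestUploadHandlerAgainstEvilFileNames read like leftover debugging and could be dropped.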
