zydronium/neocities
1
0
Fork 0
mirror of https://github.com/neocities/neocities.git synced 2025-07-03 09:33:25 +02:00
Code Issues Projects Releases Packages Wiki Activity

catch for overly nested params with upload hash

Browse source
This commit is contained in:
Kyle Drake 2025-06-13 14:42:45 -05:00
parent 343e85a3bc
commit c8ff812643
2 changed files with 25 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

7
app/api.rb
View file

@ -9,6 +9,13 @@ post '/api/upload_hash' do
require_api_credentials require_api_credentials
res = {} res = {}
files = [] files = []
params.each do |path, sha1_hash|
unless sha1_hash.is_a?(String)
api_error 400, 'nested_parameters_not_allowed', 'nested parameters are not allowed; each path must directly map to a SHA-1 hash string'
end
end
params.each do |k,v| params.each do |k,v|
res[k] = current_site.sha1_hash_match? k, v res[k] = current_site.sha1_hash_match? k, v
end end

18
tests/api_tests.rb
View file

@ -241,6 +241,24 @@ describe 'api' do
_(res[:files][:'test.jpg']).must_equal true _(res[:files][:'test.jpg']).must_equal true
_(res[:files][:'test2.jpg']).must_equal false _(res[:files][:'test2.jpg']).must_equal false
end end
it 'rejects nested parameter structures' do
create_site
basic_authorize @user, @pass
post '/api/upload_hash', {
"one/two" => {
"three" => {
".jpg" => "196b99a0ab80d1fc2e7caf49d98e8dd76db25c72"
}
}
}
_(last_response.status).must_equal 400
_(res[:result]).must_equal 'error'
_(res[:error_type]).must_equal 'nested_parameters_not_allowed'
_(res[:message]).must_equal 'nested parameters are not allowed; each path must directly map to a SHA-1 hash string'
end
end end
describe 'rename' do describe 'rename' do