catch for overly nested params with upload hash

2025-07-03 09:33:25 +02:00 · 2025-06-13 14:42:45 -05:00 · 2025-06-13 14:42:45 -05:00 · c8ff812643
commit c8ff812643
parent 343e85a3bc
2 changed files with 25 additions and 0 deletions
--- a/app/api.rb
+++ b/app/api.rb
@ -9,6 +9,13 @@ post '/api/upload_hash' do
  require_api_credentials
  res = {}
  files = []
+
+  params.each do |path, sha1_hash|
+    unless sha1_hash.is_a?(String)
+      api_error 400, 'nested_parameters_not_allowed', 'nested parameters are not allowed; each path must directly map to a SHA-1 hash string'
+    end
+  end
+
  params.each do |k,v|
    res[k] = current_site.sha1_hash_match? k, v
  end
--- a/tests/api_tests.rb
+++ b/tests/api_tests.rb
@ -241,6 +241,24 @@ describe 'api' do
      _(res[:files][:'test.jpg']).must_equal true
      _(res[:files][:'test2.jpg']).must_equal false
    end
+
+    it 'rejects nested parameter structures' do
+      create_site
+      basic_authorize @user, @pass
+
+      post '/api/upload_hash', {
+        "one/two" => {
+          "three" => {
+            ".jpg" => "196b99a0ab80d1fc2e7caf49d98e8dd76db25c72"
+          }
+        }
+      }
+
+      _(last_response.status).must_equal 400
+      _(res[:result]).must_equal 'error'
+      _(res[:error_type]).must_equal 'nested_parameters_not_allowed'
+      _(res[:message]).must_equal 'nested parameters are not allowed; each path must directly map to a SHA-1 hash string'
+    end
  end

  describe 'rename' do