swarm/api: Fix #18007, missing signature should return HTTP 400 (#18008)

6 years ago · 36ca85fa1c
parent b35165555d
commit 36ca85fa1c
2 changed files with 38 additions and 6 deletions
--- a/swarm/api/http/server.go
+++ b/swarm/api/http/server.go
@ -484,7 +484,8 @@ func (s *Server) HandlePostFeed(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if updateRequest.IsUpdate() {
+	switch {
+	case updateRequest.IsUpdate():
 		// Verify that the signature is intact and that the signer is authorized
 		// to update this feed
 		// Check this early, to avoid creating a feed and then not being able to set its first update.
@ -497,9 +498,8 @@ func (s *Server) HandlePostFeed(w http.ResponseWriter, r *http.Request) {
 			respondError(w, r, err.Error(), http.StatusInternalServerError)
 			return
 		}
-	}
-
-	if query.Get("manifest") == "1" {
+		fallthrough
+	case query.Get("manifest") == "1":
 		// we create a manifest so we can retrieve feed updates with bzz:// later
 		// this manifest has a special "feed type" manifest, and saves the
 		// feed identification used to retrieve feed updates later
@ -519,6 +519,8 @@ func (s *Server) HandlePostFeed(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprint(w, string(outdata))

 		w.Header().Add("Content-type", "application/json")
+	default:
+		respondError(w, r, "Missing signature in feed update request", http.StatusBadRequest)
 	}
 }

--- a/swarm/api/http/server_test.go
+++ b/swarm/api/http/server_test.go
@ -333,15 +333,45 @@ func TestBzzFeed(t *testing.T) {
 	}
 	urlQuery = testUrl.Query()
 	body = updateRequest.AppendValues(urlQuery) // this adds all query parameters
+	goodQueryParameters := urlQuery.Encode()    // save the query parameters for a second attempt
+
+	// create bad query parameters in which the signature is missing
+	urlQuery.Del("signature")
 	testUrl.RawQuery = urlQuery.Encode()

+	// 1st attempt with bad query parameters in which the signature is missing
 	resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body))
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		t.Fatalf("Update returned %s", resp.Status)
+	expectedCode := http.StatusBadRequest
+	if resp.StatusCode != expectedCode {
+		t.Fatalf("Update returned %s. Expected %d", resp.Status, expectedCode)
+	}
+
+	// 2nd attempt with bad query parameters in which the signature is of incorrect length
+	urlQuery.Set("signature", "0xabcd") // should be 130 hex chars
+	resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body))
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer resp.Body.Close()
+	expectedCode = http.StatusBadRequest
+	if resp.StatusCode != expectedCode {
+		t.Fatalf("Update returned %s. Expected %d", resp.Status, expectedCode)
+	}
+
+	// 3rd attempt, with good query parameters:
+	testUrl.RawQuery = goodQueryParameters
+	resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body))
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer resp.Body.Close()
+	expectedCode = http.StatusOK
+	if resp.StatusCode != expectedCode {
+		t.Fatalf("Update returned %s. Expected %d", resp.Status, expectedCode)
 	}

 	// get latest update through bzz-feed directly