
Validate that common data parameter values between URL dynamic route segments and POST data are equal #40

Open
arschles opened this issue Apr 18, 2016 · 5 comments

Comments

@arschles
Member

No description provided.

@arschles arschles added this to the v2.0-beta3 milestone Apr 18, 2016
@arschles
Member Author

I'm pushing this to beta4

@arschles arschles modified the milestones: v2.0-beta4, v2.0-beta3 Apr 25, 2016
@arschles
Member Author

arschles commented May 9, 2016

@jackfrancis can you write a short summary for the work represented in this issue? A few small examples would also be helpful. Punting to RC1 for now

@arschles arschles modified the milestones: v2.0-rc1, v2.0-beta4 May 9, 2016
@jackfrancis
Member

For example, this route+handler definition:

r.Handle("/{apiVersion}/versions/{component}/{train}/{version}", handlers.PublishVersion(db)).Methods("POST").
        Headers(handlers.ContentTypeHeaderKey, handlers.JSONContentType)

handlers.PublishVersion performs the following business logic:

func PublishVersion(db *gorm.DB) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        componentVersion := types.ComponentVersion{}
        err := json.NewDecoder(r.Body).Decode(&componentVersion)
        if err != nil {
            log.Printf("Error decoding POST body JSON data (%s)", err)
            return
        }
        //TODO: validate request body parameter values for "component", "train", and "version"
        // match the values passed in with the URL
        routeParams := mux.Vars(r)
        componentVersion.Component.Name = routeParams["component"]
        componentVersion.Version.Train = routeParams["train"]
        componentVersion.Version.Version = routeParams["version"]
<truncated>

Essentially, it "throws away" the component.name, version.train, and version.version property values passed in w/ the request body and replaces those with the values present in the route URL.

This ticket is to consider validating that the property values included in the HTTP POST body data match those in the route URL. I suppose the scope is still TBD, but it'll be one of these:

  • require that all 3 properties ("component", "train", "version") be present in the body data, and that they match their respective property values in the URL
  • make the 3 properties optional in the body data, but if any of them are present, ensure that they match their respective values in the URL

I prefer the 1st approach, as it's easier to implement and it enforces more sane input requirements, in my opinion (a JSON representation of a ComponentVersion doesn't really make sense without having a "component name", and a "train", and a "version" string).
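Implementing the first option above, as an added example that is not code from this issue or from the project: the route parameters are passed in as a plain map standing in for mux.Vars(r) so it runs without gorilla/mux, and the ComponentVersion type with its JSON field names is assumed rather than taken from the project's types package.

```go
package main
import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ComponentVersion mirrors what PublishVersion decodes; JSON field names are assumed.
type ComponentVersion struct {
	Component struct {
		Name string `json:"name"`
	} `json:"component"`
	Version struct {
		Train   string `json:"train"`
		Version string `json:"version"`
	} `json:"version"`
}

// ErrMismatch is returned when a body value is missing or disagrees with the URL.
var ErrMismatch = errors.New("request body does not match route")
// DecodeAndValidate implements the first option: all three properties must be present
// in the body and equal the route parameters (a plain map standing in for mux.Vars(r)).
func DecodeAndValidate(body io.Reader, routeParams map[string]string) (ComponentVersion, error) {
	var cv ComponentVersion
	if err := json.NewDecoder(body).Decode(&cv); err != nil {
		return cv, fmt.Errorf("decoding body: %w", err)
	}
	checks := []struct{ field, got, want string }{
		{"component.name", cv.Component.Name, routeParams["component"]},
		{"version.train", cv.Version.Train, routeParams["train"]},
		{"version.version", cv.Version.Version, routeParams["version"]},
	}
	for _, c := range checks {
		if c.got == "" {
			return cv, fmt.Errorf("%w: %s missing from body", ErrMismatch, c.field)
		}
		if c.got != c.want {
			return cv, fmt.Errorf("%w: %s is %q in body but %q in URL", ErrMismatch, c.field, c.got, c.want)
		}
	}
	return cv, nil
}

func main() {
	route := map[string]string{"component": "router", "train": "stable", "version": "2.0.0"} // constructed
	_, err := DecodeAndValidate(strings.NewReader(`{"component":{"name":"router"},"version":{"train":"beta","version":"2.0.0"}}`), route)
	fmt.Println(err) // constructed mismatch: the body's train differs from the URL's
}
```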

@arschles
Member Author

Requires #138 to be merged first. Bumping this from RC1 as it's not required for the release and can be pushed to production shortly thereafter.

@arschles arschles modified the milestones: v2.0, v2.0-rc1 May 23, 2016
@slack slack removed this from the v2.0 milestone Jun 3, 2016
@jackfrancis
Member

Post-Swaggergeddon we should validate that the above scenario is still correct. In any event, it's probably not high priority to sanity-enforce data items that are otherwise currently being thrown away.
