Add new decorator to prevent reflected text attacks

Instead of disabling repo names with periods in them, we simply disallow calls to the API when they are GET requests, whose path ends in a dot, and that do not have a referrer from the frontend.
2018-01-29 14:52:50 -05:00 · 2018-01-29 14:52:50 -05:00 · 188ea98441
commit 188ea98441
parent b342111edb
8 changed files with 82 additions and 12 deletions
--- a/endpoints/test/test_decorators.py
+++ b/endpoints/test/test_decorators.py
@ -0,0 +1,35 @@
+from data import model
+from endpoints.api import api
+from endpoints.api.repository import Repository
+from endpoints.test.shared import conduct_call
+from test.fixtures import *
+
+
+@pytest.mark.parametrize('user_agent, include_header, expected_code', [
+  ('curl/whatever', True, 200),
+  ('curl/whatever', False, 200),
+
+  ('Mozilla/whatever', True, 200),
+  ('Mozilla/5.0', True, 200),
+  ('Mozilla/5.0 (Windows NT 5.1; Win64; x64)', False, 400),
+])
+def test_require_xhr_from_browser(user_agent, include_header, expected_code, app, client):
+  # Create a public repo with a dot in its name.
+  user = model.user.get_user('devtable')
+  model.repository.create_repository('devtable', 'somerepo.bat', user, 'public')
+
+  # Retrieve the repository and ensure we either allow it through or fail, depending on the
+  # user agent and header.
+  params = {
+    'repository': 'devtable/somerepo.bat'
+  }
+
+  headers = {
+    'User-Agent': user_agent,
+  }
+
+  if include_header:
+    headers['X-Requested-With'] = 'XMLHttpRequest'
+
+  conduct_call(client, Repository, api.url_for, 'GET', params, headers=headers,
+               expected_code=expected_code)