Add new decorator to prevent reflected text attacks
Instead of disabling repo names with periods in them, we simply disallow calls to the API when they are GET requests, whose path ends in a dot, and that do not have a referrer from the frontend.
This commit is contained in:
Joseph Schorr
parent
b342111edb
commit
188ea98441
8 changed files with 82 additions and 12 deletions
|
|
@ -786,14 +786,11 @@ class V2RegistryLoginMixin(object):
|
|||
|
||||
class RegistryTestsMixin(object):
|
||||
def test_previously_bad_repo_name(self):
|
||||
bad_names = ['logs', 'build', 'tokens', 'foo.bar', 'foo-bar', 'foo_bar']
|
||||
# Push a new repository with two layers.
|
||||
self.do_push('public', 'foo.bar', 'public', 'password')
|
||||
|
||||
for name in bad_names:
|
||||
# Push a new repository with two layers.
|
||||
self.do_push('public', name, 'public', 'password')
|
||||
|
||||
# Pull the repository to verify.
|
||||
self.do_pull('public', name, 'public', 'password')
|
||||
# Pull the repository to verify.
|
||||
self.do_pull('public', 'foo.bar', 'public', 'password')
|
||||
|
||||
def test_application_repo(self):
|
||||
# Create an application repository via the API.
|
||||
|
|
|
|||
Reference in a new issue