vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge pull request #3033 from coreos-inc/limit-json

Browse source 
Limit the size of then payload for creating robot accounts
This commit is contained in:
josephschorr 2018-03-22 14:08:03 -04:00 committed by GitHub
commit 3da8dda19e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
endpoints/api/__init__.py
View file

@ -321,6 +321,18 @@ def require_scope(scope_object):
return wrapper
def max_json_size(max_size):
def wrapper(func):
@wraps(func)
def wrapped(self, *args, **kwargs):
if request.is_json and len(request.get_data()) > max_size:
raise InvalidRequest()
return func(self, *args, **kwargs)
return wrapped
return wrapper
def validate_json_request(schema_name, optional=False):
def wrapper(func):
@add_method_metadata('request_schema', schema_name)

6
endpoints/api/robot.py
View file

@ -2,7 +2,7 @@
from endpoints.api import (resource, nickname, ApiResource, log_action, related_user_resource,
require_user_admin, require_scope, path_param, parse_args,
truthy_bool, query_param, validate_json_request)
truthy_bool, query_param, validate_json_request, max_json_size)
from endpoints.api.robot_models_pre_oci import pre_oci_model as model
from endpoints.exception import Unauthorized
from auth.permissions import AdministerOrganizationPermission, OrganizationMemberPermission
@ -28,6 +28,8 @@ CREATE_ROBOT_SCHEMA = {
},
}
ROBOT_MAX_SIZE = 1024 * 1024 # 1 KB.
def robots_list(prefix, include_permissions=False):
robots = model.list_entity_robot_permission_teams(prefix, include_permissions=include_permissions)
@ -69,6 +71,7 @@ class UserRobot(ApiResource):
@require_user_admin
@nickname('createUserRobot')
@max_json_size(ROBOT_MAX_SIZE)
@validate_json_request('CreateRobot', optional=True)
def put(self, robot_shortname):
""" Create a new user robot with the specified name. """
@ -138,6 +141,7 @@ class OrgRobot(ApiResource):
@require_scope(scopes.ORG_ADMIN)
@nickname('createOrgRobot')
@max_json_size(ROBOT_MAX_SIZE)
@validate_json_request('CreateRobot', optional=True)
def put(self, orgname, robot_shortname):
""" Create a new robot in the organization. """