From dd804816ba086829be2e6c4ad5bba1209bac5c4b Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Mon, 5 Oct 2015 17:11:49 -0400
Subject: [PATCH] Prevent unlimited insane query from running and fix tests

Fixes #591
---
 endpoints/api/repository.py | 6 ++++++
 endpoints/v1/index.py | 3 ++-
 test/test_api_security.py | 8 ++++----
 test/test_api_usage.py | 6 +++---
 4 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/endpoints/api/repository.py b/endpoints/api/repository.py
index edaef14a0..131f1c02b 100644
--- a/endpoints/api/repository.py
+++ b/endpoints/api/repository.py
@@ -146,6 +146,10 @@ class RepositoryList(ApiResource):
     starred_repos = model.repository.get_user_starred_repositories(get_authenticated_user())
     star_lookup = set([repo.id for repo in starred_repos])
 
+    # If the user asked for only public repositories, limit to only public repos.
+    if public and (not namespace and not starred):
+      username = None
+
     # Find the matching repositories.
     repositories = model.repository.get_visible_repositories(username=username,
                                                              limit=limit,
@@ -177,6 +181,8 @@ class RepositoryList(ApiResource):
   def get(self, args):
     """ Fetch the list of repositories visible to the current user under a variety of situations. """
+    if not args['namespace'] and not args['starred'] and not args['public']:
+      raise InvalidRequest('namespace, starred or public are required for this API call')
     repositories, star_lookup = self._load_repositories(args['namespace'], args['public'],
                                                         args['starred'], args['limit'],
diff --git a/endpoints/v1/index.py b/endpoints/v1/index.py
index 9613fa892..96e119444 100644
--- a/endpoints/v1/index.py
+++ b/endpoints/v1/index.py
@@ -329,7 +329,8 @@ def get_search():
     username = user.username
 
   results = []
-  conduct_repo_search(username, query, results)
+  if query:
+    conduct_repo_search(username, query, results)
 
   data = {
     "query": query,
diff --git a/test/test_api_security.py b/test/test_api_security.py
index 4e2ee14ca..1e63b0724 100644
--- a/test/test_api_security.py
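Review bot: The new `public` branch in `_load_repositories` drops `username` only when neither `namespace` nor `starred` is set, so a request combining `public=True` with `namespace` or `starred` still queries as the authenticated user and, as far as the visible lines show, can return private repositories despite the flag; if that is intended, the parameter documentation should state that `public` is honoured only on its own. The comment reads as a filter, but the code achieves it indirectly by making the lookup anonymous — presumably `get_visible_repositories(username=None, ...)` yields only public repositories — which is worth saying explicitly: `# Query as an anonymous viewer so that only public repositories match.` The parentheses in `public and (not namespace and not starred)` are redundant; `public and not namespace and not starred` reads the same. `_load_repositories` starts and ends outside the hunk.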
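Review bot: The docstring of `get` does not mention the new precondition, so API consumers learn of it only from the runtime 400; add a line such as `At least one of namespace, starred or public must be supplied, otherwise InvalidRequest is raised.` The guard removes the unfiltered listing, but `public` on its own still lists every public repository, so the unbounded-query concern this commit addresses now rests on the `limit` query parameter having a maximum in its declaration above `get`, which is outside the hunk and worth confirming. Since `_load_repositories` also relies on at least one filter being present, a short comment there pointing at this check would keep the two methods in step. `get`'s body continues past the hunk.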
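Review bot: The guard `if query:` on the new side skips the search only when `query` is falsy, so a whitespace-only value still reaches `conduct_repo_search` and runs the full search the commit is trying to avoid; if `query` is a plain string here, `if query and query.strip():` closes that gap. Where `query` is read from and whether `conduct_repo_search` bounds its own result set are both outside the hunk, so this is a hedged reading. `get_search` starts before the hunk and its response construction continues after it.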
+++ b/test/test_api_security.py
@@ -378,16 +378,16 @@ class TestRepositoryList(ApiTestCase):
     self._set_url(RepositoryList)
 
   def test_get_anonymous(self):
-    self._run_test('GET', 200, None, None)
+    self._run_test('GET', 400, None, None)
 
   def test_get_freshuser(self):
-    self._run_test('GET', 200, 'freshuser', None)
+    self._run_test('GET', 400, 'freshuser', None)
 
   def test_get_reader(self):
-    self._run_test('GET', 200, 'reader', None)
+    self._run_test('GET', 400, 'reader', None)
 
   def test_get_devtable(self):
-    self._run_test('GET', 200, 'devtable', None)
+    self._run_test('GET', 400, 'devtable', None)
 
   def test_post_anonymous(self):
     self._run_test('POST', 400, None, {u'visibility': u'public', u'repository': 'XZGB',
diff --git a/test/test_api_usage.py b/test/test_api_usage.py
index 578540b45..303bee431 100644
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@@ -1331,14 +1331,14 @@ class TestListRepos(ApiTestCase):
     self.assertEquals(len(json['repositories']), 1)
 
-  def test_listrepos_orgmember(self):
+  def test_listrepos_asorgmember(self):
     self.login(READ_ACCESS_USER)
 
     # Queries: Base + the list query
     with assert_query_count(BASE_LOGGEDIN_QUERY_COUNT + 1):
       json = self.getJsonResponse(RepositoryList, params=dict(public=True))
 
-    self.assertGreater(len(json['repositories']), 1)
+    self.assertGreater(len(json['repositories']), 0)
 
   def test_listrepos_filter(self):
     self.login(READ_ACCESS_USER)
@@ -1353,7 +1353,7 @@ class TestListRepos(ApiTestCase):
   def test_listrepos_limit(self):
     self.login(READ_ACCESS_USER)
 
-    json = self.getJsonResponse(RepositoryList, params=dict(limit=1))
+    json = self.getJsonResponse(RepositoryList, params=dict(limit=1, public=True))
     self.assertEquals(len(json['repositories']), 1)
 
   def test_listrepos_allparams(self):