Merge pull request #598 from coreos-inc/limitbadquery

Prevent unlimited insane query from running and fix tests
2015-10-05 21:29:35 -04:00 · 2015-10-05 21:29:35 -04:00 · 3e7a95407b
commit 3e7a95407b
parent c6da322ec1 dd804816ba
4 changed files with 15 additions and 8 deletions
--- a/endpoints/api/repository.py
+++ b/endpoints/api/repository.py
@ -146,6 +146,10 @@ class RepositoryList(ApiResource):
      starred_repos = model.repository.get_user_starred_repositories(get_authenticated_user())
      star_lookup = set([repo.id for repo in starred_repos])

+    # If the user asked for only public repositories, limit to only public repos.
+    if public and (not namespace and not starred):
+      username = None
+
    # Find the matching repositories.
    repositories = model.repository.get_visible_repositories(username=username,
                                                             limit=limit,
@ -177,6 +181,8 @@ class RepositoryList(ApiResource):
  def get(self, args):
    """ Fetch the list of repositories visible to the current user under a variety of situations.
    """
+    if not args['namespace'] and not args['starred'] and not args['public']:
+      raise InvalidRequest('namespace, starred or public are required for this API call')

    repositories, star_lookup = self._load_repositories(args['namespace'], args['public'],
                                                        args['starred'], args['limit'],
--- a/endpoints/v1/index.py
+++ b/endpoints/v1/index.py
@ -329,7 +329,8 @@ def get_search():
    username = user.username

  results = []
-  conduct_repo_search(username, query, results)
+  if query:
+    conduct_repo_search(username, query, results)

  data = {
    "query": query,
--- a/test/test_api_security.py
+++ b/test/test_api_security.py
@ -378,16 +378,16 @@ class TestRepositoryList(ApiTestCase):
    self._set_url(RepositoryList)

  def test_get_anonymous(self):
-    self._run_test('GET', 200, None, None)
+    self._run_test('GET', 400, None, None)

  def test_get_freshuser(self):
-    self._run_test('GET', 200, 'freshuser', None)
+    self._run_test('GET', 400, 'freshuser', None)

  def test_get_reader(self):
-    self._run_test('GET', 200, 'reader', None)
+    self._run_test('GET', 400, 'reader', None)

  def test_get_devtable(self):
-    self._run_test('GET', 200, 'devtable', None)
+    self._run_test('GET', 400, 'devtable', None)

  def test_post_anonymous(self):
    self._run_test('POST', 400, None, {u'visibility': u'public', u'repository': 'XZGB',
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@ -1331,14 +1331,14 @@ class TestListRepos(ApiTestCase):

    self.assertEquals(len(json['repositories']), 1)

-  def test_listrepos_orgmember(self):
+  def test_listrepos_asorgmember(self):
    self.login(READ_ACCESS_USER)

    # Queries: Base + the list query
    with assert_query_count(BASE_LOGGEDIN_QUERY_COUNT + 1):
      json = self.getJsonResponse(RepositoryList, params=dict(public=True))

-    self.assertGreater(len(json['repositories']), 1)
+    self.assertGreater(len(json['repositories']), 0)

  def test_listrepos_filter(self):
    self.login(READ_ACCESS_USER)
@ -1353,7 +1353,7 @@ class TestListRepos(ApiTestCase):

  def test_listrepos_limit(self):
    self.login(READ_ACCESS_USER)
-    json = self.getJsonResponse(RepositoryList, params=dict(limit=1))
+    json = self.getJsonResponse(RepositoryList, params=dict(limit=1, public=True))
    self.assertEquals(len(json['repositories']), 1)

  def test_listrepos_allparams(self):