From 6d365418b75aa89299f331bccc4b407feb9a7b8e Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Thu, 22 Mar 2018 13:54:56 -0400
Subject: [PATCH] Limit the size of then payload for creating robot accounts
---
 endpoints/api/__init__.py | 12 ++++++++++++
 endpoints/api/robot.py    |  6 +++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/endpoints/api/__init__.py b/endpoints/api/__init__.py
index b9c501b2c..e6162c02e 100644
--- a/endpoints/api/__init__.py
+++ b/endpoints/api/__init__.py
@@ -321,6 +321,18 @@ def require_scope(scope_object):
   return wrapper
+def max_json_size(max_size):
+  def wrapper(func):
+    @wraps(func)
+    def wrapped(self, *args, **kwargs):
+      if request.is_json and len(request.get_data()) > max_size:
+        raise InvalidRequest()
+      return func(self, *args, **kwargs)
+    return wrapped
+  return wrapper
+
+
 def validate_json_request(schema_name, optional=False):
   def wrapper(func):
     @add_method_metadata('request_schema', schema_name)
diff --git a/endpoints/api/robot.py b/endpoints/api/robot.py
index e815498ce..757893783 100644
--- a/endpoints/api/robot.py
+++ b/endpoints/api/robot.py
@@ -2,7 +2,7 @@
 from endpoints.api import (resource, nickname, ApiResource, log_action, related_user_resource,
                            require_user_admin, require_scope, path_param, parse_args,
-                           truthy_bool, query_param, validate_json_request)
+                           truthy_bool, query_param, validate_json_request, max_json_size)
 from endpoints.api.robot_models_pre_oci import pre_oci_model as model
 from endpoints.exception import Unauthorized
 from auth.permissions import AdministerOrganizationPermission, OrganizationMemberPermission
@@ -28,6 +28,8 @@ CREATE_ROBOT_SCHEMA = {
   },
 }
+ROBOT_MAX_SIZE = 1024 * 1024 # 1 KB.
+
 def robots_list(prefix, include_permissions=False):
   robots = model.list_entity_robot_permission_teams(prefix, include_permissions=include_permissions)
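Review bot: `request.get_data()` on the `if` line in `wrapped` buffers the whole request body before its length is compared, so an oversized upload is still read fully into worker memory and only the handler behind the decorator is protected, not the process. If this is the Flask/Werkzeug request object, check the declared length first and keep the buffered comparison only as the fallback for clients that omit it (chunked uploads): `if request.content_length is not None and request.content_length > max_size: raise InvalidRequest()` placed ahead of the existing check. The guard is also conditioned on `request.is_json`, so a body sent with a non-JSON Content-Type is never measured here; whether `validate_json_request(..., optional=True)` later parses such a body anyway is outside this hunk and worth confirming. Since `max_json_size` is a reusable decorator, a docstring is warranted, e.g. `""" Rejects JSON request bodies larger than max_size bytes with InvalidRequest; stack it above validate_json_request so the check runs before the body is parsed. """`.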
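Review bot: The comment on the new `ROBOT_MAX_SIZE` line says `1 KB` but `1024 * 1024` evaluates to 1,048,576 bytes (1 MiB), so either the value or its description is wrong, and the cap as written is three orders of magnitude looser than the comment claims. If a kilobyte was the intent, change the line to `ROBOT_MAX_SIZE = 1024  # 1 KB: max JSON body accepted when creating a robot`; if a megabyte is acceptable, fix the comment instead so the next reader does not assume the tighter bound. What the CreateRobot schema actually carries is outside this hunk, so the right number should be chosen against that schema and recorded in the comment.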
@@ -69,6 +71,7 @@ class UserRobot(ApiResource):
   @require_user_admin
   @nickname('createUserRobot')
+  @max_json_size(ROBOT_MAX_SIZE)
   @validate_json_request('CreateRobot', optional=True)
   def put(self, robot_shortname):
     """ Create a new user robot with the specified name. """
@@ -138,6 +141,7 @@ class OrgRobot(ApiResource):
   @require_scope(scopes.ORG_ADMIN)
   @nickname('createOrgRobot')
+  @max_json_size(ROBOT_MAX_SIZE)
   @validate_json_request('CreateRobot', optional=True)
   def put(self, orgname, robot_shortname):
     """ Create a new robot in the organization. """
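Review bot: The position of `@max_json_size(ROBOT_MAX_SIZE)` above `@validate_json_request` is load-bearing — as the outer decorator it runs first, so the size check happens before the body is parsed (assuming `validate_json_request` does its parsing in its wrapper, which is not visible here) — yet nothing in the hunk records that, and a later decorator reshuffle would silently defeat the cap. Add `# Must stay above validate_json_request so oversized bodies are rejected before parsing.` on the line before the new decorator. The cap is applied only to these two PUT handlers; if other JSON-accepting routes in the API are meant to stay unbounded, that choice is worth a sentence in the commit message. `put`'s body continues beyond the hunk.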