From de0da4b8f4b4054684e634ef9ccae11fba139eec Mon Sep 17 00:00:00 2001 From: James Myers Date: Thu, 31 Oct 2019 12:45:10 -0700 Subject: [PATCH] Validate action provided to the sign command This change also updates the CLI to uppercase the action to ensure that it is a valid action. If the action is lowercase, the signed URL is not valid. [finishes #167978647](https://www.pivotaltracker.com/story/show/167978647) Co-authored-by: Rebecca Putinski --- client/client.go | 3 ++- integration/gcs_static_test.go | 14 ++++++++++---- main.go | 15 +++++++++++++++ 3 files changed, 27 insertions(+), 5 deletions(-) diff --git a/client/client.go b/client/client.go index 3ebb0012..37fda88c 100644 --- a/client/client.go +++ b/client/client.go @@ -20,10 +20,11 @@ import ( "context" "errors" "fmt" - "golang.org/x/oauth2/google" "io" "time" + "golang.org/x/oauth2/google" + "log" "cloud.google.com/go/storage" diff --git a/integration/gcs_static_test.go b/integration/gcs_static_test.go index 1ca9290e..80354562 100644 --- a/integration/gcs_static_test.go +++ b/integration/gcs_static_test.go @@ -17,11 +17,12 @@ package integration import ( + "net/http" + "strings" + "github.com/cloudfoundry/bosh-gcscli/config" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" - "net/http" - "strings" ) var _ = Describe("Integration", func() { @@ -43,9 +44,14 @@ var _ = Describe("Integration", func() { AssertLifecycleWorks(gcsCLIPath, ctx) }) + It("validates the action is valid", func() { + session, err := RunGCSCLI(gcsCLIPath, ctx.ConfigPath, "sign", ctx.GCSFileName, "not-valid", "1h") + Expect(err).NotTo(HaveOccurred()) + Expect(session.ExitCode()).ToNot(Equal(0)) + }) + It("can generate a signed url for a given object and action", func() { - session, err := RunGCSCLI(gcsCLIPath, ctx.ConfigPath, - "sign", ctx.GCSFileName, "PUT", "1h") + session, err := RunGCSCLI(gcsCLIPath, ctx.ConfigPath, "sign", ctx.GCSFileName, "put", "1h") Expect(err).ToNot(HaveOccurred()) Expect(session.ExitCode()).To(Equal(0)) 
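Review bot: The new `validates the action is valid` spec in integration/gcs_static_test.go asserts only a non-zero exit code, so it would also pass if the CLI failed for an unrelated reason (unreadable config, a panic) before reaching the action check. Matching the process's error output against `invalid signing action` would pin the rejection to the validator; this assumes the session returned by `RunGCSCLI` exposes stderr, which this hunk does not show. The positive spec now passes only lowercase `put`, so the already-uppercase input path is no longer exercised end to end. Running it over `put`, `PUT` and `Put` would cover the normalisation.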
diff --git a/main.go b/main.go index 79b0455b..87bee4cc 100644 --- a/main.go +++ b/main.go @@ -20,7 +20,9 @@ import ( "flag" "fmt" "log" + "net/http" "os" + "strings" "time" "github.com/cloudfoundry/bosh-gcscli/client" @@ -180,6 +182,12 @@ func main() { id, action, expiry := nonFlagArgs[1], nonFlagArgs[2], nonFlagArgs[3] + action = strings.ToUpper(action) + err = validateAction(action) + if err != nil { + log.Fatal(err) + } + var expiryDuration time.Duration expiryDuration, err = time.ParseDuration(expiry) if err != nil { @@ -199,3 +207,10 @@ func main() { log.Fatalf("performing operation %s: %s\n", cmd, err) } } + +func validateAction(action string) error { + if action != http.MethodGet && action != http.MethodPut && action != http.MethodDelete { + return fmt.Errorf("invalid signing action: %s must be GET, PUT, or DELETE", action) + } + return nil +}
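Review bot: The sign branch in `main()` now rejects unknown actions, but the `expiry` argument parsed just below is still accepted as long as `time.ParseDuration` succeeds, which includes zero, negative and very long durations. Since this commit is about validating the sign inputs, a bound check after the parse would fit here, e.g. `if expiryDuration <= 0 { log.Fatalf("invalid expiry %q: must be a positive duration", expiry) }`, plus an upper limit if the deployment has a maximum lifetime for signed URLs. The body of `main` starts and ends outside this hunk, so a later check may already exist; if so, disregard. The new `log.Fatal(err)` also drops the command context that the final `log.Fatalf("performing operation %s: %s\n", cmd, err)` carries.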
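Review bot: `validateAction` puts the caller-supplied action into the error with `%s`; `%q` would quote it, so empty input or stray whitespace and control characters stay visible in the log line: `return fmt.Errorf("invalid signing action: %q must be GET, PUT, or DELETE", action)`. The function has no doc comment; `// validateAction returns an error unless action is GET, PUT or DELETE. It compares exactly, so callers must upper-case the action first.` would record the contract that `main` relies on. The allow-list lives in main.go, so any other caller of the client package would not get it. The client's signing code is not shown in this diff, so whether the check belongs next to it is something to confirm.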