added device ID validation in stat url (#175)

* added device ID validation in stat url * prep for release
xmidt-org · May 5, 2022 · 0dda22b · 0dda22b
1 parent 22b9316
commit 0dda22b
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## [v0.6.5]
+- Added validation of device ID in url for stat endpoint. [#175](https://github.com/xmidt-org/scytale/pull/175)
+
 ## [v0.6.4]
 - Fixed stat fanout to not try to hit send endpoint. [#174](https://github.com/xmidt-org/scytale/pull/174)
 
@@ -109,7 +112,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Initial creation.
 
 
-[Unreleased]: https://github.com/xmidt-org/scytale/compare/v0.6.4...HEAD
+[Unreleased]: https://github.com/xmidt-org/scytale/compare/v0.6.5...HEAD
+[v0.6.5]: https://github.com/xmidt-org/scytale/compare/v0.6.4...v0.6.5
 [v0.6.4]: https://github.com/xmidt-org/scytale/compare/v0.6.3...v0.6.4
 [v0.6.3]: https://github.com/xmidt-org/scytale/compare/v0.6.2...v0.6.3
 [v0.6.2]: https://github.com/xmidt-org/scytale/compare/v0.6.1...v0.6.2

diff --git a/primaryHandler.go b/primaryHandler.go
@@ -64,6 +64,8 @@ const (
 	basicAuthConfigKey = "authHeader"
 	jwtAuthConfigKey   = "jwtValidator"
 	wrpCheckConfigKey  = "WRPCheck"
+
+	deviceID = "deviceID"
 )
 
 var errNoDeviceName = errors.New("no device name")
@@ -391,15 +393,15 @@ func NewPrimaryHandler(logger log.Logger, v *viper.Viper, registry xmetrics.Regi
 		Handler(authChain.Then(sendWRPHandler))
 
 	router.Handle(
-		fmt.Sprintf("%s/device/{deviceID}/stat", urlPrefix),
-		authChain.Extend(fanoutChain).Then(
+		fmt.Sprintf("%s/device/{%s}/stat", urlPrefix, deviceID),
+		authChain.Extend(fanoutChain.Extend(validateDeviceID())).Then(
 			fanout.New(
 				endpoints,
 				append(
 					options,
 					fanout.WithFanoutBefore(
 						// required for petasos
-						fanout.ForwardVariableAsHeader("deviceID", "X-Webpa-Device-Name"),
+						fanout.ForwardVariableAsHeader(deviceID, "X-Webpa-Device-Name"),
 						// required for consul fanout
 						func(ctx context.Context, original, fanout *http.Request, body []byte) (context.Context, error) {
 							// strip the initial path and provide the configured one instead.
@@ -422,3 +424,26 @@ func NewPrimaryHandler(logger log.Logger, v *viper.Viper, registry xmetrics.Regi
 
 	return router, nil
 }
+
+// validateDeviceID checks the device ID in the URL to make sure it is good before fanout.
+func validateDeviceID() alice.Chain {
+	return alice.New(func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			vars := mux.Vars(r)
+			_, err := device.ParseID(vars[deviceID])
+			if err != nil {
+				w.Header().Set("Content-Type", "application/json")
+				w.WriteHeader(http.StatusBadRequest)
+
+				fmt.Fprintf(
+					w,
+					`{"code": %d, "message": "%s"}`,
+					http.StatusBadRequest,
+					fmt.Sprintf("failed to extract device ID: %s", err),
+				)
+				return
+			}
+			next.ServeHTTP(w, r)
+		})
+	})
+}