test/apisix
1
0
Fork 0
mirror of https://gitee.com/iresty/apisix.git synced 2024-12-04 21:17:36 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix(request-validate): handle duplicate key in JSON (#6625)

Browse Source
This commit is contained in:
罗泽轩 2022-03-16 16:05:55 +08:00 committed by GitHub
parent 95eb67ed93
commit ca2174a71f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 96 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
apisix/plugins/request-validation.lua
View File

@ -87,23 +87,32 @@ function _M.rewrite(conf, ctx)
return conf.rejected_code, conf.rejected_msg
end
local body_is_json = true
if headers["content-type"] == "application/x-www-form-urlencoded" then
-- use 0 to avoid truncated result and keep the behavior as the
-- same as other platforms
req_body, err = ngx.decode_args(body, 0)
body_is_json = false
else -- JSON as default
req_body, err = core.json.decode(body)
end
if not req_body then
core.log.error('failed to decode the req body', err)
return conf.rejected_code, conf.rejected_msg or err
core.log.error('failed to decode the req body: ', err)
return conf.rejected_code, conf.rejected_msg or err
end
local ok, err = core.schema.check(conf.body_schema, req_body)
if not ok then
core.log.error("req schema validation failed", err)
return conf.rejected_code, conf.rejected_msg or err
core.log.error("req schema validation failed: ", err)
return conf.rejected_code, conf.rejected_msg or err
end
if body_is_json then
-- ensure the JSON we check is the JSON we pass to the upstream,
-- see https://bishopfox.com/blog/json-interoperability-vulnerabilities
req_body = core.json.encode(req_body)
ngx.req.set_body_data(req_body)
end
end
end

83
t/plugin/request-validation2.t vendored Normal file
View File

@ -0,0 +1,83 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
use t::APISIX 'no_plan';
add_block_preprocessor(sub {
my ($block) = @_;
if ((!defined $block->error_log) && (!defined $block->no_error_log)) {
$block->set_value("no_error_log", "[error]");
}
if (!defined $block->request) {
$block->set_value("request", "GET /t");
}
});
run_tests();
__DATA__
=== TEST 1: json body with duplicate key
--- config
location /t {
content_by_lua_block {
local json = require("toolkit.json")
local t = require("lib.test_admin").test
local data = {
plugins = {
["request-validation"] = {
body_schema = {
type = "object",
properties = {
k = {pattern = "^good$"}
}
}
}
},
upstream = {
nodes = {
["127.0.0.1:1980"] = 1
},
type = "roundrobin"
},
uri = "/echo"
}
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
json.encode(data)
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- response_body
passed
=== TEST 2: hit
--- request
POST /echo
{"k":"bad","k":"good"}
--- response_body chomp
{"k":"good"}