Disallow POST application/json (only x-www-form-urlencoded is allowed)

pozetroninc · Dec 6, 2017 · 26c60e2 · 26c60e2
1 parent bce66be
commit 26c60e2
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -13,6 +13,8 @@ Get QR code using [HTTPie](https://httpie.org/):
     http -v --form POST http://localhost:9001 text=abracadabra --download -o qrcode.png
     http -v --form POST http://localhost:9001 base64=YWJyYWNhZGFicmE= --download -o qrcode.png
 
+Note that only `application/x-www-form-urlencoded` is allowed.
+
 ## Testing
 
 Using tox:

diff --git a/pozetron_barcode/barcode/models.py b/pozetron_barcode/barcode/models.py
@@ -9,6 +9,8 @@ class BarcodeResource:
 
     @staticmethod
     def on_post(req, resp):
+        if not req.content_type or req.content_type.split(';')[0] != 'application/x-www-form-urlencoded':
+            raise falcon.HTTPUnsupportedMediaType(description='Use application/x-www-form-urlencoded')
         # Get data (bytes) from request
         try:
             if len(req.params) != 1:

diff --git a/tests/conftest.py b/tests/conftest.py
@@ -13,6 +13,13 @@ def simulate_get_png(self, *args, **kw):
 
     def simulate_post_png(self, *args, **kw):
         self._add_file_wrapper(kw)
+        # If Content-Type is not specified explicitly, set application/x-www-form-urlencoded
+        try:
+            headers = kw['headers']
+        except KeyError:
+            headers = kw['headers'] = {}
+        if 'Content-Type' not in headers:
+            headers['Content-Type'] = 'application/x-www-form-urlencoded'
         return super().simulate_post(*args, **kw)
 
     def _add_file_wrapper(self, kw):

diff --git a/tests/test_barcode.py b/tests/test_barcode.py
@@ -20,6 +20,17 @@ def test_get_barcode(client):
     assert response.content == b''
 
 
+def test_post_barcode_invalid(client):
+    response = client.simulate_post_png('/',
+                                        body='{"text":"abracadabra"}',
+                                        headers={'Content-Type': 'application/json'})
+    assert response.status_code == 415
+    assert response.json == {
+        'title': 'Unsupported media type',
+        'description': 'Use application/x-www-form-urlencoded'
+    }
+
+
 def test_post_barcode(client, abracadabra_png):
     # No params
     response = client.simulate_post_png('/')