Fix #3204, give 400 Bad Request when id is invalid

mozilla-services · Aug 1, 2017 · 429f512 · 429f512
1 parent a8f10c2
commit 429f512
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 26 deletions.
diff --git a/server/src/server.js b/server/src/server.js
@@ -308,7 +308,13 @@ app.param("id", function(req, res, next, id) {
     next();
     return;
   }
-  next(new Error("invalid id"));
+  let exc = new Error("invalid id")
+  exc.isAppError = true;
+  exc.output = {
+    statusCode: 400,
+    payload: "Invalid id"
+  };
+  next(exc);
 });
 
 app.param("domain", function(req, res, next, domain) {
@@ -1127,11 +1133,12 @@ require("./jobs").start();
 addRavenErrorHandler(app);
 
 app.use(function(err, req, res, next) {
-  console.log("here's the error", err, Object.keys(err));
   if (err.isAppError) {
     let { statusCode, headers, payload } = err.output;
     res.status(statusCode);
-    res.header(headers);
+    if (headers) {
+      res.header(headers);
+    }
     res.send(payload);
     return;
   }

diff --git a/test/server/clientlib.py b/test/server/clientlib.py
@@ -32,9 +32,12 @@ def login(self):
         resp.raise_for_status()
 
     def delete_account(self):
+        page = self.session.get(self.backend + "/leave-screenshots/").text
+        csrf_match = re.search(r'<input.*name="_csrf".*value="([^"]*)"', page)
+        csrf = csrf_match.group(1)
         resp = self.session.post(
             urljoin(self.backend, "/leave-screenshots/leave"),
-            json={})
+            json={"_csrf": csrf})
         resp.raise_for_status()
 
     def create_shot(self, shot_id=None, **example_args):

diff --git a/test/server/test_bodysize.py b/test/server/test_bodysize.py
diff --git a/test/server/test_responses.py b/test/server/test_responses.py
@@ -0,0 +1,39 @@
+#!../../.venv/bin/python
+
+from clientlib import ScreenshotsClient
+import random
+from requests import HTTPError
+
+# Hack to make this predictable:
+random.seed(0)
+
+
+def test_put_large_image():
+    user = ScreenshotsClient()
+    user.login()
+    try:
+        try:
+            user.create_shot(pad_image_to_length=100 * 1000 * 1000)
+        except HTTPError, e:
+            if e.response.status_code != 413:
+                raise
+    finally:
+        user.delete_account()
+
+
+def test_bad_id():
+    user = ScreenshotsClient()
+    user.login()
+    try:
+        try:
+            user.create_shot(shot_id="!!!/test.com")
+        except HTTPError, e:
+            if e.response.status_code != 400:
+                raise
+    finally:
+        user.delete_account()
+
+
+if __name__ == "__main__":
+    test_put_large_image()
+    test_bad_id()