From 429f512f64db5994d54e9213892def662fc1120c Mon Sep 17 00:00:00 2001
From: Ian Bicking <ianb@colorstudy.com>
Date: Mon, 31 Jul 2017 16:27:53 -0500
Subject: [PATCH] Fix #3204, give 400 Bad Request when id is invalid

---
 server/src/server.js          | 13 +++++++++---
 test/server/clientlib.py      |  5 ++++-
 test/server/test_bodysize.py  | 22 --------------------
 test/server/test_responses.py | 39 +++++++++++++++++++++++++++++++++++
 4 files changed, 53 insertions(+), 26 deletions(-)
 delete mode 100755 test/server/test_bodysize.py
 create mode 100755 test/server/test_responses.py

diff --git a/server/src/server.js b/server/src/server.js
index a2e1336ede..76273fa35f 100644
--- a/server/src/server.js
+++ b/server/src/server.js
@@ -308,7 +308,13 @@ app.param("id", function(req, res, next, id) {
     next();
     return;
   }
-  next(new Error("invalid id"));
+  let exc = new Error("invalid id")
+  exc.isAppError = true;
+  exc.output = {
+    statusCode: 400,
+    payload: "Invalid id"
+  };
+  next(exc);
 });
 
 app.param("domain", function(req, res, next, domain) {
@@ -1127,11 +1133,12 @@ require("./jobs").start();
 addRavenErrorHandler(app);
 
 app.use(function(err, req, res, next) {
-  console.log("here's the error", err, Object.keys(err));
   if (err.isAppError) {
     let { statusCode, headers, payload } = err.output;
     res.status(statusCode);
-    res.header(headers);
+    if (headers) {
+      res.header(headers);
+    }
     res.send(payload);
     return;
   }
diff --git a/test/server/clientlib.py b/test/server/clientlib.py
index 5fcc5d42bb..d90b2e421e 100644
--- a/test/server/clientlib.py
+++ b/test/server/clientlib.py
@@ -32,9 +32,12 @@ def login(self):
         resp.raise_for_status()
 
     def delete_account(self):
+        page = self.session.get(self.backend + "/leave-screenshots/").text
+        csrf_match = re.search(r'<input.*name="_csrf".*value="([^"]*)"', page)
+        csrf = csrf_match.group(1)
         resp = self.session.post(
             urljoin(self.backend, "/leave-screenshots/leave"),
-            json={})
+            json={"_csrf": csrf})
         resp.raise_for_status()
 
     def create_shot(self, shot_id=None, **example_args):
diff --git a/test/server/test_bodysize.py b/test/server/test_bodysize.py
deleted file mode 100755
index 7564ac0862..0000000000
--- a/test/server/test_bodysize.py
+++ /dev/null
@@ -1,22 +0,0 @@
-#!../../.venv/bin/python
-
-from clientlib import ScreenshotsClient
-import random
-from requests import HTTPError
-
-# Hack to make this predictable:
-random.seed(0)
-
-
-def test_put_large_image():
-    user = ScreenshotsClient()
-    user.login()
-    try:
-        user.create_shot(pad_image_to_length=100 * 1000 * 1000)
-    except HTTPError, e:
-        if e.response.status_code != 413:
-            raise
-
-
-if __name__ == "__main__":
-    test_put_large_image()
diff --git a/test/server/test_responses.py b/test/server/test_responses.py
new file mode 100755
index 0000000000..f1b14e52ee
--- /dev/null
+++ b/test/server/test_responses.py
@@ -0,0 +1,39 @@
+#!../../.venv/bin/python
+
+from clientlib import ScreenshotsClient
+import random
+from requests import HTTPError
+
+# Hack to make this predictable:
+random.seed(0)
+
+
+def test_put_large_image():
+    user = ScreenshotsClient()
+    user.login()
+    try:
+        try:
+            user.create_shot(pad_image_to_length=100 * 1000 * 1000)
+        except HTTPError, e:
+            if e.response.status_code != 413:
+                raise
+    finally:
+        user.delete_account()
+
+
+def test_bad_id():
+    user = ScreenshotsClient()
+    user.login()
+    try:
+        try:
+            user.create_shot(shot_id="!!!/test.com")
+        except HTTPError, e:
+            if e.response.status_code != 400:
+                raise
+    finally:
+        user.delete_account()
+
+
+if __name__ == "__main__":
+    test_put_large_image()
+    test_bad_id()