diff options
author | Ed Tanous <edtanous@google.com> | 2022-02-08 14:24:30 +0300 |
---|---|---|
committer | Ed Tanous <ed@tanous.net> | 2023-02-17 20:01:21 +0300 |
commit | 1aa0c2b84be62a20d8c37a11ad877e0a8a48c69d (patch) | |
tree | 60a3f45204bcc8947f25db6e64cc3cd5d01f0648 /test | |
parent | 6177a301de5cefdb4a31601ec2d899f4309fc6c2 (diff) | |
download | bmcweb-1aa0c2b84be62a20d8c37a11ad877e0a8a48c69d.tar.xz |
Add option for validating content-type header
For systems implementing to the OWASP security guidelines[1] (of which all
should ideally) we should be checking the content-type header all times
that we parse a request as JSON.
This commit adds an option for parsing content-type, and sets a default
of "must get content-type". Ideally this would not be a breaking
change, but given the number of guides and scripts that omit the content
type, it seems worthwhile to add a trapdoor, such that people can opt
into their own model on how they would like to see this checking work.
Tested:
```
curl --insecure -H "Content-Type: application/json" -X POST -D headers.txt https://${bmc}/redfish/v1/SessionService/Sessions -d '{"UserName":"root", "Password":"0penBmc"}'
```
Succeeds.
Removing Content-Type argument causes bmc to return
Base.1.13.0.UnrecognizedRequestBody.
[1] cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
Change-Id: Iaa47dd563b40036ff2fc2cacb70d941fd8853038
Signed-off-by: Ed Tanous <edtanous@google.com>
Diffstat (limited to 'test')
-rw-r--r-- | test/redfish-core/include/utils/json_utils_test.cpp | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/test/redfish-core/include/utils/json_utils_test.cpp b/test/redfish-core/include/utils/json_utils_test.cpp index 826d4375a6..b4d1062b24 100644 --- a/test/redfish-core/include/utils/json_utils_test.cpp +++ b/test/redfish-core/include/utils/json_utils_test.cpp @@ -274,7 +274,7 @@ TEST(ReadJsonPatch, ValidElementsReturnsTrueResponseOkValuesUnpackedCorrectly) crow::Request req({}, ec); // Ignore errors intentionally req.body = "{\"integer\": 1}"; - + req.req.set(boost::beast::http::field::content_type, "application/json"); int64_t integer = 0; ASSERT_TRUE(readJsonPatch(req, res, "integer", integer)); EXPECT_EQ(res.result(), boost::beast::http::status::ok); @@ -301,6 +301,7 @@ TEST(ReadJsonPatch, OdataIgnored) crow::Response res; std::error_code ec; crow::Request req({}, ec); + req.req.set(boost::beast::http::field::content_type, "application/json"); // Ignore errors intentionally req.body = R"({"@odata.etag": "etag", "integer": 1})"; @@ -330,6 +331,7 @@ TEST(ReadJsonAction, ValidElementsReturnsTrueResponseOkValuesUnpackedCorrectly) crow::Response res; std::error_code ec; crow::Request req({}, ec); + req.req.set(boost::beast::http::field::content_type, "application/json"); // Ignore errors intentionally req.body = "{\"integer\": 1}"; @@ -345,6 +347,7 @@ TEST(ReadJsonAction, EmptyObjectReturnsTrueResponseOk) crow::Response res; std::error_code ec; crow::Request req({}, ec); + req.req.set(boost::beast::http::field::content_type, "application/json"); // Ignore errors intentionally req.body = "{}"; @@ -355,4 +358,4 @@ TEST(ReadJsonAction, EmptyObjectReturnsTrueResponseOk) } } // namespace -} // namespace redfish::json_util
\ No newline at end of file +} // namespace redfish::json_util |