From d48d487de03a78d7aed666108a85c6d94aacccce Mon Sep 17 00:00:00 2001
From: Scott Schneider
Date: Fri, 20 Mar 2015 11:16:13 -0700
Subject: [PATCH] Validate data payload before operating on it

---
 lib/vmpooler/api/v1.rb | 43 ++++++++++++++++++++++++++++--------------
 1 file changed, 29 insertions(+), 14 deletions(-)

diff --git a/lib/vmpooler/api/v1.rb b/lib/vmpooler/api/v1.rb
index c8e7d37..e54979d 100644
--- a/lib/vmpooler/api/v1.rb
+++ b/lib/vmpooler/api/v1.rb
@@ -494,6 +494,8 @@ module Vmpooler
 put "#{api_prefix}/vm/:hostname/?" do
 content_type :json
 
+ failure = false
+
 result = {}
 
 status 404
@@ -504,28 +506,41 @@ module Vmpooler
 if $redis.exists('vmpooler__vm__' + params[:hostname])
 jdata = JSON.parse(request.body.read)
 
+ # Validate data payload
 jdata.each do |param, arg|
 case param
 when 'lifetime'
- arg = arg.to_i
-
- if arg > 0
- $redis.hset('vmpooler__vm__' + params[:hostname], param, arg)
-
- status 200
- result['ok'] = true
+ unless arg.to_i > 0
+ failure = true
 end
 when 'tags'
- if arg.is_a?(Hash)
- arg.keys.each do |tag|
- $redis.hset('vmpooler__vm__' + params[:hostname], 'tag:' + tag, arg[tag])
- end
-
- status 200
- result['ok'] = true
+ unless arg.is_a?(Hash)
+ failure = true
 end
+ else
+ failure = true
 end
 end
+
+ if failure
+ status 400
+ else
+ jdata.each do |param, arg|
+ case param
+ when 'lifetime'
+ arg = arg.to_i
+
+ $redis.hset('vmpooler__vm__' + params[:hostname], param, arg)
+ when 'tags'
+ arg.keys.each do |tag|
+ $redis.hset('vmpooler__vm__' + params[:hostname], 'tag:' + tag, arg[tag])
+ end
+ end
+ end
+
+ status 200
+ result['ok'] = true
+ end
 end
 
 JSON.pretty_generate(result)
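Review bot: The validation pass in the second hunk still lets malformed input escape as an exception instead of the new 400: `JSON.parse(request.body.read)` raises `JSON::ParserError` on a bad body, `jdata.each do |param, arg|` assumes the top-level value is an object, and `arg.to_i` in the `'lifetime'` branch raises `NoMethodError` when the value is an array or object, so those requests surface as 500s rather than being rejected. Since the hunk now carries a `failure` flag, the cheap fix is to set it from a rescue around the parse plus a `jdata.is_a?(Hash)` check, and to type-check `lifetime` before coercing it the way the `'tags'` branch already does for its value. Note also that an empty object `{}` now reaches `status 200` with `ok: true` without touching redis, where previously it left the 404 — probably acceptable, but worth confirming it is intended. The enclosing `put` route starts in the first hunk and its `end` lies after this hunk.
```ruby
        begin
          jdata = JSON.parse(request.body.read)
        rescue JSON::ParserError
          jdata = nil
        end

        # A non-object payload is rejected up front; an empty hash keeps the loops below safe
        unless jdata.is_a?(Hash)
          failure = true
          jdata = {}
        end

        # Validate data payload
        jdata.each do |param, arg|
          case param
          when 'lifetime'
            unless (arg.is_a?(Numeric) || arg.is_a?(String)) && arg.to_i > 0
              failure = true
            end
          # … unchanged: 'tags' and else branches, failure/apply block …
```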