Reject non json formats

philippthun · philippthun · commit 5c5d1b25febd · 2023-03-27T13:25:40.000+02:00
diff --git a/app/controllers/v3/application_controller.rb b/app/controllers/v3/application_controller.rb
@@ -68,6 +68,8 @@ class ApplicationController < ActionController::Base
   before_action :check_write_permissions!, if: :enforce_write_scope?
   before_action :hashify_params
   before_action :null_coalesce_body
+  before_action :validate_content_type!
+  before_action :validate_request_format!
 
   rescue_from CloudController::Blobstore::BlobstoreError, with: :handle_blobstore_error
   rescue_from CloudController::Errors::NotAuthenticated, with: :handle_not_authenticated
@@ -223,6 +225,19 @@ def null_coalesce_body
     hashed_params[:body] ||= {}
   end
 
+  def validate_content_type!
+    return if request.content_type.nil? || Mime::Type.lookup(request.content_type) == :json
+
+    logger.error("Invalid content-type: #{request.content_type}")
+    bad_request!('Invalid Content-Type')
+  end
+
+  def validate_request_format!
+    return if !hashed_params.include?(:format) || hashed_params[:format] == 'json'
+
+    bad_request!('Invalid format requested')
+  end
+
   def membership
     @membership ||= Membership.new(current_user)
   end
diff --git a/app/controllers/v3/packages_controller.rb b/app/controllers/v3/packages_controller.rb
@@ -204,6 +204,19 @@ def send_package_blob(package)
     BlobDispatcher.new(blobstore: package_blobstore, controller: self).send_or_redirect(guid: package.guid)
   end
 
+  def validate_content_type!
+    return if Mime::Type.lookup(request.content_type) == :url_encoded_form
+
+    logger.error("Invalid content-type: #{request.content_type}")
+    bad_request!('Invalid Content-Type')
+  end
+
+  def validate_request_format!
+    return unless hashed_params.include?(:format)
+
+    bad_request!('Invalid format requested')
+  end
+
   def unprocessable_non_bits_package!
     unprocessable!('Cannot create Docker package for a buildpack app.')
   end
diff --git a/app/controllers/v3/space_manifests_controller.rb b/app/controllers/v3/space_manifests_controller.rb
@@ -8,8 +8,6 @@
 class SpaceManifestsController < ApplicationController
   wrap_parameters :body, format: [:yaml]
 
-  before_action :validate_content_type!
-
   def apply_manifest
     space = Space.find(guid: hashed_params[:guid])
     space_not_found! unless space && permission_queryer.can_read_from_space?(space.id, space.organization_id)
@@ -86,14 +84,16 @@ def compound_error!(error_messages)
   end
 
   def validate_content_type!
-    if !request_content_type_is_yaml?
-      logger.error("Content-type isn't yaml: #{request.content_type}")
-      bad_request!('Content-Type must be yaml')
-    end
+    return if Mime::Type.lookup(request.content_type) == :yaml
+
+    logger.error("Invalid content-type: #{request.content_type}")
+    bad_request!('Invalid Content-Type')
   end
 
-  def request_content_type_is_yaml?
-    Mime::Type.lookup(request.content_type) == :yaml
+  def validate_request_format!
+    return unless hashed_params.include?(:format)
+
+    bad_request!('Invalid format requested')
   end
 
   def check_version_is_supported!
