Use chatId from URL rather than from payload for chats (#700)
### Motivation and Context To verify access to a chat, we use HandleRequest() with the chatId provided. Currently, we get this from the payload, which can differ from the chatId in the URL; this opens us to a security problem where a user could inject an arbitrary chatId in the payload that doesn't match what's in the URL. ### Description - Use chatId from URL and only from URL - Add an integration test to validate this ### Contribution Checklist - [ ] The code builds clean without any errors or warnings - [ ] The PR follows the [Contribution Guidelines](https://github.com/microsoft/chat-copilot/blob/main/CONTRIBUTING.md) and the [pre-submission formatting script](https://github.com/microsoft/chat-copilot/blob/main/CONTRIBUTING.md#development-scripts) raises no violations - [ ] All unit tests pass, and I have added new tests where possible - [ ] I didn't break anyone 😄
Showing
5 changed files
with
72 additions
and
53 deletions.
@@ -0,0 +1,50 @@ | ||
// Copyright (c) Microsoft. All rights reserved. | ||
|
||
using System.Collections.Generic; | ||
using System.Net.Http; | ||
using System.Net.Http.Json; | ||
using System.Text.Json; | ||
using CopilotChat.WebApi.Models.Request; | ||
using CopilotChat.WebApi.Models.Response; | ||
using Xunit; | ||
using static CopilotChat.WebApi.Models.Storage.CopilotChatMessage; | ||
|
||
namespace ChatCopilotIntegrationTests; | ||
|
||
public class ChatTests : ChatCopilotIntegrationTest | ||
{ | ||
[Fact] | ||
public async void ChatMessagePostSucceedsWithValidInput() | ||
{ | ||
await this.SetUpAuth(); | ||
|
||
// Create chat session | ||
var createChatParams = new CreateChatParameters() { Title = nameof(ChatMessagePostSucceedsWithValidInput) }; | ||
HttpResponseMessage response = await this._httpClient.PostAsJsonAsync("chats", createChatParams); | ||
response.EnsureSuccessStatusCode(); | ||
|
||
var contentStream = await response.Content.ReadAsStreamAsync(); | ||
var createChatResponse = await JsonSerializer.DeserializeAsync<CreateChatResponse>(contentStream, new JsonSerializerOptions { PropertyNameCaseInsensitive = true }); | ||
Assert.NotNull(createChatResponse); | ||
|
||
// Ask something to the bot | ||
var ask = new Ask | ||
{ | ||
Input = "Who is Satya Nadella?", | ||
Variables = new KeyValuePair<string, string>[] { new("MessageType", ChatMessageType.Message.ToString()) } | ||
}; | ||
response = await this._httpClient.PostAsJsonAsync($"chats/{createChatResponse.ChatSession.Id}/messages", ask); | ||
response.EnsureSuccessStatusCode(); | ||
|
||
contentStream = await response.Content.ReadAsStreamAsync(); | ||
var askResult = await JsonSerializer.DeserializeAsync<AskResult>(contentStream, new JsonSerializerOptions { PropertyNameCaseInsensitive = true }); | ||
Assert.NotNull(askResult); | ||
Assert.False(string.IsNullOrEmpty(askResult.Value)); | ||
|
||
|
||
// Clean up | ||
response = await this._httpClient.DeleteAsync($"chats/{createChatResponse.ChatSession.Id}"); | ||
response.EnsureSuccessStatusCode(); | ||
} | ||
} | ||
|
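Review bot: The new test only exercises the happy path — it posts to the chat it just created, so the URL chatId and whatever the request carries necessarily agree — and so it does not validate the fix the description claims (that access is decided by the URL's chatId rather than the payload's); the other four changed files are not visible here, so I cannot confirm whether a negative case lives elsewhere. A second test that creates a chat and then posts the same `Ask` to `chats/{someOtherChatId}/messages`, asserting `Assert.False(response.IsSuccessStatusCode)` (or the specific 403/404 the controller returns), would actually pin the authorization change and catch a regression back to payload-derived ids. Separately, `public async void ChatMessagePostSucceedsWithValidInput()` should be `public async Task ChatMessagePostSucceedsWithValidInput()` so xUnit observes exceptions instead of them crashing the test host. The trailing `DeleteAsync` should also sit in a `finally` so a failed assertion does not leak the chat session into the shared test tenant.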
This file was deleted.