feat: validate v0 tokens more thoroughly

Changes v0 token validation from simple check containing a : into regex expecting valid uuid characters on either side of the : as well. Closes #406
mozilla-services · Mar 15, 2016 · 30d2659 · 30d2659
1 parent 9e428e2
commit 30d2659
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/autopush/settings.py b/autopush/settings.py
@@ -1,5 +1,6 @@
 """Autopush Settings Object and Setup"""
 import datetime
+import re
 import socket
 
 from hashlib import sha256
@@ -40,6 +41,9 @@
 from autopush.senderids import SENDERID_EXPRY, DEFAULT_BUCKET
 
 
+VALID_V0_TOKEN = re.compile(r'[0-9A-Za-z-]{32,36}:[0-9A-Za-z-]{32,36}')
+
+
 class AutopushSettings(object):
     """Main Autopush Settings Object"""
     options = ["crypto_key", "hostname", "min_ping_interval",
@@ -293,7 +297,7 @@ def parse_endpoint(self, token, version="v0", public_key=None):
         token = self.fernet.decrypt(token.encode('utf8'))
 
         if version == 'v0':
-            if ':' not in token:
+            if not VALID_V0_TOKEN.match(token):
                 raise InvalidTokenException("Corrupted push token")
             return tuple(token.split(':'))
         if version == 'v1' and len(token) != 32:

diff --git a/autopush/tests/test_endpoint.py b/autopush/tests/test_endpoint.py
@@ -538,6 +538,17 @@ def handle_finish(value):
         self.endpoint.put(None, '')
         return self.finish_deferred
 
+    def test_put_v1_token_as_v0_token(self):
+        self.fernet_mock.decrypt.return_value = \
+            '\xcb\n<\x0c\xe6\xf3C4:\xa8\xaeO\xf5\xab\xfbb|'
+
+        def handle_finish(result):
+            self.status_mock.assert_called_with(400)
+        self.finish_deferred.addCallback(handle_finish)
+
+        self.endpoint.put(None, '')
+        return self.finish_deferred
+
     def test_put_token_invalid(self):
         self.fernet_mock.configure_mock(**{
             'decrypt.side_effect': InvalidToken})