From 30d26591efcca94e9bf8756978e811e1029a7568 Mon Sep 17 00:00:00 2001
From: Ben Bangert
Date: Sat, 12 Mar 2016 09:30:28 -0800
Subject: [PATCH] feat: validate v0 tokens more thoroughly

Changes v0 token validation from simple check containing a : into regex expecting valid uuid characters on either side of the : as well.

Closes #406
---
 autopush/settings.py | 6 +++++-
 autopush/tests/test_endpoint.py | 11 +++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/autopush/settings.py b/autopush/settings.py
index 1d06f465..1a5a8bba 100644
--- a/autopush/settings.py
+++ b/autopush/settings.py
@@ -1,5 +1,6 @@
 """Autopush Settings Object and Setup"""
 import datetime
+import re
 import socket
 from hashlib import sha256
@@ -40,6 +41,9 @@ from autopush.senderids import SENDERID_EXPRY, DEFAULT_BUCKET
+VALID_V0_TOKEN = re.compile(r'[0-9A-Za-z-]{32,36}:[0-9A-Za-z-]{32,36}')
+
+
 class AutopushSettings(object):
     """Main Autopush Settings Object"""
     options = ["crypto_key", "hostname", "min_ping_interval",
@@ -293,7 +297,7 @@ def parse_endpoint(self, token, version="v0", public_key=None):
         token = self.fernet.decrypt(token.encode('utf8'))
         if version == 'v0':
-            if ':' not in token:
+            if not VALID_V0_TOKEN.match(token):
                 raise InvalidTokenException("Corrupted push token")
             return tuple(token.split(':'))
         if version == 'v1' and len(token) != 32:
diff --git a/autopush/tests/test_endpoint.py b/autopush/tests/test_endpoint.py
index 1f4f787a..49c9f99e 100644
--- a/autopush/tests/test_endpoint.py
+++ b/autopush/tests/test_endpoint.py
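Review bot: `VALID_V0_TOKEN` is applied with `.match()` in the third hunk (parse_endpoint), which anchors only at the start of the string, so a decrypted token that begins with two well-formed 32–36 character fields but carries trailing data still passes the check; if that trailing data contains another `:`, `tuple(token.split(':'))` yields more than two elements, and a caller that unpacks a pair would presumably fail with ValueError rather than the InvalidTokenException this guard is meant to raise. Anchor the pattern at both ends where it is defined in the second hunk: `VALID_V0_TOKEN = re.compile(r'\A[0-9A-Za-z-]{32,36}:[0-9A-Za-z-]{32,36}\Z')`, using `\Z` rather than `$` because `$` also matches before a trailing newline. The class `[0-9A-Za-z-]` is also wider than the hexadecimal-and-dash alphabet of the UUIDs the commit message describes; if the two fields really are UUIDs, `[0-9a-fA-F-]` would state that intent and reject more corrupted input. parse_endpoint's body starts and ends outside the hunk.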
@@ -538,6 +538,17 @@ def handle_finish(value):
         self.endpoint.put(None, '')
         return self.finish_deferred
 
+    def test_put_v1_token_as_v0_token(self):
+        self.fernet_mock.decrypt.return_value = \
+            '\xcb\n<\x0c\xe6\xf3C4:\xa8\xaeO\xf5\xab\xfbb|'
+
+        def handle_finish(result):
+            self.status_mock.assert_called_with(400)
+        self.finish_deferred.addCallback(handle_finish)
+
+        self.endpoint.put(None, '')
+        return self.finish_deferred
+
     def test_put_token_invalid(self):
         self.fernet_mock.configure_mock(**{
             'decrypt.side_effect': InvalidToken})
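Review bot: The new test only pins the rejection of a v1-shaped value returned by the mocked `decrypt`; nothing exercises the accepted v0 shape or the boundary of the new pattern, so an unanchored or over-permissive regex would pass this suite unchanged. Two companion cases would close that gap: one with `decrypt.return_value` set to a constructed well-formed token (two 36-character dash-separated fields such as two uuid4 strings) asserting that 400 is not set, and one with extra `:`-separated data appended to that same token asserting `self.status_mock.assert_called_with(400)`. The enclosing test class starts and ends outside the hunk.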