From d8750791ec9a7c912ee722bdce233a0a69095001 Mon Sep 17 00:00:00 2001
From: Beth Skurrie
Date: Thu, 7 Sep 2017 10:43:42 +1000
Subject: [PATCH] fix: enable resource identifiers to contain forward slashes
This enables tag names such as 'feat/foo' to be used when escaped. To do this, the path_traversal rack protection was disabled
---
 lib/pact_broker/app.rb | 2 +-
 spec/integration/app_spec.rb | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/lib/pact_broker/app.rb b/lib/pact_broker/app.rb
index 05b104866..c029f8ac2 100644
--- a/lib/pact_broker/app.rb
+++ b/lib/pact_broker/app.rb
@@ -78,7 +78,7 @@ def prepare_app
 end
 def configure_middleware
- @app_builder.use Rack::Protection, except: [:remote_token, :session_hijacking, :http_origin]
+ @app_builder.use Rack::Protection, except: [:path_traversal, :remote_token, :session_hijacking, :http_origin]
 @app_builder.use Rack::PactBroker::InvalidUriProtection
 @app_builder.use Rack::PactBroker::AddPactBrokerVersionHeader
 @app_builder.use Rack::Static, :urls => ["/stylesheets", "/css", "/fonts", "/js", "/javascripts", "/images"], :root => PactBroker.project_root.join("public")
diff --git a/spec/integration/app_spec.rb b/spec/integration/app_spec.rb
index 231ddcaf1..e3bdeecea 100644
--- a/spec/integration/app_spec.rb
+++ b/spec/integration/app_spec.rb
@@ -187,5 +187,15 @@ module PactBroker
 expect(last_response.status).to eq 404
 end
 end
+
+ describe "when a resource identifier contains a slash" do
+ let(:path) { "/pacticipants/Foo/versions/1.2.3/tags/feat%2Fbar" }
+ subject { put path, nil, {'CONTENT_TYPE' => 'application/json'}; last_response }
+ it "returns a success status" do
+ expect(subject.status).to eq 201
+ end
+ end
 end
 end
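Review bot: Adding `:path_traversal` to the `except:` list on the changed line switches Rack::Protection::PathTraversal off for every route, although the only behaviour the commit needs to avoid is that middleware decoding `%2F` in PATH_INFO before routing; its normalisation of `..` and `%2e%2e` segments is lost with it. Anything later in this chain that maps the raw path onto the filesystem, here `Rack::Static` with `:root => PactBroker.project_root.join("public")`, now relies solely on its own path cleaning (Rack::File/Rack::Files does reject `..` segments in Rack releases I know of, but the spec should pin that rather than assume it). I would add a comment on the changed line, e.g. `# :path_traversal is excluded because it decodes %2F in PATH_INFO, which breaks identifiers such as tag names that contain an escaped slash`, and a negative example next to the new one in spec/integration/app_spec.rb asserting that a request under one of the static prefixes whose path contains encoded `..` segments does not return 200. The body of configure_middleware continues past the end of the hunk, so any further middleware that handles paths is not visible here.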
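Review bot: The new example in spec/integration/app_spec.rb asserts only `subject.status` is 201, so it would also pass if the identifier were stored literally as `feat%2Fbar` or if the request were routed to a different resource that happens to return 201. Asserting on the decoded tag name, e.g. `expect(JSON.parse(subject.body)["name"]).to eq "feat/bar"`, would pin the behaviour the commit title claims; the tag response body shape is not visible in this patch, so confirm the key before using it. The `describe` block is complete within the hunk.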