Forbidding REST clients to set the node or IP

This is done for security reasons - if a client is unauthenticated, we don't want them to be able to just configure their own authentication information. Signed-off-by: Luke Kanies <luke@madstop.com>
author: Luke Kanies <luke@madstop.com> 2009-03-20 00:25:16 -0500
committer: James Turnbull <james@lovedthanlost.net> 2009-03-20 18:27:08 +1100
commit: 77ade43dec5e6fc5afac7abe4b331a3bc7887e42 (patch)
tree: 076af8725dce5aebd3947e6a831d707c690cce9e /spec/unit/network
parent: 0179e945a7d402c90a333c8207243882af362e06 (diff)
download: puppet-77ade43dec5e6fc5afac7abe4b331a3bc7887e42.tar.gz
puppet-77ade43dec5e6fc5afac7abe4b331a3bc7887e42.tar.xz
puppet-77ade43dec5e6fc5afac7abe4b331a3bc7887e42.zip
2 files changed, 20 insertions, 0 deletions
diff --git a/spec/unit/network/http/mongrel/rest.rb b/spec/unit/network/http/mongrel/rest.rb
index 84a7e7f64..1926a6e45 100755
--- a/spec/unit/network/http/mongrel/rest.rb
+++ b/spec/unit/network/http/mongrel/rest.rb
@@ -137,6 +137,16 @@ describe "Puppet::Network::HTTP::MongrelREST" do
                 result[:foo].should == %w{one two}
             end
 
+            it "should not allow the client to set the node via the query string" do
+                @request.stubs(:params).returns('QUERY_STRING' => "node=foo")
+                @handler.params(@request)[:node].should be_nil
+            end
+
+            it "should not allow the client to set the IP address via the query string" do
+                @request.stubs(:params).returns('QUERY_STRING' => "ip=foo")
+                @handler.params(@request)[:ip].should be_nil
+            end
+
             it "should pass the client's ip address to model find" do
                 @request.stubs(:params).returns("REMOTE_ADDR" => "ipaddress")
                 @handler.params(@request)[:ip].should == "ipaddress"
diff --git a/spec/unit/network/http/webrick/rest.rb b/spec/unit/network/http/webrick/rest.rb
index bb0918131..7600cff2c 100755
--- a/spec/unit/network/http/webrick/rest.rb
+++ b/spec/unit/network/http/webrick/rest.rb
@@ -106,6 +106,16 @@ describe Puppet::Network::HTTP::WEBrickREST do
                 result[:foo].should == %w{one two}
             end
 
+            it "should not allow clients to set the node via the request parameters" do
+                @request.stubs(:query).returns("node" => "foo")
+                @handler.params(@request)[:node].should be_nil
+            end
+
+            it "should not allow clients to set the IP via the request parameters" do
+                @request.stubs(:query).returns("ip" => "foo")
+                @handler.params(@request)[:ip].should_not == "foo"
+            end
+
             it "should pass the client's ip address to model find" do
                 @request.stubs(:peeraddr).returns(%w{noidea dunno hostname ipaddress})
                 @handler.params(@request)[:ip].should == "ipaddress"
author	Luke Kanies <luke@madstop.com>	2009-03-20 00:25:16 -0500
committer	James Turnbull <james@lovedthanlost.net>	2009-03-20 18:27:08 +1100
commit	77ade43dec5e6fc5afac7abe4b331a3bc7887e42 (patch)
tree	076af8725dce5aebd3947e6a831d707c690cce9e /spec/unit/network
parent	0179e945a7d402c90a333c8207243882af362e06 (diff)
download	puppet-77ade43dec5e6fc5afac7abe4b331a3bc7887e42.tar.gz puppet-77ade43dec5e6fc5afac7abe4b331a3bc7887e42.tar.xz puppet-77ade43dec5e6fc5afac7abe4b331a3bc7887e42.zip