diff --git a/CHANGES_NEXT_RELEASE b/CHANGES_NEXT_RELEASE
index 1f5b13440a..8ba25f16c7 100644
--- a/CHANGES_NEXT_RELEASE
+++ b/CHANGES_NEXT_RELEASE
@@ -16,3 +16,5 @@
 - Add: type param for POST entity in v2 (Issue #982, #984)
 - Add: support for geo:point type as a way of specifying location attribute in NGSIv2 (Issue #1038)
 - Add: type param for PUT entity in v2 (Issue #988, #992, #1000)
+- Fix: not detecting forbidden chars in entityID for PATCH v2 (Issue #1782)
+
diff --git a/src/lib/serviceRoutinesV2/patchEntity.cpp b/src/lib/serviceRoutinesV2/patchEntity.cpp
index 60b78f662b..8836879b02 100644
--- a/src/lib/serviceRoutinesV2/patchEntity.cpp
+++ b/src/lib/serviceRoutinesV2/patchEntity.cpp
@@ -28,7 +28,7 @@
 #include "common/statistics.h"
 #include "common/clockFunctions.h"
 #include "common/errorMessages.h"
-
+#include "parse/forbiddenChars.h"
 #include "rest/ConnectionInfo.h"
 #include "ngsi/ParseData.h"
 #include "apiTypesV2/Entities.h"
@@ -71,6 +71,12 @@ std::string patchEntity
 eP->id = compV[2];
 eP->type = ciP->uriParam["type"];
+ if (forbiddenIdChars(ciP->apiVersion, eP->id.c_str() , NULL))
+ {
+ OrionError oe(SccBadRequest, "invalid character in URI");
+ return oe.render(ciP, "");
+ }
+
 // 01. Fill in UpdateContextRequest
 parseDataP->upcr.res.fill(eP, "UPDATE");
diff --git a/test/functionalTest/cases/1782_forbidden_char_id_uri_patch/1782_forbidden_char_id_uri_patch.test b/test/functionalTest/cases/1782_forbidden_char_id_uri_patch/1782_forbidden_char_id_uri_patch.test
new file mode 100644
index 0000000000..ba9f489e63
--- /dev/null
+++ b/test/functionalTest/cases/1782_forbidden_char_id_uri_patch/1782_forbidden_char_id_uri_patch.test
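Review bot: In patchEntity.cpp the new `forbiddenIdChars` guard covers only `eP->id`; `eP->type`, assigned from `ciP->uriParam["type"]` on the line just above, still reaches `parseDataP->upcr.res.fill(eP, "UPDATE")` with no equivalent check visible in this hunk. Unless URI parameters are already filtered before the service routine runs, the same forbidden-character gap stays open for the type, so I would extend the condition to `if (forbiddenIdChars(ciP->apiVersion, eP->id.c_str(), NULL) || forbiddenIdChars(ciP->apiVersion, eP->type.c_str(), NULL))`, assuming the helper accepts an empty type. A short comment such as `// 00. Reject forbidden characters in the entity id taken from the URL path` would also match the numbered steps that follow. patchEntity's body starts and ends outside the hunk.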
@@ -0,0 +1,60 @@
+# Copyright 2016 Telefonica Investigacion y Desarrollo, S.A.U
+#
+# This file is part of Orion Context Broker.
+#
+# Orion Context Broker is free software: you can redistribute it and/or
+# modify it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# Orion Context Broker is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with Orion Context Broker. If not, see http://www.gnu.org/licenses/.
+#
+# For those usages not covered by this license please contact with
+# iot_support at tid dot es
+
+# VALGRIND_READY - to mark the test ready for valgrindTestSuite.sh
+
+--NAME--
+PATCH /v2/entities/E& forbidden chars in ID
+
+--SHELL-INIT--
+dbInit CB
+brokerStart CB
+
+--SHELL--
+
+#
+# 01. PATCH entity with forbidden char in ID
+#
+
+echo "01. PATCH entity with forbidden char in ID"
+echo "=========================================="
+payload='{ "attr1": 1 }'
+orionCurl --url '/v2/entities/E&?options=keyValues' -X PATCH --payload "$payload" --json
+echo
+echo
+
+
+--REGEXPECT--
+01. PATCH entity with forbidden char in ID
+==========================================
+HTTP/1.1 400 Bad Request
+Content-Length: 63
+Content-Type: application/json
+Date: REGEX(.*)
+
+{
+ "description": "invalid character in URI",
+ "error": "BadRequest"
+}
+
+
+--TEARDOWN--
+brokerStop CB
+dbDrop CB
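Review bot: The functional test exercises a single character (`&`) and only the rejection path, so it would still pass if the new check in patchEntity matched nothing but that character. I would add a second step with another character that `forbiddenIdChars` rejects, plus a step showing that a PATCH with a clean ID is not answered with `invalid character in URI`. A header such as `# 02. PATCH entity with a valid ID is not rejected as a bad URI` would keep the numbering style of step 01.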