hotfix: publish: /latest: prevent empty id from clobbering mdbags

usnistgov · Jul 8, 2021 · b79a526 · b79a526
1 parent 6397340
commit b79a526
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 2 deletions.
diff --git a/python/nistoar/pdr/publish/midas3/service.py b/python/nistoar/pdr/publish/midas3/service.py
@@ -320,6 +320,9 @@ def delete(self, id):
         delete the working metadata bag for the given identifier.  Afterward, it must be recreated 
         via a call to update_ds_with_pod(id).
         """
+        if not id:
+            raise ValueError("Empty or null identifier")
+
         worker = self._bagging_workers.get(id)
         if not worker:
             bagger = self._create_bagger(id)

diff --git a/python/nistoar/pdr/publish/midas3/wsgi.py b/python/nistoar/pdr/publish/midas3/wsgi.py
@@ -436,8 +436,8 @@ def do_POST(self, path):
                 self._reqrec.add_body_text(body).record()
             return self.send_error(400, "Input not parseable as JSON")
 
-        if 'identifier' not in pod:
-            return self.send_error(400, "Input POD missing required identifier property")
+        if not pod.get('identifier'):
+            return self.send_error(400, "Input POD is missing required identifier property")
         # if 'accessLevel' not in pod:
         #    return self.send_error(400, "Input POD missing required accessLevel property")
 

diff --git a/python/tests/nistoar/pdr/publish/midas3/test_service.py b/python/tests/nistoar/pdr/publish/midas3/test_service.py
@@ -197,6 +197,13 @@ def test_delete(self):
         self.svc.update_ds_with_pod(pod, False)
         self.assertTrue(os.path.isdir(bagdir))
 
+        with self.assertRaises(ValueError):
+            self.svc.delete("")
+        self.assertTrue(os.path.isdir(bagdir))
+        with self.assertRaises(ValueError):
+            self.svc.delete(None)
+        self.assertTrue(os.path.isdir(bagdir))
+
         self.svc.delete(pod['identifier'])
         self.assertTrue(not os.path.isdir(bagdir))
 

diff --git a/python/tests/nistoar/pdr/publish/midas3/test_wsgi_latest.py b/python/tests/nistoar/pdr/publish/midas3/test_wsgi_latest.py
@@ -130,6 +130,47 @@ def test_do_private_POST(self):
         self.assertTrue(not os.path.isfile(os.path.join(self.bagparent,"nrdserv",
                                                         self.midasid+".json")))
 
+    def test_block_private_clobber(self):
+        # first do a normal POST to create a submission
+        req = {
+            'REQUEST_METHOD': "POST",
+            'CONTENT_TYPE': 'application/json',
+            'PATH_INFO': '/pdr/latest',
+            'HTTP_AUTHORIZATION': 'Bearer secret'
+        }
+        self.hdlr = self.gethandler('', req)
+
+        pod = None
+        with open(self.podf) as fd:
+            pod = json.load(fd)
+        req['wsgi.input'] = StringIO(json.dumps(pod))
+        body = self.hdlr.handle()
+
+        self.assertIn("201", self.resp[0])
+        self.assertEquals(body, [])
+
+        bagdir = os.path.join(self.bagparent,"mdbags",self.midasid)
+        self.assertTrue(os.path.isdir(bagdir))
+        self.svc.wait_for_all_workers(300)
+
+        # now try to clobber it
+        self.resp = []
+        req = {
+            'REQUEST_METHOD': "POST",
+            'CONTENT_TYPE': 'application/json',
+            'PATH_INFO': '/pdr/latest',
+            'HTTP_AUTHORIZATION': 'Bearer secret'
+        }
+        self.hdlr = self.gethandler('', req)
+
+        pod['identifier'] = ""
+        pod['accessLevel'] = "non-public"
+        req['wsgi.input'] = StringIO(json.dumps(pod))
+        body = self.hdlr.handle()
+        self.assertIn("400", self.resp[0])
+        self.assertTrue(os.path.isdir(bagdir))
+
+
     def test_do_unauthorized_POST(self):
         req = {
             'REQUEST_METHOD': "POST",