Validate the Content-Type on PUT requests

Return a 415 (https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/415) when the Content-Type does not look like a valid MIME type (in the type/subtype format) Refs #137
5apps · Apr 15, 2020 · 71d1388 · 71d1388
1 parent ab673f1
commit 71d1388
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 0 deletions.
diff --git a/lib/remote_storage/rest_provider.rb b/lib/remote_storage/rest_provider.rb
@@ -506,5 +506,10 @@ def get_directory_listing_from_redis_via_lua(user, directory)
       items
     end
 
+    def validate_content_type(content_type)
+      # Do not try to perform the PUT request when the Content-Type does not
+      # look like a MIME type
+      server.halt 415 unless content_type.match(/^.+\/.+/i)
+    end
   end
 end
diff --git a/lib/remote_storage/s3.rb b/lib/remote_storage/s3.rb
@@ -16,6 +16,8 @@ def format_etag(etag)
     end
 
     def do_put_request(url, data, content_type)
+      validate_content_type(content_type)
+
       deal_with_unauthorized_requests do
         md5 = Digest::MD5.base64digest(data)
         authorization_headers = authorization_headers_for(

diff --git a/spec/shared_examples.rb b/spec/shared_examples.rb
@@ -232,6 +232,16 @@ def storage_class
           _(last_response.body).must_equal "Precondition Failed"
         end
       end
+
+      describe "Content-Type" do
+        it "must be in the type/subtype format" do
+          header "Content-Type", "text"
+
+          put "/phil/food/invalid_content_type", "invalid"
+
+          _(last_response.status).must_equal 415
+        end
+      end
     end
 
   end