Commit 48d8c12

author

Bart Koelman

committed

Added input validation for version in URL and request body

1 parent 8c3b097 commit 48d8c12Copy full SHA for 48d8c12

File tree

14 files changed

+1917

-4

lines changed

src/JsonApiDotNetCore
- Middleware
  - JsonApiMiddleware.cs
- Serialization/Request/Adapters
test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency

14 files changed

+1917

-4

lines changed

`‎src/JsonApiDotNetCore/Middleware/JsonApiMiddleware.cs`

Lines changed: 35 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,11 @@ public async Task InvokeAsync(HttpContext httpContext, IControllerResourceMappin`
`67`	`67`
`68`	`68`	`SetupResourceRequest((JsonApiRequest)request, primaryResourceType, routeValues, httpContext.Request);`
`69`	`69`
	`70`	`+ if (!await ValidateVersionAsync(request, httpContext, options.SerializerWriteOptions))`
	`71`	`+ {`
	`72`	`+ return;`
	`73`	`+ }`
	`74`	`+`
`70`	`75`	`httpContext.RegisterJsonApiRequest();`
`71`	`76`	`}`
`72`	`77`	`else if (IsRouteForOperations(routeValues))`
`@@ -206,6 +211,36 @@ private static async Task<bool> ValidateAcceptHeaderAsync(MediaTypeHeaderValue a`
`206`	`211`	`return true;`
`207`	`212`	`}`
`208`	`213`
	`214`	`+ private static async Task<bool> ValidateVersionAsync(IJsonApiRequest request, HttpContext httpContext, JsonSerializerOptions serializerOptions)`
	`215`	`+ {`
	`216`	`+ if (!request.IsReadOnly)`
	`217`	`+ {`
	`218`	`+ if (request.PrimaryResourceType!.IsVersioned && request.WriteOperation != WriteOperationKind.CreateResource && request.PrimaryVersion == null)`
	`219`	`+ {`
	`220`	`+ await FlushResponseAsync(httpContext.Response, serializerOptions, new ErrorObject(HttpStatusCode.BadRequest)`
	`221`	`+ {`
	`222`	`+ Title = "The 'version' parameter is required at this endpoint.",`
	`223`	`+ Detail = $"Resources of type '{request.PrimaryResourceType.PublicName}' require the version to be specified."`
	`224`	`+ });`
	`225`	`+`
	`226`	`+ return false;`
	`227`	`+ }`
	`228`	`+`
	`229`	`+ if (!request.PrimaryResourceType.IsVersioned && request.PrimaryVersion != null)`
	`230`	`+ {`
	`231`	`+ await FlushResponseAsync(httpContext.Response, serializerOptions, new ErrorObject(HttpStatusCode.BadRequest)`
	`232`	`+ {`
	`233`	`+ Title = "The 'version' parameter is not supported at this endpoint.",`
	`234`	`+ Detail = $"Resources of type '{request.PrimaryResourceType.PublicName}' are not versioned."`
	`235`	`+ });`
	`236`	`+`
	`237`	`+ return false;`
	`238`	`+ }`
	`239`	`+ }`
	`240`	`+`
	`241`	`+ return true;`
	`242`	`+ }`
	`243`	`+`
`209`	`244`	`private static async Task FlushResponseAsync(HttpResponse httpResponse, JsonSerializerOptions serializerOptions, ErrorObject error)`
`210`	`245`	`{`
`211`	`246`	`httpResponse.ContentType = HeaderConstants.MediaType;`

`‎src/JsonApiDotNetCore/Serialization/Request/Adapters/AtomicOperationObjectAdapter.cs`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -145,6 +145,8 @@ private static ResourceIdentityRequirements CreateDataRequirements(AtomicReferen`
`145`	`145`	`IdConstraint = refRequirements.IdConstraint,`
`146`	`146`	`IdValue = refResult.Resource.StringId,`
`147`	`147`	`LidValue = refResult.Resource.LocalId,`
	`148`	`+ VersionConstraint = !refResult.ResourceType.IsVersioned ? JsonElementConstraint.Forbidden : null,`
	`149`	`+ VersionValue = refResult.Resource.GetVersion(),`
`148`	`150`	`RelationshipName = refResult.Relationship?.PublicName`
`149`	`151`	`};`
`150`	`152`	`}`

`‎src/JsonApiDotNetCore/Serialization/Request/Adapters/DocumentInResourceOrRelationshipRequestAdapter.cs`

Lines changed: 5 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,11 @@ private ResourceIdentityRequirements CreateIdentityRequirements(RequestAdapterSt`
`68`	`68`	`{`
`69`	`69`	`ResourceType = state.Request.PrimaryResourceType,`
`70`	`70`	`IdConstraint = idConstraint,`
`71`		`- IdValue = state.Request.PrimaryId`
	`71`	`+ IdValue = state.Request.PrimaryId,`
	`72`	`+ VersionConstraint = state.Request.PrimaryResourceType!.IsVersioned && state.Request.WriteOperation != WriteOperationKind.CreateResource`
	`73`	`+ ? JsonElementConstraint.Required`
	`74`	`+ : JsonElementConstraint.Forbidden,`
	`75`	`+ VersionValue = state.Request.PrimaryVersion`
`72`	`76`	`};`
`73`	`77`
`74`	`78`	`return requirements;`

`‎src/JsonApiDotNetCore/Serialization/Request/Adapters/RelationshipDataAdapter.cs`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@`
`2`	`2`	`using System.Collections;`
`3`	`3`	`using System.Collections.Generic;`
`4`	`4`	`using System.Linq;`
	`5`	`+using JsonApiDotNetCore.Middleware;`
`5`	`6`	`using JsonApiDotNetCore.Resources;`
`6`	`7`	`using JsonApiDotNetCore.Resources.Annotations;`
`7`	`8`	`using JsonApiDotNetCore.Serialization.Objects;`
`@@ -76,6 +77,8 @@ private static SingleOrManyData<ResourceIdentifierObject> ToIdentifierData(Singl`
`76`	`77`	`{`
`77`	`78`	`ResourceType = relationship.RightType,`
`78`	`79`	`IdConstraint = JsonElementConstraint.Required,`
	`80`	`+ VersionConstraint = !relationship.RightType.IsVersioned ? JsonElementConstraint.Forbidden :`
	`81`	`+ state.Request.Kind == EndpointKind.AtomicOperations ? null : JsonElementConstraint.Required,`
`79`	`82`	`RelationshipName = relationship.PublicName`
`80`	`83`	`};`
`81`	`84`

`‎src/JsonApiDotNetCore/Serialization/Request/Adapters/ResourceIdentityAdapter.cs`

Lines changed: 41 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ protected ResourceIdentityAdapter(IResourceGraph resourceGraph, IResourceFactory`
`34`	`34`	`ArgumentGuard.NotNull(state, nameof(state));`
`35`	`35`
`36`	`36`	`ResourceType resourceType = ResolveType(identity, requirements, state);`
`37`		`- IIdentifiable resource = CreateResource(identity, requirements, resourceType.ClrType, state);`
	`37`	`+ IIdentifiable resource = CreateResource(identity, requirements, resourceType, state);`
`38`	`38`
`39`	`39`	`return (resource, resourceType);`
`40`	`40`	`}`
`@@ -80,7 +80,7 @@ private static void AssertIsCompatibleResourceType(ResourceType actual, Resource`
`80`	`80`	`}`
`81`	`81`	`}`
`82`	`82`
`83`		`- private IIdentifiable CreateResource(IResourceIdentity identity, ResourceIdentityRequirements requirements, TyperesourceClrType,`
	`83`	`+ private IIdentifiable CreateResource(IResourceIdentity identity, ResourceIdentityRequirements requirements, ResourceTyperesourceType,`
`84`	`84`	`RequestAdapterState state)`
`85`	`85`	`{`
`86`	`86`	`if (state.Request.Kind != EndpointKind.AtomicOperations)`
`@@ -99,10 +99,20 @@ private IIdentifiable CreateResource(IResourceIdentity identity, ResourceIdentit`
`99`	`99`	`AssertHasNoId(identity, state);`
`100`	`100`	`}`
`101`	`101`
	`102`	`+ if (requirements.VersionConstraint == JsonElementConstraint.Required)`
	`103`	`+ {`
	`104`	`+ AssertHasVersion(identity, state);`
	`105`	`+ }`
	`106`	`+ else if (!resourceType.IsVersioned \|\| requirements.VersionConstraint == JsonElementConstraint.Forbidden)`
	`107`	`+ {`
	`108`	`+ AssertHasNoVersion(identity, state);`
	`109`	`+ }`
	`110`	`+`
`102`	`111`	`AssertSameIdValue(identity, requirements.IdValue, state);`
`103`	`112`	`AssertSameLidValue(identity, requirements.LidValue, state);`
	`113`	`+ AssertSameVersionValue(identity, requirements.VersionValue, state);`
`104`	`114`
`105`		`- IIdentifiable resource = _resourceFactory.CreateInstance(resourceClrType);`
	`115`	`+ IIdentifiable resource = _resourceFactory.CreateInstance(resourceType.ClrType);`
`106`	`116`	`AssignStringId(identity, resource, state);`
`107`	`117`	`resource.LocalId = identity.Lid;`
`108`	`118`	`resource.SetVersion(identity.Version);`
`@@ -159,6 +169,23 @@ private static void AssertHasNoId(IResourceIdentity identity, RequestAdapterStat`
`159`	`169`	`}`
`160`	`170`	`}`
`161`	`171`
	`172`	`+ private static void AssertHasVersion(IResourceIdentity identity, RequestAdapterState state)`
	`173`	`+ {`
	`174`	`+ if (identity.Version == null)`
	`175`	`+ {`
	`176`	`+ throw new ModelConversionException(state.Position, "The 'version' element is required.", null);`
	`177`	`+ }`
	`178`	`+ }`
	`179`	`+`
	`180`	`+ private static void AssertHasNoVersion(IResourceIdentity identity, RequestAdapterState state)`
	`181`	`+ {`
	`182`	`+ if (identity.Version != null)`
	`183`	`+ {`
	`184`	`+ using IDisposable _ = state.Position.PushElement("version");`
	`185`	`+ throw new ModelConversionException(state.Position, "Unexpected 'version' element.", null);`
	`186`	`+ }`
	`187`	`+ }`
	`188`	`+`
`162`	`189`	`private static void AssertSameIdValue(IResourceIdentity identity, string? expected, RequestAdapterState state)`
`163`	`190`	`{`
`164`	`191`	`if (expected != null && identity.Id != expected)`
`@@ -181,6 +208,17 @@ private static void AssertSameLidValue(IResourceIdentity identity, string? expec`
`181`	`208`	`}`
`182`	`209`	`}`
`183`	`210`
	`211`	`+ private static void AssertSameVersionValue(IResourceIdentity identity, string? expected, RequestAdapterState state)`
	`212`	`+ {`
	`213`	`+ if (expected != null && identity.Version != expected)`
	`214`	`+ {`
	`215`	`+ using IDisposable _ = state.Position.PushElement("version");`
	`216`	`+`
	`217`	`+ throw new ModelConversionException(state.Position, "Conflicting 'version' values found.",`
	`218`	`+ $"Expected '{expected}' instead of '{identity.Version}'.", HttpStatusCode.Conflict);`
	`219`	`+ }`
	`220`	`+ }`
	`221`	`+`
`184`	`222`	`private void AssignStringId(IResourceIdentity identity, IIdentifiable resource, RequestAdapterState state)`
`185`	`223`	`{`
`186`	`224`	`if (identity.Id != null)`

`‎src/JsonApiDotNetCore/Serialization/Request/Adapters/ResourceIdentityRequirements.cs`

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,16 @@ public sealed class ResourceIdentityRequirements`
`30`	`30`	`/// </summary>`
`31`	`31`	`public string? LidValue { get; init; }`
`32`	`32`
	`33`	`+ /// <summary>`
	`34`	`+ /// When not null, indicates the presence or absence of the "version" element.`
	`35`	`+ /// </summary>`
	`36`	`+ public JsonElementConstraint? VersionConstraint { get; init; }`
	`37`	`+`
	`38`	`+ /// <summary>`
	`39`	`+ /// When not null, indicates what the value of the "version" element must be.`
	`40`	`+ /// </summary>`
	`41`	`+ public string? VersionValue { get; init; }`
	`42`	`+`
`33`	`43`	`/// <summary>`
`34`	`44`	`/// When not null, indicates the name of the relationship to use in error messages.`
`35`	`45`	`/// </summary>`

`‎test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/ConcurrencyDbContext.cs`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@ public sealed class ConcurrencyDbContext : DbContext`
`15`	`15`	`public DbSet<WebImage> WebImages => Set<WebImage>();`
`16`	`16`	`public DbSet<PageFooter> PageFooters => Set<PageFooter>();`
`17`	`17`	`public DbSet<WebLink> WebLinks => Set<WebLink>();`
	`18`	`+ public DbSet<DeploymentJob> DeploymentJobs => Set<DeploymentJob>();`
`18`	`19`
`19`	`20`	`public ConcurrencyDbContext(DbContextOptions<ConcurrencyDbContext> options)`
`20`	`21`	`: base(options)`

`‎test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/ConcurrencyFakers.cs`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -48,12 +48,18 @@ internal sealed class ConcurrencyFakers : FakerContainer`
`48`	`48`	`.RuleFor(webLink => webLink.Url, faker => faker.Internet.Url())`
`49`	`49`	`.RuleFor(webLink => webLink.OpensInNewTab, faker => faker.Random.Bool()));`
`50`	`50`
	`51`	`+ private readonly Lazy<Faker<DeploymentJob>> _lazyDeploymentJobFaker = new(() =>`
	`52`	`+ new Faker<DeploymentJob>()`
	`53`	`+ .UseSeed(GetFakerSeed())`
	`54`	`+ .RuleFor(deploymentJob => deploymentJob.StartedAt, faker => faker.Date.PastOffset()));`
	`55`	`+`
`51`	`56`	`public Faker<WebPage> WebPage => _lazyWebPageFaker.Value;`
`52`	`57`	`public Faker<FriendlyUrl> FriendlyUrl => _lazyFriendlyUrlFaker.Value;`
`53`	`58`	`public Faker<TextBlock> TextBlock => _lazyTextBlockFaker.Value;`
`54`	`59`	`public Faker<Paragraph> Paragraph => _lazyParagraphFaker.Value;`
`55`	`60`	`public Faker<WebImage> WebImage => _lazyWebImageFaker.Value;`
`56`	`61`	`public Faker<PageFooter> PageFooter => _lazyPageFooterFaker.Value;`
`57`	`62`	`public Faker<WebLink> WebLink => _lazyWebLinkFaker.Value;`
	`63`	`+ public Faker<DeploymentJob> DeploymentJob => _lazyDeploymentJobFaker.Value;`
`58`	`64`	`}`
`59`	`65`	`}`

`‎test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/DeploymentJob.cs`

Lines changed: 23 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,23 @@`
	`1`	`+using System;`
	`2`	`+using System.Collections.Generic;`
	`3`	`+using System.ComponentModel.DataAnnotations;`
	`4`	`+using JetBrains.Annotations;`
	`5`	`+using JsonApiDotNetCore.Resources;`
	`6`	`+using JsonApiDotNetCore.Resources.Annotations;`
	`7`	`+`
	`8`	`+namespace JsonApiDotNetCoreTests.IntegrationTests.OptimisticConcurrency`
	`9`	`+{`
	`10`	`+ [UsedImplicitly(ImplicitUseTargetFlags.Members)]`
	`11`	`+ public sealed class DeploymentJob : Identifiable<Guid>`
	`12`	`+ {`
	`13`	`+ [Attr]`
	`14`	`+ [Required]`
	`15`	`+ public DateTimeOffset? StartedAt { get; set; }`
	`16`	`+`
	`17`	`+ [HasOne]`
	`18`	`+ public DeploymentJob? ParentJob { get; set; }`
	`19`	`+`
	`20`	`+ [HasMany]`
	`21`	`+ public IList<DeploymentJob> ChildJobs { get; set; } = new List<DeploymentJob>();`
	`22`	`+ }`
	`23`	`+}`

`‎test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/DeploymentJobsController.cs`

Lines changed: 17 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,17 @@`
	`1`	`+using System;`
	`2`	`+using JsonApiDotNetCore.Configuration;`
	`3`	`+using JsonApiDotNetCore.Controllers;`
	`4`	`+using JsonApiDotNetCore.Services;`
	`5`	`+using Microsoft.Extensions.Logging;`
	`6`	`+`
	`7`	`+namespace JsonApiDotNetCoreTests.IntegrationTests.OptimisticConcurrency`
	`8`	`+{`
	`9`	`+ public sealed class DeploymentJobsController : JsonApiController<DeploymentJob, Guid>`
	`10`	`+ {`
	`11`	`+ public DeploymentJobsController(IJsonApiOptions options, IResourceGraph resourceGraph, ILoggerFactory loggerFactory,`
	`12`	`+ IResourceService<DeploymentJob, Guid> resourceService)`
	`13`	`+ : base(options, resourceGraph, loggerFactory, resourceService)`
	`14`	`+ {`
	`15`	`+ }`
	`16`	`+ }`
	`17`	`+}`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit 48d8c12

File tree

14 files changed

14 files changed

`‎src/JsonApiDotNetCore/Middleware/JsonApiMiddleware.cs`

`‎src/JsonApiDotNetCore/Serialization/Request/Adapters/AtomicOperationObjectAdapter.cs`

`‎src/JsonApiDotNetCore/Serialization/Request/Adapters/DocumentInResourceOrRelationshipRequestAdapter.cs`

`‎src/JsonApiDotNetCore/Serialization/Request/Adapters/RelationshipDataAdapter.cs`

`‎src/JsonApiDotNetCore/Serialization/Request/Adapters/ResourceIdentityAdapter.cs`

`‎src/JsonApiDotNetCore/Serialization/Request/Adapters/ResourceIdentityRequirements.cs`

`‎test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/ConcurrencyDbContext.cs`

`‎test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/ConcurrencyFakers.cs`

`‎test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/DeploymentJob.cs`

`‎test/JsonApiDotNetCoreTests/IntegrationTests/OptimisticConcurrency/DeploymentJobsController.cs`

0 commit comments