upload: don't ignore BindJSON errors #999
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## main #999 +/- ##
==========================================
- Coverage 20.85% 20.14% -0.71%
==========================================
Files 42 42
Lines 2570 3221 +651
==========================================
+ Hits 536 649 +113
- Misses 1949 2487 +538
Partials 85 85
Code LGTM. I did not test it.
Nice catch!
Tested on Linux.
curl -d @/tmp/a.json -v 'http://127.0.0.1:8991/upload' \
-H 'Accept: */*' \
-H 'Accept-Language: en-US,en;q=0.5' \
-H 'Cache-Control: no-cache' \
-H 'Connection: keep-alive' \
-H 'Content-Type: text/plain;charset=UTF-8' \
-H 'DNT: 1' \
-H 'Origin: https://app.oniudra.cc/' \
-H 'Pragma: no-cache' \
-H 'Sec-Fetch-Dest: empty' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Sec-Fetch-Site: cross-site' \
-H 'Sec-GPC: 1' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36' \
-H 'sec-ch-ua: "Brave";v="129", "Not=A?Brand";v="8", "Chromium";v="129"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "Linux"'
* Trying 127.0.0.1:8991...
* Connected to 127.0.0.1 (127.0.0.1) port 8991
> POST /upload HTTP/1.1
> Host: 127.0.0.1:8991
> Accept: */*
> Accept-Language: en-US,en;q=0.5
> Cache-Control: no-cache
> Connection: keep-alive
> Content-Type: text/plain;charset=UTF-8
> DNT: 1
> Origin: https://app.oniudra.cc/
> Pragma: no-cache
> Sec-Fetch-Dest: empty
> Sec-Fetch-Mode: cors
> Sec-Fetch-Site: cross-site
> Sec-GPC: 1
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
> sec-ch-ua: "Brave";v="129", "Not=A?Brand";v="8", "Chromium";v="129"
> sec-ch-ua-mobile: ?0
> sec-ch-ua-platform: "Linux"
> Content-Length: 406653
>
* We are completely uploaded and fine
< HTTP/1.1 400 Bad Request
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Origin: https://app.oniudra.cc/
< Vary: Origin
< Date: Thu, 24 Oct 2024 11:43:43 GMT
< Content-Length: 62
< Content-Type: text/plain; charset=utf-8
<
* Connection #0 to host 127.0.0.1 left intact
err with the payload. illegal base64 data at input byte 381416%
The test payload is in the attachment.
When we send an HTTP request to the `upload` endpoint, we include a JSON payload. This payload is then decoded into the `Upload` struct using the `BindJSON` function from the Gin framework.

However, when we have a `[]byte` field, the expectation is that the corresponding field sent over the wire is base64 encoded with padding. If the value is not properly padded, the function returns an error.

Before this PR, we were silently ignoring this error, leading to odd behavior on the frontend:

- `hex` field containing an unpadded base64 string is sent.
- `BindJSON` silently fails and sets the HTTP status to 400.

This PR fixes the issue by properly checking for `BindJSON` errors and exiting early if any are found.

I'm not sure if the error was ignored intentionally for compatibility reasons, but I don’t think so, since this endpoint is used by the cloud editor, which behaves unpredictably when receiving a 400 error.
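
The decoding behaviour described in this PR, as an added example that is not part of the PR or the project's code: a `[]byte` field rejects unpadded base64, and a handler either drops that error or returns early on it. It assumes the standard library's `encoding/json` and `net/http` in place of Gin's `BindJSON`; the `Upload` struct shape, `uploadHandler`, `post` and the payloads are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Upload is a hypothetical stand-in for the project's struct; only the
// []byte field matters. encoding/json decodes it from padded standard base64.
type Upload struct {
	Hex []byte `json:"hex"`
}

// uploadHandler returns a handler for the JSON body. With checkErr=false the
// decode error is dropped (the pattern the PR removes) and the handler keeps
// going with an empty Hex; with checkErr=true it answers 400 and stops.
func uploadHandler(checkErr bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var u Upload
		err := json.NewDecoder(r.Body).Decode(&u)
		if err != nil && checkErr {
			http.Error(w, "err with the payload. "+err.Error(), http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "received %d bytes", len(u.Hex))
	}
}

// post sends body to the handler in-process and returns status and response text.
func post(checkErr bool, body string) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/upload", strings.NewReader(body))
	uploadHandler(checkErr)(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	padded, unpadded := `{"hex":"aGVsbG8="}`, `{"hex":"aGVsbG8"}` // constructed payloads
	fmt.Println(post(true, padded))
	fmt.Println(post(true, unpadded))
	fmt.Println(post(false, unpadded)) // error ignored: handler runs on empty data
}
```

Unlike the Gin behaviour described above, the standard-library decoder does not set a status by itself, so the unchecked path here answers 200 with an empty field.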