fix: enable resource identifiers to contain forward slashes

This enables tag names such as 'feat/foo' to be used when escaped. To do this, the path_traversal rack protection was disabled
mattermack · Sep 7, 2017 · d875079 · d875079
1 parent 6ca27cc
commit d875079
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/lib/pact_broker/app.rb b/lib/pact_broker/app.rb
@@ -78,7 +78,7 @@ def prepare_app
     end
 
     def configure_middleware
-      @app_builder.use Rack::Protection, except: [:remote_token, :session_hijacking, :http_origin]
+      @app_builder.use Rack::Protection, except: [:path_traversal, :remote_token, :session_hijacking, :http_origin]
       @app_builder.use Rack::PactBroker::InvalidUriProtection
       @app_builder.use Rack::PactBroker::AddPactBrokerVersionHeader
       @app_builder.use Rack::Static, :urls => ["/stylesheets", "/css", "/fonts", "/js", "/javascripts", "/images"], :root => PactBroker.project_root.join("public")

diff --git a/spec/integration/app_spec.rb b/spec/integration/app_spec.rb
@@ -187,5 +187,15 @@ module PactBroker
         expect(last_response.status).to eq 404
       end
     end
+
+    describe "when a resource identifier contains a slash" do
+      let(:path) { "/pacticipants/Foo/versions/1.2.3/tags/feat%2Fbar" }
+
+      subject { put path, nil, {'CONTENT_TYPE' => 'application/json'}; last_response }
+
+      it "returns a success status" do
+        expect(subject.status).to eq 201
+      end
+    end
   end
 end