fix: ensure webhook hosts cannot contain templated parameters

pact-foundation · Jun 9, 2018 · fe05919 · fe05919
1 parent c91d04e
commit fe05919
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 3 deletions.
diff --git a/lib/pact_broker/api/contracts/webhook_contract.rb b/lib/pact_broker/api/contracts/webhook_contract.rb
@@ -97,17 +97,21 @@ def allowed_webhook_host?(url)
                 end
               end
 
+              def non_templated_host?(url)
+                parse_uri(url).host == parse_uri(url, 'differentplaceholder').host
+              end
+
               def host_whitelist
                 PactBroker.configuration.webhook_host_whitelist
               end
 
-              def parse_uri(uri_string)
-                URI(uri_string.gsub(/\$\{pactbroker\.[^\}]+\}/, 'placeholder'))
+              def parse_uri(uri_string, placeholder = 'placeholder')
+                URI(uri_string.gsub(/\$\{pactbroker\.[^\}]+\}/, placeholder))
               end
             end
 
             required(:http_method).filled(:valid_method?, :allowed_webhook_method?)
-            required(:url).filled(:valid_url?, :allowed_webhook_scheme?, :allowed_webhook_host?)
+            required(:url).filled(:valid_url?, :allowed_webhook_scheme?, :allowed_webhook_host?, :non_templated_host?)
           end
         end
 

diff --git a/lib/pact_broker/locale/en.yml b/lib/pact_broker/locale/en.yml
@@ -7,6 +7,7 @@ en:
     valid_version_number?: "Version number '%{value}' cannot be parsed to a version number. The expected format (unless this configuration has been overridden) is a semantic version. eg. 1.3.0 or 2.0.4.rc1"
     name_in_path_matches_name_in_pact?: "does not match %{left} name in path ('%{right}')."
     valid_consumer_version_number?: "Consumer version number '%{value}' cannot be parsed to a version number. The expected format (unless this configuration has been overridden) is a semantic version. eg. 1.3.0 or 2.0.4.rc1"
+    non_templated_host?: "cannot have a template parameter in the host"
 
   pact_broker:
     messages:

diff --git a/spec/lib/pact_broker/api/contracts/webhook_contract_spec.rb b/spec/lib/pact_broker/api/contracts/webhook_contract_spec.rb
@@ -191,6 +191,18 @@ def valid_webhook_with
               expect(subject.errors).to be_empty
             end
           end
+
+          context "with a URL that has templated parameters in the host" do
+            let(:json) do
+              valid_webhook_with do |hash|
+                hash['request']['url'] = 'https://${pactbroker.consumerVersionNumber}/commits'
+              end
+            end
+
+            it "contains an error" do
+              expect(subject.errors[:"request.url"]).to eq ["cannot have a template parameter in the host"]
+            end
+          end
         end
       end
     end