From a6b170eca31da6600eff6ae8e47ea89551dc31d3 Mon Sep 17 00:00:00 2001
From: swag
Date: Sat, 9 Apr 2022 15:35:24 -0400
Subject: [PATCH] Throw 400s for invalid input
---
 guestbook-ng.pl | 11 +++++++++--
 t/sign.t | 11 ++++++++---
 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/guestbook-ng.pl b/guestbook-ng.pl
index f2df915..5e6614c 100755
--- a/guestbook-ng.pl
+++ b/guestbook-ng.pl
@@ -64,7 +64,7 @@ get '/' => sub ($c) { $c->redirect_to(page => {page => 'view'}) };
 any [qw{GET POST}], '/sign' => sub ($c) {
 my $v = $c->validation() if $c->req->method eq 'POST';
- if ($c->req->method eq 'POST' && $v->has_data) {
+ if ($v && $v->has_data) {
 my $name = $c->param('name') || 'Anonymous';
 my $url = $c->param('url');
 my $message = $c->param('message');
@@ -78,7 +78,10 @@ any [qw{GET POST}], '/sign' => sub ($c) {
 $v->optional('url', 'not_empty')->size(1, 255) ->like(qr/$RE{URI}{HTTP}{-scheme => qr}/);
- unless ($v->has_error) {
+ if ($v->has_error) {
+ $c->stash(status => 400)
+ }
+ else {
 $c->message->create_post($name, $message, $url, $spam);
 $c->flash(error => 'This message was flagged as spam') if $spam;
@@ -86,6 +89,10 @@ any [qw{GET POST}], '/sign' => sub ($c) {
 return $c->redirect_to(page => {page => 'view'});
 }
 }
+ # Throw a 400 for POST with null body too
+ elsif ($v) {
+ $c->stash(status => 400)
+ }
 # Try to randomize things for the CAPTCHA challenge. The
 # string 'false' actually evaluates to true so this is an
diff --git a/t/sign.t b/t/sign.t
index 6f90c21..2f11721 100644
--- a/t/sign.t
+++ b/t/sign.t
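Review bot: The new condition `if ($v && $v->has_data)` drops the explicit method check and relies on `$v` being undef for a GET, but the line above declares it as `my $v = $c->validation() if $c->req->method eq 'POST';`, and perlsyn documents a `my` with a statement-modifier conditional as undefined behaviour: when the modifier is false the `my` is skipped and the pad slot is not guaranteed to be cleared. Because this route callback is reused across requests, a GET could in principle observe a validation object left over from an earlier call, and the `elsif ($v)` added in the third hunk depends on the same assumption. Declare it unconditionally instead: `my $v = $c->req->method eq 'POST' ? $c->validation() : undef;`. The body of the `any` handler continues beyond this hunk.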
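Review bot: `$c->stash(status => 400)` in the new error branch has no trailing semicolon, and the same applies to the `elsif ($v)` branch in the next hunk; a last statement in a block parses without it, but `$c->stash(status => 400);` matches the surrounding lines and avoids a syntax error when a statement is later appended. It would also help to say why nothing is rendered here, since setting the status is the only action in the branch; something like `# Set the status only: fall through so the form is re-rendered with the validation errors and a 400`, assuming the render that serves the sign page sits at the end of the handler, which is outside this hunk.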
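Review bot: The comment `# Throw a 400 for POST with null body too` is narrower than the condition it describes: this `elsif ($v)` is reached whenever `$v->has_data` is false, which, if `has_data` behaves as in Mojolicious::Validator::Validation, means the request carried no parameters at all, not only an empty body (a POST with a non-form content type lands here as well). Suggest `# POST with no form parameters at all (not just an empty body): answer 400 and fall through to re-render the form`. Unlike the validation-error branch above, this path sets no error message, so a client only sees a bare 400 with the blank form; whether a later render covers that cannot be seen here because the handler continues past the hunk.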
@@ -26,18 +26,23 @@ my %valid_form = (
 message => 'Ayy... lmao',
 answer => 'false'
 );
+# Null POST body
+my %null_form;
 $t->ua->max_redirects(1);
 # Valid requests
 $t->get_ok('/sign')->status_is(200)->text_is(h2 => 'Sign the Guestbook');
-$t->post_ok('/sign', form => \%valid_form)->status_is(200);
+$t->post_ok('/sign', form => \%valid_form)->status_is(200)
+ ->text_is(h2 => 'Messages from the World Wide Web');
 # Invalid input
-$t->post_ok('/sign', form => \%invalid_form)->status_is(200)
+$t->post_ok('/sign', form => \%invalid_form)->status_is(400)
 ->content_like(qr/cannot be blank/);
-$t->post_ok('/sign', form => \%invalid_form)->status_is(200)
+$t->post_ok('/sign', form => \%invalid_form)->status_is(400)
 ->content_like(qr/URL does not appear to be/);
+$t->post_ok('/sign', form => \%null_form)->status_is(400)
+ ->text_is(h2 => 'Sign the Guestbook');
# Spam test
 $t->post_ok('/sign', form => \%spam_form)->status_is(403)
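Review bot: The new `%null_form` case exercises only one shape of "no input": `form => \%null_form` still sends a form-encoded request (an empty urlencoded body, if Mojo::UserAgent's form generator behaves as I recall), so it does not cover a POST that carries no body or form content type at all, which is the case the handler's new `elsif ($v)` branch is commented as handling. Adding `$t->post_ok('/sign')->status_is(400);` next to it would pin that down. The two `%invalid_form` posts also expect different messages from an identical request; since `%invalid_form` is defined above the hunk I cannot tell whether it deliberately carries both a blank field and a bad URL, but a one-line comment saying so would save the next reader the lookup.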