Reject non json formats

philippthun · philippthun · commit 4ed37bc8af7a · 2022-07-13T21:05:03.000+02:00
diff --git a/app/controllers/v3/application_controller.rb b/app/controllers/v3/application_controller.rb
@@ -68,6 +68,7 @@ class ApplicationController < ActionController::Base
   before_action :check_write_permissions!, if: :enforce_write_scope?
   before_action :hashify_params
   before_action :null_coalesce_body
+  before_action :validate_content_type!
 
   rescue_from CloudController::Blobstore::BlobstoreError, with: :handle_blobstore_error
   rescue_from CloudController::Errors::NotAuthenticated, with: :handle_not_authenticated
@@ -211,6 +212,24 @@ def null_coalesce_body
     hashed_params[:body] ||= {}
   end
 
+  def validate_content_type!
+    unless request_content_type_is_json?
+      logger.error("Content-type isn't json: #{request.content_type}")
+      bad_request!('Content-Type must be json')
+    end
+    unless requested_format_is_json_or_none?
+      bad_request!('Requested format must be json or none')
+    end
+  end
+
+  def request_content_type_is_json?
+    Mime::Type.lookup(request.content_type) == :json
+  end
+
+  def requested_format_is_json_or_none?
+    !hashed_params.include?(:format) || hashed_params[:format] == 'json'
+  end
+
   def membership
     @membership ||= Membership.new(current_user)
   end
diff --git a/app/controllers/v3/space_manifests_controller.rb b/app/controllers/v3/space_manifests_controller.rb
@@ -8,8 +8,6 @@
 class SpaceManifestsController < ApplicationController
   wrap_parameters :body, format: [:yaml]
 
-  before_action :validate_content_type!
-
   def apply_manifest
     space = Space.find(guid: hashed_params[:guid])
     space_not_found! unless space && permission_queryer.can_read_from_space?(space.guid, space.organization.guid)
@@ -86,16 +84,23 @@ def compound_error!(error_messages)
   end
 
   def validate_content_type!
-    if !request_content_type_is_yaml?
+    unless request_content_type_is_yaml?
       logger.error("Content-type isn't yaml: #{request.content_type}")
       bad_request!('Content-Type must be yaml')
     end
+    unless requested_format_is_yaml_or_none?
+      bad_request!('Requested format must be yaml or none')
+    end
   end
 
   def request_content_type_is_yaml?
     Mime::Type.lookup(request.content_type) == :yaml
   end
 
+  def requested_format_is_yaml_or_none?
+    !hashed_params.include?(:format) || %w[yaml yml].include?(hashed_params[:format])
+  end
+
   def check_version_is_supported!
     version = parsed_yaml['version']
     raise unprocessable!('Unsupported manifest schema version. Currently supported versions: [1].') unless !version || version == 1
