Merge pull request #2818 from bacongobbler/you-shall-not-build

Matthew Fisher · Matthew Fisher · commit 3e38d6005607 · 2014-12-30T08:41:41.000-08:00
fix(controller): disallow evil users from creating builds
diff --git a/controller/api/tests/test_build.py b/controller/api/tests/test_build.py
@@ -172,7 +172,6 @@ def test_build_default_containers(self):
     def test_build_str(self):
         """Test the text representation of a build."""
         url = '/v1/apps'
-        response = self.client.post(url)
         response = self.client.post(url, HTTP_AUTHORIZATION='token {}'.format(self.token))
         self.assertEqual(response.status_code, 201)
         app_id = response.data['id']
@@ -207,3 +206,18 @@ def test_admin_can_create_builds_on_other_apps(self):
         build = Build.objects.get(uuid=response.data['uuid'])
         self.assertEqual(str(build), "{}-{}".format(
                          response.data['app'], response.data['uuid'][:7]))
+
+    @mock.patch('requests.post', mock_import_repository_task)
+    def test_unauthorized_user_cannot_create_build(self):
+        """An unauthorized user should not be able to create builds for other apps."""
+        url = '/v1/apps'
+        response = self.client.post(url, HTTP_AUTHORIZATION='token {}'.format(self.token))
+        app_id = response.data['id']
+        # attempt to create a build as a malicious user
+        evil_user = User.objects.get(username='autotest2')
+        evil_token = Token.objects.get(user=evil_user).key
+        url = "/v1/apps/{app_id}/builds".format(**locals())
+        body = {'image': 'eeeeeevillllll'}
+        response = self.client.post(url, json.dumps(body), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(evil_token))
+        self.assertEqual(response.status_code, 403)
diff --git a/controller/api/views.py b/controller/api/views.py
@@ -260,6 +260,7 @@ def get_success_headers(self, data):
 
     def create(self, request, *args, **kwargs):
         app = get_object_or_404(models.App, id=self.kwargs['id'])
+        self.check_object_permissions(self.request, app)
         request._data = request.DATA.copy()
         request.DATA['app'] = app
         try:
