Merge pull request #2194 from guardicore/2191-trailing-url-slashes

Island: Remove trailing slashes before registering a URL
2022-08-15 14:25:28 -04:00 · 2022-08-15 14:25:28 -04:00 · 500eeeb582
parent 96f794e192 a67a4418c9
commit 500eeeb582
4 changed files with 19 additions and 5 deletions
--- a/monkey/monkey_island/cc/app.py
+++ b/monkey/monkey_island/cc/app.py
@ -129,6 +129,13 @@ class FlaskDIWrapper:

        self._reserve_urls(resource.urls)

+        # enforce our rule that URLs should not contain a trailing slash
+        for url in resource.urls:
+            if url.endswith("/"):
+                raise ValueError(
+                    f"Resource {resource.__name__} has an invalid URL: A URL "
+                    "should not have a trailing slash."
+                )
        dependencies = self._container.resolve_dependencies(resource)
        self._api.add_resource(resource, *resource.urls, resource_class_args=dependencies)

--- a/monkey/monkey_island/cc/resources/propagation_credentials.py
+++ b/monkey/monkey_island/cc/resources/propagation_credentials.py
@ -11,7 +11,7 @@ _stolen_collection = "stolen-credentials"


 class PropagationCredentials(AbstractResource):
-    urls = ["/api/propagation-credentials/", "/api/propagation-credentials/<string:collection>"]
+    urls = ["/api/propagation-credentials", "/api/propagation-credentials/<string:collection>"]

    def __init__(self, credentials_repository: ICredentialsRepository):
        self._credentials_repository = credentials_repository
--- a/monkey/tests/unit_tests/monkey_island/cc/resources/test_propagation_credentials.py
+++ b/monkey/tests/unit_tests/monkey_island/cc/resources/test_propagation_credentials.py
@ -22,8 +22,8 @@ from monkey_island.cc.resources.propagation_credentials import (
 )

 ALL_CREDENTIALS_URL = PropagationCredentials.urls[0]
-CONFIGURED_CREDENTIALS_URL = urljoin(ALL_CREDENTIALS_URL, _configured_collection)
-STOLEN_CREDENTIALS_URL = urljoin(ALL_CREDENTIALS_URL, _stolen_collection)
+CONFIGURED_CREDENTIALS_URL = urljoin(ALL_CREDENTIALS_URL + "/", _configured_collection)
+STOLEN_CREDENTIALS_URL = urljoin(ALL_CREDENTIALS_URL + "/", _stolen_collection)


@pytest.fixture
@ -105,7 +105,7 @@ def test_all_propagation_credentials_endpoint__put_not_allowed(flask_client):
    assert resp.status_code == HTTPStatus.METHOD_NOT_ALLOWED


-NON_EXISTENT_COLLECTION_URL = urljoin(ALL_CREDENTIALS_URL, "bogus-credentials")
+NON_EXISTENT_COLLECTION_URL = urljoin(ALL_CREDENTIALS_URL + "/", "bogus-credentials")


 def test_propagation_credentials_endpoint__get_not_found(flask_client):
--- a/monkey/tests/unit_tests/monkey_island/cc/test_app.py
+++ b/monkey/tests/unit_tests/monkey_island/cc/test_app.py
@ -75,9 +75,16 @@ def test_url_check_slash_stripping__trailing_slash(resource_manager):


 def test_url_check_slash_stripping__path_separation(resource_manager):
-    resource3 = get_mock_resource("res3", ["/beef/face/"])
+    resource3 = get_mock_resource("res3", ["/beef/face"])
    resource4 = get_mock_resource("res4", ["/beefface"])

    # Following shouldn't raise and exception
    resource_manager.add_resource(resource3)
    resource_manager.add_resource(resource4)
+
+
+def test_trailing_slash_enforcement(resource_manager):
+    bad_endpoint = "/beef/face/"
+    with pytest.raises(ValueError):
+        resource3 = get_mock_resource("res3", [f"{bad_endpoint}"])
+        resource_manager.add_resource(resource3)