SONAR-7300 Fail when WS request is PUT or DELETE
authorJulien Lancelot <julien.lancelot@sonarsource.com>
Fri, 6 Jan 2017 09:14:12 +0000 (10:14 +0100)
committerJulien Lancelot <julien.lancelot@sonarsource.com>
Tue, 10 Jan 2017 08:56:55 +0000 (09:56 +0100)
server/sonar-server/src/main/java/org/sonar/server/ws/RequestVerifier.java
server/sonar-server/src/test/java/org/sonar/server/ws/WebServiceEngineTest.java

index 5e86d884387ad3c9d697383fff60831ae6946c38..5a3fa8e1487ebb012adec77ec8bf415d89efb287 100644 (file)
@@ -23,7 +23,7 @@ import org.sonar.api.server.ws.Request;
 import org.sonar.api.server.ws.WebService;
 import org.sonar.server.exceptions.ServerException;
 
-import javax.servlet.http.HttpServletResponse;
+import static javax.servlet.http.HttpServletResponse.SC_METHOD_NOT_ALLOWED;
 
 public class RequestVerifier {
   private RequestVerifier() {
@@ -31,9 +31,17 @@ public class RequestVerifier {
   }
 
   public static void verifyRequest(WebService.Action action, Request request) {
-    // verify the HTTP verb
-    if (action.isPost() && !"POST".equals(request.method())) {
-      throw new ServerException(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "HTTP method POST is required");
+    switch (request.method()) {
+      case "GET":
+        if (action.isPost()) {
+          throw new ServerException(SC_METHOD_NOT_ALLOWED, "HTTP method POST is required");
+        }
+        return;
+      case "PUT":
+      case "DELETE":
+        throw new ServerException(SC_METHOD_NOT_ALLOWED, String.format("HTTP method %s is not allowed", request.method()));
+      default:
+        // Nothing to do
     }
   }
 }
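Review bot: The `case "GET":` branch in verifyRequest narrows the old guarantee. Before this change a POST action refused every method other than POST; now only GET is refused, and anything that falls to `default` (HEAD, PATCH, OPTIONS, or a verb in different case) passes the verifier for a state-changing action. Whether a layer in front of this class already filters those verbs is not visible in the diff, so the check should not depend on it. The switch also throws a NullPointerException if `request.method()` returns null, which the old `"POST".equals(...)` form did not. Keeping the original POST requirement and adding the PUT/DELETE refusal in front of it preserves both error messages the tests expect.

```java
  public static void verifyRequest(WebService.Action action, Request request) {
    String method = request.method();
    if ("PUT".equals(method) || "DELETE".equals(method)) {
      throw new ServerException(SC_METHOD_NOT_ALLOWED, String.format("HTTP method %s is not allowed", method));
    }
    // a POST action refuses every other verb, not only GET
    if (action.isPost() && !"POST".equals(method)) {
      throw new ServerException(SC_METHOD_NOT_ALLOWED, "HTTP method POST is required");
    }
  }
```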
index b1eaf0ecb8275c764ae72ffb0cb635f5eb9c5a32..675fb59c1559e2366ab802e5b64aac720cbc8a26 100644 (file)
@@ -147,6 +147,24 @@ public class WebServiceEngineTest {
     assertThat(response.stream().outputAsString()).isEqualTo("{\"errors\":[{\"msg\":\"HTTP method POST is required\"}]}");
   }
 
+  @Test
+  public void method_put_not_allowed() {
+    ValidatingRequest request = new TestRequest().setMethod("PUT").setPath("/api/system/ping");
+    DumbResponse response = new DumbResponse();
+    underTest.execute(request, response);
+
+    assertThat(response.stream().outputAsString()).isEqualTo("{\"errors\":[{\"msg\":\"HTTP method PUT is not allowed\"}]}");
+  }
+
+  @Test
+  public void method_delete_not_allowed() {
+    ValidatingRequest request = new TestRequest().setMethod("DELETE").setPath("/api/system/ping");
+    DumbResponse response = new DumbResponse();
+    underTest.execute(request, response);
+
+    assertThat(response.stream().outputAsString()).isEqualTo("{\"errors\":[{\"msg\":\"HTTP method DELETE is not allowed\"}]}");
+  }
+
   @Test
   public void method_post_required() {
     ValidatingRequest request = new TestRequest().setMethod("POST").setPath("/api/system/ping");
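Review bot: The two new tests, method_put_not_allowed and method_delete_not_allowed, assert only the JSON error body, so a regression in the status code (SC_METHOD_NOT_ALLOWED) would go unnoticed. Each should also assert the response status. There is no case for a verb outside GET/POST/PUT/DELETE sent to a POST-only action, which is the path that now reaches `default` in verifyRequest. A test such as `new TestRequest().setMethod("PATCH").setPath(<path of a POST action>)` expecting "HTTP method POST is required" would pin that behaviour. The body of method_post_required continues outside the hunk.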