From c523513857810955f3bcc964f590bccee16c508a Mon Sep 17 00:00:00 2001
From: Pierre
Date: Tue, 11 Oct 2022 17:30:51 +0200
Subject: [PATCH] SONAR-17435 fix SSF-318
---
 .../org/sonar/server/ws/RequestVerifier.java | 8 +++---
 .../sonar/server/ws/WebServiceEngineTest.java | 28 +++++++------------
 2 files changed, 14 insertions(+), 22 deletions(-)
diff --git a/server/sonar-webserver-ws/src/main/java/org/sonar/server/ws/RequestVerifier.java b/server/sonar-webserver-ws/src/main/java/org/sonar/server/ws/RequestVerifier.java
index 36334869a00..5f774be5113 100644
--- a/server/sonar-webserver-ws/src/main/java/org/sonar/server/ws/RequestVerifier.java
+++ b/server/sonar-webserver-ws/src/main/java/org/sonar/server/ws/RequestVerifier.java
@@ -37,11 +37,11 @@ public class RequestVerifier {
 throw new ServerException(SC_METHOD_NOT_ALLOWED, "HTTP method POST is required");
 }
 return;
- case "PUT":
- case "DELETE":
- throw new ServerException(SC_METHOD_NOT_ALLOWED, String.format("HTTP method %s is not allowed", request.method()));
+ case "POST":
+ // no further verification (POST request are allowed to reach GET endpoints)
+ return;
 default:
- // Nothing to do
+ throw new ServerException(SC_METHOD_NOT_ALLOWED, String.format("HTTP method %s is not allowed", request.method()));
 }
 }
 }
diff --git a/server/sonar-webserver-ws/src/test/java/org/sonar/server/ws/WebServiceEngineTest.java b/server/sonar-webserver-ws/src/test/java/org/sonar/server/ws/WebServiceEngineTest.java
index f258023a615..e290f99db1d 100644
--- a/server/sonar-webserver-ws/src/test/java/org/sonar/server/ws/WebServiceEngineTest.java
+++ b/server/sonar-webserver-ws/src/test/java/org/sonar/server/ws/WebServiceEngineTest.java
@@ -19,6 +19,7 @@
 */
 package org.sonar.server.ws;
+import java.util.Arrays;
 import java.util.function.Consumer;
 import javax.servlet.http.HttpServletResponse;
 import org.apache.catalina.connector.ClientAbortException;
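Review bot: The `default` branch in RequestVerifier.java now formats whatever `request.method()` returns into the 405 message, whereas before this patch only the literal PUT and DELETE cases reached that `String.format`. The test file in this patch shows the message coming back in the JSON error body, so it is worth confirming that the error writer, and any log sink that records ServerException messages, escapes the value; neither is visible here. If that cannot be confirmed, a fixed message avoids the question: `throw new ServerException(SC_METHOD_NOT_ALLOWED, "HTTP method is not allowed");`. The switch and its enclosing method start outside the hunk.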
@@ -55,7 +56,7 @@ public class WebServiceEngineTest {
 @Test
 public void load_ws_definitions_at_startup() {
- WebServiceEngine underTest = new WebServiceEngine(new WebService[] {
+ WebServiceEngine underTest = new WebServiceEngine(new WebService[]{
 newWs("api/foo/index", a -> {
 }),
 newWs("api/bar/index", a -> {
@@ -171,25 +172,16 @@ public class WebServiceEngineTest {
 }
 @Test
- public void method_PUT_is_not_allowed() {
- Request request = new TestRequest().setMethod("PUT").setPath("/api/ping");
+ public void method_is_not_allowed() {
+ for (String verb : Arrays.asList("PUT", "DELETE", "HEAD", "PATCH", "CONNECT", "OPTIONS", "TRACE")) {
- DumbResponse response = run(request, newPingWs(a -> {
- }));
-
- assertThat(response.stream().outputAsString()).isEqualTo("{\"errors\":[{\"msg\":\"HTTP method PUT is not allowed\"}]}");
- assertThat(response.stream().status()).isEqualTo(405);
- }
+ Request request = new TestRequest().setMethod(verb).setPath("/api/ping");
- @Test
- public void method_DELETE_is_not_allowed() {
- Request request = new TestRequest().setMethod("DELETE").setPath("api/ping");
+ DumbResponse response = run(request, newPingWs(a -> {}));
- DumbResponse response = run(request, newPingWs(a -> {
- }));
-
- assertThat(response.stream().outputAsString()).isEqualTo("{\"errors\":[{\"msg\":\"HTTP method DELETE is not allowed\"}]}");
- assertThat(response.stream().status()).isEqualTo(405);
+ assertThat(response.stream().outputAsString()).isEqualTo("{\"errors\":[{\"msg\":\"HTTP method " + verb + " is not allowed\"}]}");
+ assertThat(response.stream().status()).isEqualTo(405);
+ }
 }
 @Test
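Review bot: The verb list in `method_is_not_allowed` names only standard methods, so the test does not show that a method nobody listed is rejected, which is the point of moving the throw into `default`. Adding one made-up token pins that, e.g. `Arrays.asList("PUT", "DELETE", "HEAD", "PATCH", "CONNECT", "OPTIONS", "TRACE", "FOO")`, assuming `TestRequest.setMethod` accepts any string. Because all verbs share one test method, the first failure hides the rest and the status assertion does not say which verb failed; `assertThat(response.stream().status()).as(verb).isEqualTo(405);` would name it. The removed DELETE test also used the path `api/ping` without a leading slash, a variant this loop no longer covers.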
@@ -409,7 +401,7 @@ public class WebServiceEngineTest {
 public void fail_when_start_in_not_called() {
 Request request = new TestRequest().setPath("/api/ping");
 DumbResponse response = new DumbResponse();
- WebServiceEngine underTest = new WebServiceEngine(new WebService[] {newPingWs(a -> {
+ WebServiceEngine underTest = new WebServiceEngine(new WebService[]{newPingWs(a -> {
 })});
 underTest.execute(request, response);
--
2.39.5