Allow lookup only by key ids with at least 16 chars

2016-06-07 16:22:17 +02:00 · 2016-06-07 16:22:17 +02:00 · bdde8e44d5
commit bdde8e44d5
parent f54b86f79a
4 changed files with 32 additions and 21 deletions
--- a/src/route/hkp.js
+++ b/src/route/hkp.js
@ -80,7 +80,7 @@ class HKP {
    if (['get','index','vindex'].indexOf(params.op) === -1) {
      ctx.throw(501, 'Not implemented!');
    } else if (!params.keyid && !params.email) {
-      ctx.throw(400, 'Invalid request!');
+      ctx.throw(501, 'Not implemented!');
    }

    return params;
@ -88,7 +88,7 @@ class HKP {

  /**
   * Checks for a valid key id in the query string. A key must be prepended
-   * with '0x' and can be between 8 and 40 hex characters long.
+   * with '0x' and can be between 16 and 40 hex characters long.
   * @param  {String} keyid   The key id
   * @return {Boolean}        If the key id is valid
   */
@ -96,7 +96,7 @@ class HKP {
    if (!util.isString(keyid)) {
      return false;
    }
-    return /^0x[a-fA-F0-9]{8,40}$/.test(keyid);
+    return /^0x[a-fA-F0-9]{16,40}$/.test(keyid);
  }

  /**
--- a/src/service/util.js
+++ b/src/service/util.js
@ -42,7 +42,7 @@ exports.isTrue = function(data) {
 };

 /**
- * Checks for a valid key id which is between 8 and 40 hex chars.
+ * Checks for a valid key id which is between 16 and 40 hex chars.
 * @param  {string} data   The key id
 * @return {boolean}       If the key id if valid
 */
@ -50,7 +50,7 @@ exports.validateKeyId = function(data) {
  if (!this.isString(data)) {
    return false;
  }
-  return /^[a-fA-F0-9]{8,40}$/.test(data);
+  return /^[a-fA-F0-9]{16,40}$/.test(data);
 };

 /**
--- a/test/integration/app-test.js
+++ b/test/integration/app-test.js
@ -174,9 +174,16 @@ describe('Koa App (HTTP Server) Integration Tests', function() {
          .end(done);
        });

+        it('should return 400 for short key id', done => {
+          request(app.listen())
+          .get('/api/v1/key?keyid=0123456789ABCDE')
+          .expect(400)
+          .end(done);
+        });
+
        it('should return 404 for wrong key id', done => {
          request(app.listen())
-          .get('/api/v1/key?keyid=0123456789ABCDF')
+          .get('/api/v1/key?keyid=0123456789ABCDEF')
          .expect(404)
          .end(done);
        });
@ -305,9 +312,9 @@ describe('Koa App (HTTP Server) Integration Tests', function() {
        .end(done);
      });

-      it('should return 404 for unknown email address', done => {
+      it('should return 404 for unknown key id', done => {
        request(app.listen())
-        .get('/api/v1/verifyRemove?keyid=0123456789ABCDF&nonce=' + emailParams.nonce)
+        .get('/api/v1/verifyRemove?keyid=0123456789ABCDEF&nonce=' + emailParams.nonce)
        .expect(404)
        .end(done);
      });
@ -407,10 +414,10 @@ describe('Koa App (HTTP Server) Integration Tests', function() {
          .end(done);
        });

-        it('should return 400 for invalid email', done => {
+        it('should return 501 for invalid email', done => {
          request(app.listen())
          .get('/pks/lookup?op=get&search=a@bco')
-          .expect(400)
+          .expect(501)
          .end(done);
        });

@ -421,17 +428,17 @@ describe('Koa App (HTTP Server) Integration Tests', function() {
          .end(done);
        });

-        it('should return 400 for missing params', done => {
+        it('should return 501 for missing params', done => {
          request(app.listen())
          .get('/pks/lookup?op=get')
-          .expect(400)
+          .expect(501)
          .end(done);
        });

-        it('should return 400 for a invalid key id format', done => {
+        it('should return 501 for a invalid key id format', done => {
          request(app.listen())
          .get('/pks/lookup?op=get&search=' + emailParams.keyid)
-          .expect(400)
+          .expect(501)
          .end(done);
        });

@ -442,6 +449,13 @@ describe('Koa App (HTTP Server) Integration Tests', function() {
          .end(done);
        });

+        it('should return 501 (Not implemented) for short key id', done => {
+          request(app.listen())
+          .get('/pks/lookup?op=get&search=0x2A1B86E9')
+          .expect(501)
+          .end(done);
+        });
+
        it('should return 501 (Not implemented) for "x-email" op', done => {
          request(app.listen())
          .get('/pks/lookup?op=x-email&search=0x' + emailParams.keyid)
--- a/test/unit/util-test.js
+++ b/test/unit/util-test.js
@ -53,14 +53,11 @@ describe('Util Unit Tests', () => {
    it('should be true for 16 byte hex', () => {
      expect(util.validateKeyId('0123456789ABCDEF')).to.be.true;
    });
-    it('should be true for 8 byte hex', () => {
-      expect(util.validateKeyId('01234567')).to.be.true;
+    it('should be false for 15 byte hex', () => {
+      expect(util.validateKeyId('0123456789ABCDE')).to.be.false;
    });
-    it('should be false for 8 byte non-hex', () => {
-      expect(util.validateKeyId('0123456Z')).to.be.false;
-    });
-    it('should be false for 7 byte hex', () => {
-      expect(util.validateKeyId('0123456')).to.be.false;
+    it('should be false for 16 byte non-hex', () => {
+      expect(util.validateKeyId('0123456789ABCDEZ')).to.be.false;
    });
    it('should be false for 41 byte hex', () => {
      expect(util.validateKeyId('0123456789ABCDEF0123456789ABCDEF012345678')).to.be.false;