upload: don't ignore BindJSON errors (#999)

* upload: don't ignore BindJSON errors

Author: alessio-perugini

conn.go

@@ -80,9 +80,11 @@ type Upload struct {
 var uploadStatusStr = "ProgrammerStatus"
 
 func uploadHandler(c *gin.Context) {
-
 	data := new(Upload)
-	c.BindJSON(data)
+	if err := c.BindJSON(data); err != nil {
+		c.String(http.StatusBadRequest, fmt.Sprintf("err with the payload. %v", err.Error()))
+		return
+	}
 
 	log.Printf("%+v %+v %+v %+v %+v %+v", data.Port, data.Board, data.Rewrite, data.Commandline, data.Extra, data.Filename)
 

main_test.go

@@ -18,6 +18,7 @@ package main
 import (
 	"bytes"
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
@@ -87,6 +88,30 @@ func TestUploadHandlerAgainstEvilFileNames(t *testing.T) {
 	}
 }
 
+func TestUploadHandlerAgainstBase64WithoutPaddingMustFail(t *testing.T) {
+	r := gin.New()
+	r.POST("/", uploadHandler)
+	ts := httptest.NewServer(r)
+	defer ts.Close()
+
+	// When calling the `BindJSON` func, when a json field will be Unmarshaled
+	// in a []byte type, we expect to receive a base64 padded string in input.
+	// In case we receive a base64 unpadded string BindJSON fails.
+	// The expectation here is that the upload handler won't continue with the
+	// upload operation.
+	base64ContentWithoutPadding := base64.RawStdEncoding.EncodeToString([]byte("test"))
+	payload := fmt.Sprintf(`{"hex": "%s"}`, base64ContentWithoutPadding)
+
+	resp, err := http.Post(ts.URL, "encoding/json", bytes.NewBufferString(payload))
+	require.NoError(t, err)
+	require.Equal(t, http.StatusBadRequest, resp.StatusCode)
+
+	defer resp.Body.Close()
+	body, err := io.ReadAll(resp.Body)
+	require.NoError(t, err)
+	require.Contains(t, string(body), "err with the payload. illegal base64 data at input")
+}
+
 func TestInstallToolV2(t *testing.T) {
 
 	indexURL := "https://downloads.arduino.cc/packages/package_index.json"