Skip to content

Commit

Permalink
Auto merge of #11952 - ehuss:check-token-publish, r=weihanglo
Browse files Browse the repository at this point in the history
Validate token on publish.

The `publish` path was not validating the token like the other API routes were (like owner, or yank). This does not appear to be intentional from what I can tell. This consolidates the relevant code so that it is shared with all the API calls.

cc #11600

Closes #11571
  • Loading branch information
bors committed Apr 10, 2023
2 parents 34cb1ea + 35f5862 commit 1a53cdb
Show file tree
Hide file tree
Showing 2 changed files with 52 additions and 11 deletions.
22 changes: 11 additions & 11 deletions crates/crates-io/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -219,6 +219,15 @@ impl Registry {
self.token = token;
}

fn token(&self) -> Result<&str> {
let token = match self.token.as_ref() {
Some(s) => s,
None => bail!("no upload token found, please run `cargo login`"),
};
check_token(token)?;
Ok(token)
}

pub fn host(&self) -> &str {
&self.host
}
Expand Down Expand Up @@ -278,16 +287,12 @@ impl Registry {

let url = format!("{}/api/v1/crates/new", self.host);

let token = match self.token.as_ref() {
Some(s) => s,
None => bail!("no upload token found, please run `cargo login`"),
};
self.handle.put(true)?;
self.handle.url(&url)?;
self.handle.in_filesize(size as u64)?;
let mut headers = List::new();
headers.append("Accept: application/json")?;
headers.append(&format!("Authorization: {}", token))?;
headers.append(&format!("Authorization: {}", self.token()?))?;
self.handle.http_headers(headers)?;

let started = Instant::now();
Expand Down Expand Up @@ -390,12 +395,7 @@ impl Registry {
headers.append("Content-Type: application/json")?;

if self.auth_required || authorized == Auth::Authorized {
let token = match self.token.as_ref() {
Some(s) => s,
None => bail!("no upload token found, please run `cargo login`"),
};
check_token(token)?;
headers.append(&format!("Authorization: {}", token))?;
headers.append(&format!("Authorization: {}", self.token()?))?;
}
self.handle.http_headers(headers)?;
match body {
Expand Down
41 changes: 41 additions & 0 deletions tests/testsuite/publish.rs
Original file line number Diff line number Diff line change
Expand Up @@ -2908,3 +2908,44 @@ You may press ctrl-c to skip waiting; the crate should be available shortly.

p.cargo("check").with_status(0).run();
}

#[cargo_test]
fn invalid_token() {
// Checks publish behavior with an invalid token.
let registry = RegistryBuilder::new().http_api().http_index().build();

let p = project()
.file(
"Cargo.toml",
r#"
[package]
name = "foo"
version = "0.0.1"
authors = []
license = "MIT"
description = "foo"
documentation = "foo"
"#,
)
.file("src/main.rs", "fn main() {}")
.build();

p.cargo("publish --no-verify")
.replace_crates_io(registry.index_url())
.env("CARGO_REGISTRY_TOKEN", "\x16")
.with_stderr(
"\
[UPDATING] crates.io index
[PACKAGING] foo v0.0.1 ([ROOT]/foo)
[PACKAGED] 4 files, [..]
[UPLOADING] foo v0.0.1 ([ROOT]/foo)
error: failed to publish to registry at http://127.0.0.1:[..]/
Caused by:
token contains invalid characters.
Only printable ISO-8859-1 characters are allowed as it is sent in a HTTPS header.
",
)
.with_status(101)
.run();
}

0 comments on commit 1a53cdb

Please sign in to comment.