Safeguard against redirects on POST request

A redirect on a POST request will make the http client perform a GET request to the signposted URL. This will (probably) return a 200, which the code will then interpret as a successful POST. This check ensures that the method the response relates to is the same as the one we invoked.
mhutchinson · Apr 10, 2024 · 7fe12cb · 7fe12cb
1 parent 76c95cd
commit 7fe12cb
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/binary_transparency/firmware/internal/client/client.go b/binary_transparency/firmware/internal/client/client.go
@@ -96,6 +96,9 @@ func (c SubmitClient) PublishFirmware(manifest, image []byte) error {
 	if err != nil {
 		return fmt.Errorf("failed to publish to log endpoint (%s): %w", u, err)
 	}
+	if resp.Request.Method != "POST" {
+		return fmt.Errorf("POST request to %q was converted to %s request to %q", u.String(), resp.Request.Method, resp.Request.URL)
+	}
 	if r.StatusCode != http.StatusOK {
 		return errFromResponse("failed to submit to log", r)
 	}