Safeguard against redirects on POST request
A redirect on a POST request will make the http client perform a GET request to the signposted URL. This will (probably) return a 200, which the code will then interpret as a successful POST. This check ensures that the method the response relates to is the same as the one we invoked.
mhutchinson committed Apr 10, 2024
1 parent 76c95cd commit 99254b0
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions binary_transparency/firmware/internal/client/client.go
@@ -96,6 +96,10 @@ func (c SubmitClient) PublishFirmware(manifest, image []byte) error {
if err != nil {
return fmt.Errorf("failed to publish to log endpoint (%s): %w", u, err)
}
if resp.Request.Method != "POST" {
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections#permanent_redirections
return fmt.Errorf("POST request to %q was converted to %s request to %q", u.String(), resp.Request.Method, resp.Request.URL)
}
if r.StatusCode != http.StatusOK {
return errFromResponse("failed to submit to log", r)
}
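Review bot: the new guard `if resp.Request.Method != "POST"` refers to `resp`, while the context lines around it read the response as `r` (`r.StatusCode`, `errFromResponse("failed to submit to log", r)`); unless both names are bound to the same response in this function, this will not compile, so use one name consistently. The check also only catches redirects that rewrite the method: 301, 302 and 303 turn a POST into a GET, but 307 and 308 preserve the method, so a POST that was redirected to another URL would still pass this guard and its 200 would be accepted as a successful submission. If the intent is to reject any redirect, additionally compare `resp.Request.URL` against `u`, or configure the client's `CheckRedirect` to return `http.ErrUseLastResponse` so the first 3xx is returned as the response and fails the `StatusOK` check below.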
