added transaction ID validation

giantswarm · xh3b4sd · Jan 31, 2017 · Jan 31, 2017 · Jan 31, 2017 · Jan 31, 2017
commit e2e942c5d4f93d8d433653af1ecf8d54434a686b
diff --git a/server/server.go b/server/server.go
@@ -28,12 +28,6 @@ import (
 	transactiontracked "github.com/giantswarm/microkit/transaction/context/tracked"
 )
 
-const (
-	// TransactionIDHeader is the canonical representation of the transaction ID
-	// HTTP header field.
-	TransactionIDHeader = "X-Transaction-ID"
-)
-
 // Config represents the configuration used to create a new server object.
 type Config struct {
 	// Dependencies.
@@ -493,15 +487,21 @@ func (s *server) newRequestContext(w http.ResponseWriter, r *http.Request) (cont
 	ctx = transactiontracked.NewContext(ctx, false)
 
 	transactionID := r.Header.Get(TransactionIDHeader)
-	if transactionID != "" {
-		ctx = transactionid.NewContext(ctx, transactionID)
+	if transactionID == "" {
+		return ctx, nil
+	}
 
-		exists, err := s.transactionResponder.Exists(ctx, transactionID)
-		if err != nil {
-			return nil, microerror.MaskAny(err)
-		}
-		ctx = transactiontracked.NewContext(ctx, exists)
+	if !IsValidTransactionID(transactionID) {
+		return nil, microerror.MaskAnyf(invalidTransactionIDError, "does not match %s", TransactionIDRegEx.String())
+	}
+
+	ctx = transactionid.NewContext(ctx, transactionID)
+
+	exists, err := s.transactionResponder.Exists(ctx, transactionID)
+	if err != nil {
+		return nil, microerror.MaskAny(err)
 	}
+	ctx = transactiontracked.NewContext(ctx, exists)
 
 	return ctx, nil
 }

diff --git a/server/transaction.go b/server/transaction.go
@@ -0,0 +1,24 @@
+package server
+
+import (
+	"regexp"
+)
+
+const (
+	// TransactionIDHeader is the canonical representation of the transaction ID
+	// HTTP header field.
+	TransactionIDHeader = "X-Transaction-ID"
+)
+
+var (
+	// TransactionIDRegEx represents a regular expression used to validate the
+	// scheme of transaction IDs. Transaction IDs provided via HTTP headers can be
+	// validated using this.
+	TransactionIDRegEx = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9-]{30,62}[A-Za-z0-9]$`)
+)
+
+// IsValidTransactionID is a convenience method to validate a transaction ID.
+// Internally TransactionIDRegEx is used.
+func IsValidTransactionID(transactionID string) bool {
+	return TransactionIDRegEx.MatchString(transactionID)
+}
diff --git a/server/transaction_test.go b/server/transaction_test.go
@@ -0,0 +1,56 @@
+package server
+
+import (
+	"testing"
+)
+
+func Test_Transaction_IDFormat(t *testing.T) {
+	testCases := []struct {
+		TransactionID string
+		Valid         bool
+	}{
+		{
+			TransactionID: "",
+			Valid:         false,
+		},
+		{
+			TransactionID: "foo",
+			Valid:         false,
+		},
+		{
+			TransactionID: "d.99ab4af-ddc7-4c7b-8e2b-1cdef5b129c7",
+			Valid:         false,
+		},
+		{
+			TransactionID: "-99ab4af-ddc7-4c7b-8e2b-1cdef5b129c7",
+			Valid:         false,
+		},
+		{
+			TransactionID: "d99ab4af-ddc7-4c7b-8e2b-1cdef5b129c-",
+			Valid:         false,
+		},
+		{
+			TransactionID: "d99ab4af-ddc7-4c7b-8e2b-1cdef5b129c7",
+			Valid:         true,
+		},
+		{
+			TransactionID: "a1e0d43b-fea2-4240-84a7-7abdffca1999",
+			Valid:         true,
+		},
+		{
+			TransactionID: "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
+			Valid:         true,
+		},
+		{
+			TransactionID: "00000000-0000-0000-0000-000000000000",
+			Valid:         true,
+		},
+	}
+
+	for _, testCase := range testCases {
+		isValid := IsValidTransactionID(testCase.TransactionID)
+		if isValid != testCase.Valid {
+			t.Fatal("expected", testCase.Valid, "got", isValid)
+		}
+	}
+}