From 09e8196ed454d2b18328a7166540fd75030645db Mon Sep 17 00:00:00 2001
From: Denis Kirillov <denis@nspcc.ru>
Date: Tue, 20 Sep 2022 16:37:54 +0300
Subject: [PATCH] [#68] Check basic ACL size

Signed-off-by: Denis Kirillov <denis@nspcc.ru>
---
 handlers/containers.go |  4 ++--
 handlers/util.go       | 39 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/handlers/containers.go b/handlers/containers.go
index 20300d7..9a2e1d3 100644
--- a/handlers/containers.go
+++ b/handlers/containers.go
@@ -355,8 +355,8 @@ func createContainer(ctx context.Context, p *pool.Pool, stoken session.Container
 		request.BasicACL = defaultBasicACL
 	}
 
-	var basicACL acl.Basic
-	if err = basicACL.DecodeString(request.BasicACL); err != nil {
+	basicACL, err := decodeBasicACL(request.BasicACL)
+	if err != nil {
 		return cid.ID{}, fmt.Errorf("couldn't parse basic acl: %w", err)
 	}
 
diff --git a/handlers/util.go b/handlers/util.go
index cde81ca..100385e 100644
--- a/handlers/util.go
+++ b/handlers/util.go
@@ -6,11 +6,13 @@ import (
 	"fmt"
 	"math"
 	"strconv"
+	"strings"
 	"time"
 
 	objectv2 "github.com/nspcc-dev/neofs-api-go/v2/object"
 	sessionv2 "github.com/nspcc-dev/neofs-api-go/v2/session"
 	"github.com/nspcc-dev/neofs-rest-gw/gen/models"
+	"github.com/nspcc-dev/neofs-sdk-go/container/acl"
 	"github.com/nspcc-dev/neofs-sdk-go/object"
 	"github.com/nspcc-dev/neofs-sdk-go/pool"
 )
@@ -219,3 +221,40 @@ func formSessionTokenFromHeaders(principal *models.Principal, signature, key *st
 		Verb: verb,
 	}, nil
 }
+
+// decodeBasicACL is the same as DecodeString on acl.Basic but
+// it also checks length for hex formatted acl.
+func decodeBasicACL(input string) (acl.Basic, error) {
+	switch input {
+	case acl.NamePrivate:
+		return acl.Private, nil
+	case acl.NamePrivateExtended:
+		return acl.PrivateExtended, nil
+	case acl.NamePublicRO:
+		return acl.PublicRO, nil
+	case acl.NamePublicROExtended:
+		return acl.PublicROExtended, nil
+	case acl.NamePublicRW:
+		return acl.PublicRW, nil
+	case acl.NamePublicRWExtended:
+		return acl.PublicRWExtended, nil
+	case acl.NamePublicAppend:
+		return acl.PublicAppend, nil
+	case acl.NamePublicAppendExtended:
+		return acl.PublicAppendExtended, nil
+	default:
+		trimmedInput := strings.TrimPrefix(strings.ToLower(input), "0x")
+		if len(trimmedInput) != 8 {
+			return 0, fmt.Errorf("invalid basic ACL size: %s", input)
+		}
+
+		v, err := strconv.ParseUint(trimmedInput, 16, 32)
+		if err != nil {
+			return 0, fmt.Errorf("parse hex: %w", err)
+		}
+
+		var res acl.Basic
+		res.FromBits(uint32(v))
+		return res, nil
+	}
+}