oracle: check response Content-Type

If not specified everything is allowed. Signed-off-by: Evgeniy Stratonikov <evgeniy@nspcc.ru>
2025-05-08 19:10:30 +00:00 · 2021-07-06 16:20:01 +03:00 · 2021-07-06 16:20:01 +03:00 · 8e9302f40b
commit 8e9302f40b
parent 1853d0c713
6 changed files with 90 additions and 13 deletions
--- a/pkg/core/oracle_test.go
+++ b/pkg/core/oracle_test.go
@ -34,7 +34,8 @@ func getOracleConfig(t *testing.T, bc *Blockchain, w, pass string) oracle.Config
 		Log:     zaptest.NewLogger(t),
 		Network: netmode.UnitTestNet,
 		MainCfg: config.OracleConfiguration{
-			RefreshInterval: time.Second,
+			RefreshInterval:     time.Second,
+			AllowedContentTypes: []string{"application/json"},
 			UnlockWallet: config.Wallet{
 				Path:     path.Join(oracleModulePath, w),
 				Password: pass,
@ -147,6 +148,8 @@ func TestOracle(t *testing.T) {
 	putOracleRequest(t, cs.Hash, bc, "https://get.filter", &flt, "handle", []byte{}, 10_000_000)
 	putOracleRequest(t, cs.Hash, bc, "https://get.filterinv", &flt, "handle", []byte{}, 10_000_000)

+	putOracleRequest(t, cs.Hash, bc, "https://get.invalidcontent", nil, "handle", []byte{}, 10_000_000)
+
 	checkResp := func(t *testing.T, id uint64, resp *transaction.OracleResponse) *state.OracleRequest {
 		req, err := oracleCtr.GetRequestInternal(bc.dao, id)
 		require.NoError(t, err)
@ -262,6 +265,12 @@ func TestOracle(t *testing.T) {
 			})
 		})
 	})
+	t.Run("InvalidContentType", func(t *testing.T) {
+		checkResp(t, 11, &transaction.OracleResponse{
+			ID:   11,
+			Code: transaction.ContentTypeNotSupported,
+		})
+	})
 }

 func TestOracleFull(t *testing.T) {
@ -322,6 +331,7 @@ type (

 	testResponse struct {
 		code int
+		ct   string
 		body []byte
 	}
 )
@ -332,7 +342,10 @@ func (c *httpClient) Do(req *http.Request) (*http.Response, error) {
 	if ok {
 		return &http.Response{
 			StatusCode: resp.code,
-			Body:       newResponseBody(resp.body),
+			Header: http.Header{
+				"Content-Type": {resp.ct},
+			},
+			Body: newResponseBody(resp.body),
 		}, nil
 	}
 	return nil, errors.New("error during request")
@ -343,44 +356,59 @@ func newDefaultHTTPClient() oracle.HTTPClient {
 		responses: map[string]testResponse{
 			"https://get.1234": {
 				code: http.StatusOK,
+				ct:   "application/json",
 				body: []byte{1, 2, 3, 4},
 			},
 			"https://get.4321": {
 				code: http.StatusOK,
+				ct:   "application/json",
 				body: []byte{4, 3, 2, 1},
 			},
 			"https://get.timeout": {
 				code: http.StatusRequestTimeout,
+				ct:   "application/json",
 				body: []byte{},
 			},
 			"https://get.notfound": {
 				code: http.StatusNotFound,
+				ct:   "application/json",
 				body: []byte{},
 			},
 			"https://get.forbidden": {
 				code: http.StatusForbidden,
+				ct:   "application/json",
 				body: []byte{},
 			},
 			"https://private.url": {
 				code: http.StatusOK,
+				ct:   "application/json",
 				body: []byte("passwords"),
 			},
 			"https://get.big": {
 				code: http.StatusOK,
+				ct:   "application/json",
 				body: make([]byte, transaction.MaxOracleResultSize+1),
 			},
 			"https://get.maxallowed": {
 				code: http.StatusOK,
+				ct:   "application/json",
 				body: make([]byte, transaction.MaxOracleResultSize),
 			},
 			"https://get.filter": {
 				code: http.StatusOK,
+				ct:   "application/json",
 				body: []byte(`{"Values":["one", 2, 3],"Another":null}`),
 			},
 			"https://get.filterinv": {
 				code: http.StatusOK,
+				ct:   "application/json",
 				body: []byte{0xFF},
 			},
+			"https://get.invalidcontent": {
+				code: http.StatusOK,
+				ct:   "image/gif",
+				body: []byte{1, 2, 3},
+			},
 		},
 	}
 }