From: Charles-Henri Bruyand
Date: Wed, 16 May 2018 15:02:02 +0000 (+0200)
Subject: auth-api: restrict creation of OPT and TSIG rrsets
X-Git-Tag: dnsdist-1.3.1~90^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a53b24d006304e00d9c865629f6f0de7e30afbc2;p=thirdparty%2Fpdns.git

auth-api: restrict creation of OPT and TSIG rrsets
---
diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index d86c044f47..518360e11b 100644
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -1646,6 +1646,10 @@ static void patchZone(HttpRequest* req, HttpResponse* resp) {
 if (!qname.isPartOf(zonename) && qname != zonename)
 throw ApiException("RRset "+qname.toString()+" IN "+qtype.getName()+": Name is out of zone");
 
+ if (qtype.getCode() == QType::OPT || qtype.getCode() == QType::TSIG) {
+ throw ApiException("RRset "+qname.toString()+" IN "+stringFromJson(rrset, "type")+": invalid type given");
+ }
+
 bool replace_records = rrset["records"].is_array();
 bool replace_comments = rrset["comments"].is_array();
 
diff --git a/regression-tests.api/test_Zones.py b/regression-tests.api/test_Zones.py
index 250d8bafed..a4a3ffcadb 100644
--- a/regression-tests.api/test_Zones.py
+++ b/regression-tests.api/test_Zones.py
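Review bot: The new guard in patchZone is a two-entry deny-list (`QType::OPT`, `QType::TSIG`), and nothing visible in this hunk rejects the other meta or query-only types such as ANY, AXFR or IXFR, which are not zone data either. Whether an earlier check in patchZone already covers them cannot be seen here, since the function starts and continues outside the hunk, so that is worth confirming. The same applies to any other API path that accepts rrsets, such as zone creation, if it does not share this code. The error text is also built from `stringFromJson(rrset, "type")`, which echoes the raw request string, while the out-of-zone message directly above uses `qtype.getName()`; using `qtype.getName()` here would report the parsed type and keep the two messages consistent. A one-line comment such as `// OPT and TSIG are per-message pseudo-records and must never be stored as zone content` would record why these types are refused.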
@@ -938,6 +938,29 @@ fred IN A 192.168.0.4
 data = self.session.get(self.url("/api/v1/servers/localhost/zones/" + name)).json()
 self.assertEquals(get_rrset(data, name, 'MX')['records'], rrset['records'])
 
+ def test_zone_rr_update_opt(self):
+ name, payload, zone = self.create_zone()
+ # do a replace (= update)
+ rrset = {
+ 'changetype': 'replace',
+ 'name': name,
+ 'type': 'OPT',
+ 'ttl': 3600,
+ 'records': [
+ {
+ "content": "9",
+ "disabled": False
+ }
+ ]
+ }
+ payload = {'rrsets': [rrset]}
+ r = self.session.patch(
+ self.url("/api/v1/servers/localhost/zones/" + name),
+ data=json.dumps(payload),
+ headers={'content-type': 'application/json'})
+ self.assertEquals(r.status_code, 422)
+ self.assertIn('OPT: invalid type given', r.json()['error'])
+
 def test_zone_rr_update_multiple_rrsets(self):
 name, payload, zone = self.create_zone()
 rrset1 = {
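Review bot: test_zone_rr_update_opt covers only the OPT half of the new restriction; the TSIG branch added in ws-auth.cc has no regression test, so a later change that drops it would go unnoticed. A sibling `test_zone_rr_update_tsig` with `'type': 'TSIG'` asserting `'TSIG: invalid type given'`, or a loop over `('OPT', 'TSIG')` around the PATCH, would cover both branches. After the 422 it would also be worth fetching the zone and asserting that no rrset of the rejected type is present, which confirms the request left the zone unchanged. The copied comment `# do a replace (= update)` could instead read `# a replace with a forbidden type must be rejected` so the intent of the test is clear.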