Stricter accept header parsing. Throw on malformed input, don't throw on no acceptable media types

Woazboat · mmd-osm · commit 71acb52edafb · 2025-03-01T15:06:12.000+01:00
diff --git a/src/choose_formatter.cpp b/src/choose_formatter.cpp
@@ -30,6 +30,7 @@
 #include <string>
 #include <vector>
 #include <algorithm>
+#include <charconv>
 
 #include <fmt/core.h>
 
@@ -45,10 +46,6 @@ AcceptHeader::AcceptHeader(const std::string &header) {
 
   for (const auto &acceptedType : acceptedTypes)
     mapping[acceptedType.mimeType] = acceptedType.q;
-
-  if (mapping.empty()) {
-    throw http::bad_request("Accept header could not be parsed.");
-  }
 }
 
 [[nodiscard]] bool AcceptHeader::is_acceptable(mime::type mt) const {
@@ -91,13 +88,16 @@ std::vector<AcceptHeader::AcceptElement> AcceptHeader::parse(const std::string &
   // Split by comma to get individual media types
   auto items = split_trim(data, ',');
 
+  if (items.empty())
+    throw http::bad_request("Invalid empty accept header");
+
   for (const auto &item : items) {
     // Split each item by semicolon to separate media type from
     // parameters
     auto elems = split_trim(item, ';');
 
     if (elems.empty()) {
-      continue;
+      throw http::bad_request("Malformed accept header");
     }
 
     // Treat Accept: * as Accept: */*
@@ -106,8 +106,13 @@ std::vector<AcceptHeader::AcceptElement> AcceptHeader::parse(const std::string &
 
     // Split the media type into type and subtype
     auto mime_parts = split_trim(elems[0], '/');
-    if (mime_parts.size() != 2 || mime_parts[1].empty()) {
-      continue;
+    if (mime_parts.size() != 2 || mime_parts[0].empty() || mime_parts[1].empty()) {
+      throw http::bad_request("Invalid accept header media type");
+    }
+
+    // */subtype is not allowed
+    if (mime_parts[0] == "*" && mime_parts[1] != "*") {
+      throw http::bad_request("Invalid wildcard in accept header media type");
     }
 
     // figure out the mime::type from the string
@@ -125,14 +130,21 @@ std::vector<AcceptHeader::AcceptElement> AcceptHeader::parse(const std::string &
     // Parse parameters
     for (size_t i = 1; i < elems.size(); ++i) {
       auto param_parts = split_trim(elems[i], '=');
-      if (param_parts.size() != 2)
-        continue;
+      if (param_parts.size() != 2) {
+        throw http::bad_request("Malformed parameter in accept header");
+      }
 
       if (param_parts[0] == "q") {
-        try {
-          acceptElement.q = std::stod(std::string{param_parts[1]});
-        } catch (const std::exception &) {
-          acceptElement.q = 0.0;
+        auto [ptr, ec] = std::from_chars(param_parts[1].begin(), 
+                                         param_parts[1].end(), 
+                                         acceptElement.q, 
+                                         std::chars_format::fixed);
+        if (ec != std::errc() || 
+            ptr != param_parts[1].end() ||
+            !std::isfinite(acceptElement.q) || 
+            acceptElement.q < 0 || 
+            acceptElement.q > 1) {
+          throw http::bad_request("Invalid q parameter value in accept header");
         }
       } else {
         acceptElement.params[std::string{param_parts[0]}] = std::string{param_parts[1]};
diff --git a/test/test_http.cpp b/test/test_http.cpp
@@ -109,9 +109,66 @@ TEST_CASE("http_check_accept_header_parsing", "[http]") {
     CHECK(header.is_acceptable(mime::type::text_plain) == true);
   }
 
+  SECTION("test: wildcard header") {
+    AcceptHeader header{"*/*"};
+    CHECK(header.is_acceptable(mime::type::any_type) == true);
+    CHECK(header.is_acceptable(mime::type::application_json) == true);
+    CHECK(header.is_acceptable(mime::type::application_xml) == true);
+    CHECK(header.is_acceptable(mime::type::text_plain) == true);
+  }
+
+  SECTION("test: bug-compatible wildcard header ") {
+    AcceptHeader header{"*"};
+    CHECK(header.is_acceptable(mime::type::any_type) == true);
+    CHECK(header.is_acceptable(mime::type::application_json) == true);
+    CHECK(header.is_acceptable(mime::type::application_xml) == true);
+    CHECK(header.is_acceptable(mime::type::text_plain) == true);
+  }
+
   SECTION("test: not supported mime types") {
-    REQUIRE_THROWS_AS(AcceptHeader{"audio/*; q=0.2, audio/basic"}, http::bad_request);
-    REQUIRE_THROWS_AS(AcceptHeader{"text, text/html"}, http::bad_request);
+    CHECK_NOTHROW(AcceptHeader{"audio/*; q=0.2, audio/basic"});
+    CHECK_NOTHROW(AcceptHeader{"text/html"});
+  }
+
+  SECTION("test: invalid accept header format") {
+    CHECK_THROWS_AS(AcceptHeader{""}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"/"}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"*/"}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"foo/"}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"/*"}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"/foo"}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"*/foo"}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"text"}, http::bad_request);
+  }
+
+  SECTION("test: accept header params") {
+    CHECK_NOTHROW(AcceptHeader{"application/xml;q=0.5"});
+    CHECK_NOTHROW(AcceptHeader{"application/xml;baz=abc;bat=123"});
+    CHECK_NOTHROW(AcceptHeader{"application/xml;baz=abc;bat=123, application/json; param1=1; param2=2"});
+    CHECK_NOTHROW(AcceptHeader{"foo/bar;q=0.5; accept-extension-param1=abcd123; exptaram=%653"});
+    CHECK_NOTHROW(AcceptHeader{"text/html, application/xhtml+xml, application/xml;q=0.9, image/webp, */*;q=0.8"});
+    CHECK_NOTHROW(AcceptHeader{"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"});
+    CHECK_NOTHROW(AcceptHeader{"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8"});
+  }
+
+  SECTION("test: invalid accept header q value") {
+    CHECK_THROWS_AS(AcceptHeader{"application/xml;q=foobar"}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"application/xml;q="}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"application/xml;q=123456"}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"application/xml;q=-123456"}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"application/xml;q=1.1"}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"application/xml;q=-0.1"}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"application/xml;q=NAN"}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"application/xml;q=-NAN"}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"application/xml;q=INF"}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"application/xml;q=INFINITY"}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"application/xml;q=-INF"}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"application/xml;q=-INFINITY"}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"application/xml;q=0x1"}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"application/xml;q=0x0"}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"application/xml;q=0b1"}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"application/xml;q=0.5abc"}, http::bad_request);
+    CHECK_THROWS_AS(AcceptHeader{"application/xml;q=abc0.5"}, http::bad_request);
   }
 
   SECTION("test: application/json") {
