Merge pull request #3575 from VaishnaviHire/add_content_type

Validate Content-Type Header for api POST requests
2025-10-15 14:03:02 +00:00 · 2021-09-01 10:16:39 +02:00
parent 2bc3a22acc 44988b626e
commit 12c6ab4ca1
2 changed files with 56 additions and 5 deletions
--- a/jupyterhub/tests/test_api.py
+++ b/jupyterhub/tests/test_api.py
@@ -65,7 +65,7 @@ async def test_auth_api(app):
    assert r.status_code == 403


-async def test_referer_check(app):
+async def test_cors_checks(app):
    url = ujoin(public_host(app), app.hub.base_url)
    host = urlparse(url).netloc
    # add admin user
@@ -110,6 +110,32 @@ async def test_referer_check(app):
    )
    assert r.status_code == 200

+    r = await api_request(
+        app,
+        'users',
+        method='post',
+        data='{}',
+        headers={
+            "Authorization": "",
+            "Content-Type": "text/plain",
+        },
+        cookies=cookies,
+    )
+    assert r.status_code == 403
+
+    r = await api_request(
+        app,
+        'users',
+        method='post',
+        data='{}',
+        headers={
+            "Authorization": "",
+            "Content-Type": "application/json; charset=UTF-8",
+        },
+        cookies=cookies,
+    )
+    assert r.status_code == 400  # accepted, but invalid
+

 # --------------
 # User API tests