prohibit API payloads that represent something other than a JSON object

The JSON serializer for our API uses ``json.loads``, which permits *any* valid JSON (including bare integers, boolean values, etc). Lots of our code, however, assumes that inbound JSON content will be a dict. see: #4756
2026-02-21 21:20:08 -03:30 · 2017-01-20 09:10:19 -05:00
parent e5cfa51410
commit d97ff57cda
2 changed files with 21 additions and 1 deletions
--- a/awx/main/tests/functional/api/test_job_template.py
+++ b/awx/main/tests/functional/api/test_job_template.py
@@ -94,6 +94,23 @@ def test_edit_playbook(patch, job_template_factory, alice):
    }, alice, expect=403)


+@pytest.mark.django_db
+@pytest.mark.parametrize('json_body',
+                         ["abc", True, False, "{\"name\": \"test\"}", 100, .5])
+def test_invalid_json_body(patch, job_template_factory, alice, json_body):
+    objs = job_template_factory('jt', organization='org1')
+    objs.job_template.admin_role.members.add(alice)
+    resp = patch(
+        reverse('api:job_template_detail', args=(objs.job_template.id,)),
+        json_body,
+        alice,
+        expect=400
+    )
+    assert resp.data['detail'] == (
+        u'JSON parse error - not a JSON object'
+    )
+
+
@pytest.mark.django_db
 def test_edit_nonsenstive(patch, job_template_factory, alice):
    objs = job_template_factory('jt', organization='org1', project='prj', inventory='inv', credential='cred')