ikke godta channelid som ikke er på forventet format

Author: tanettrimas

core/src/main/kotlin/no/javazone/feedback/setupRouting.kt

@@ -56,6 +56,9 @@ fun Application.setupRouting() {
             get("/{channelId}") {
                 val channelId = call.parameters["channelId"]
                     ?: return@get call.respond(HttpStatusCode.NotFound)
+                if (channelId.length != 4) {
+                    return@get call.respond(HttpStatusCode.BadRequest)
+                }
                 val channel = feedbackAdapter.findChannel(channelId)
                     ?: return@get call.respond(HttpStatusCode.NotFound, "Channel not found")
                 call.respondHtml { feedbackPage(channel) }

core/src/test/kotlin/no/javazone/feedback/FeedbackEndpointsTest.kt

@@ -279,11 +279,33 @@ class FeedbackEndpointsTest {
             module(TestDatabase.config())
         }
 
-        val response = client.get("/non-existent-channel")
+        val response = client.get("/session/ZZZZ")
 
         assertEquals(HttpStatusCode.NotFound, response.status)
     }
 
+    @Test
+    fun `test session endpoint returns bad request for channel id longer than four characters`() = testApplication {
+        application {
+            module(TestDatabase.config())
+        }
+
+        val response = client.get("/session/ABCDE")
+
+        assertEquals(HttpStatusCode.BadRequest, response.status)
+    }
+
+    @Test
+    fun `test session endpoint returns bad request for channel id shorter than four characters`() = testApplication {
+        application {
+            module(TestDatabase.config())
+        }
+
+        val response = client.get("/session/ABC")
+
+        assertEquals(HttpStatusCode.BadRequest, response.status)
+    }
+
     @Test
     fun `test thank you page returns HTML fragment`() = testApplication {
         application {