Simplified content-type checks, added error response when an unknown or unsupported content type is specified

Jared Hendrickson · Jared Hendrickson · commit 29ac8375a124 · 2020-10-17T09:36:56.000-06:00
diff --git a/pfSense-pkg-API/files/etc/inc/api/framework/APIModel.inc b/pfSense-pkg-API/files/etc/inc/api/framework/APIModel.inc
@@ -68,13 +68,20 @@ class APIModel {
     }
 
     public function validate() {
+        # Checks API status and requirements
         $this->check_enable();
         $this->check_server_ip();
         $this->check_version();
+
+        # Checks request data
+        $this->check_request_data();
+
+        # Checks authentication and authorization if required
         if ($this->requires_auth) {
             $this->check_authentication();
             $this->check_authorization();
         }
+
         $this->validate_payload();
 
         if (count($this->errors) === 0) {
@@ -152,4 +159,11 @@ class APIModel {
         $this->errors[] = APIResponse\get(6);
     }
 
+    # Check if our requested content-type is supported and parsed data correctly, sets error if not
+    private function check_request_data() {
+        if ($this->initial_data === false) {
+            $this->errors[] = APIResponse\get(11);
+        }
+    }
+
 }
diff --git a/pfSense-pkg-API/files/etc/inc/api/framework/APIResponse.inc b/pfSense-pkg-API/files/etc/inc/api/framework/APIResponse.inc
@@ -81,10 +81,16 @@ function get($id, $data=[], $all=false) {
         ],
         10 => [
             "status" => "server error",
-            "code" => "500",
+            "code" => 500,
             "return" => $id,
             "message" => "Your API request was valid but no actions were specified for this endpoint",
         ],
+        11 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "Specified content type is not supported"
+        ],
         // 1000-1999 reserved for /system API calls
         1000 => [
             "status" => "bad request",
diff --git a/pfSense-pkg-API/files/etc/inc/api/framework/APITools.inc b/pfSense-pkg-API/files/etc/inc/api/framework/APITools.inc
@@ -32,13 +32,20 @@ use Firebase\JWT\JWT;
 
 # Checks our content type header and parses the content accordingly
 function get_request_data() {
-    # Support application/x-www-form-urlencoded content type
-    if (strtolower($_SERVER["HTTP_CONTENT_TYPE"] === "application/x-www-form-urlencoded")) {
-        return $_GET;
-    }
-    # Support application/json content type
-    elseif (strtolower($_SERVER["HTTP_CONTENT_TYPE"] === "application/json")) {
-        return json_decode(file_get_contents('php://input'), true);
+    $content_types = [
+        "application/x-www-form-urlencoded" => $_GET,
+        "application/json" => json_decode(file_get_contents('php://input'), true)
+    ];
+    # If client passed in a static content type via header, attempt to parse data using that type
+    if (!empty($_SERVER["HTTP_CONTENT_TYPE"])) {
+        # Check if content type is supported, if so return corresponding parsed request data
+        if (array_key_exists($_SERVER["HTTP_CONTENT_TYPE"], $content_types)) {
+            return $content_types[$_SERVER["HTTP_CONTENT_TYPE"]];
+        }
+        # Return false if the content type is unknown or unsupported
+        else {
+            return false;
+        }
     }
     # If a static content type was not provided, attempt to determine the content type
     else {
