diff --git a/salt/netapi/rest_cherrypy/app.py b/salt/netapi/rest_cherrypy/app.py
index 99eb0900e018..121e2589eedf 100644
--- a/salt/netapi/rest_cherrypy/app.py
+++ b/salt/netapi/rest_cherrypy/app.py
@@ -2178,7 +2178,7 @@ def _is_valid_token(self, auth_token):
 # than hex, this will raise a ValueError.
 try:
 int(auth_token, 16)
- except ValueError:
+ except (TypeError, ValueError):
 return False
 # First check if the given token is in our session table; if so it's a
diff --git a/tests/integration/netapi/rest_cherrypy/test_app.py b/tests/integration/netapi/rest_cherrypy/test_app.py
index 5865510fd7ee..abf3e091afa5 100644
--- a/tests/integration/netapi/rest_cherrypy/test_app.py
+++ b/tests/integration/netapi/rest_cherrypy/test_app.py
@@ -2,6 +2,7 @@
 # Import python libs
 from __future__ import absolute_import
+import os
 # Import salt libs
 import salt.utils.json
@@ -163,6 +164,32 @@ def test_run_wrong_token(self):
 })
 assert response.status == '401 Unauthorized'
+ def test_run_pathname_token(self):
+ '''
+ Test the run URL with path that exists in token
+ '''
+ cmd = dict(self.low, **{'token': os.path.join('etc', 'passwd')})
+ body = urlencode(cmd)
+ request, response = self.request('/run', method='POST', body=body,
+ headers={
+ 'content-type': 'application/x-www-form-urlencoded'
+ })
+ assert response.status == '401 Unauthorized'
+ def test_run_pathname_not_exists_token(self):
+ '''
+ Test the run URL with path that does not exist in token
+ '''
+ cmd = dict(self.low, **{'token': os.path.join('tmp', 'doesnotexist')})
+ body = urlencode(cmd)
+ request, response = self.request('/run', method='POST', body=body,
+ headers={
+ 'content-type': 'application/x-www-form-urlencoded'
+ })
+ assert response.status == '401 Unauthorized'
+
 class TestWebhookDisableAuth(cptc.BaseRestCherryPyTest):
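Review bot: The comment just above the changed line still says only that a non-hex token "will raise a ValueError", which no longer describes the new `except (TypeError, ValueError):`; reword it to something like `# A non-string token raises TypeError and a non-hex string raises ValueError; either means the token is invalid.` Separately, `int(auth_token, 16)` is a looser filter than "hex digits only": it also accepts surrounding whitespace, a leading sign and a `0x` prefix, so values such as `' 0x1f'` or `'-1f'` pass this guard and reach the session-table and token lookups that follow, which is presumably where a malformed token matters. A stricter, exception-free check is `if not (isinstance(auth_token, six.string_types) and auth_token and all(c in string.hexdigits for c in auth_token)): return False`, assuming `six` and `string` are importable in this module (the import block is outside the hunk). `_is_valid_token` continues outside the hunk.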