diff --git a/src/main/java/com/flightstats/hub/channel/ProviderResource.java b/src/main/java/com/flightstats/hub/channel/ProviderResource.java
index 03a5973e0..f1429b631 100644
--- a/src/main/java/com/flightstats/hub/channel/ProviderResource.java
+++ b/src/main/java/com/flightstats/hub/channel/ProviderResource.java
@@ -17,8 +17,10 @@ import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
+import java.io.IOException;
 import java.io.InputStream;
 import java.util.Collection;
+import java.util.regex.Pattern;
 /**
  * This is a convenience interface for external data Providers.
@@ -28,6 +30,8 @@
 @Path("/provider")
 public class ProviderResource {
+    private static final Pattern CHANNEL_NAME_PATTERN = Pattern.compile("^[a-zA-Z0-9_-]+$");
+    private static final String ALLOWED_CONTENT_TYPES = "application/hub";
     private final ChannelService channelService;
     private final ContentRetriever contentRetriever;
@@ -80,10 +84,21 @@ public Response insertValue(@HeaderParam("channelName") final String channelName
     @Path("/bulk")
     public Response insertBulk(@HeaderParam("channelName") final String channelName,
                                @HeaderParam("Content-Type") final String contentType,
-                               final InputStream data) {
+                               final InputStream data) throws IOException {
         try {
+            ensureChannel(channelName);
+            // Validate channelName
+            if (channelName == null || !CHANNEL_NAME_PATTERN.matcher(channelName).matches()) {
+                return Response.status(400).entity("Invalid channel name").build();
+            }
+
+            // Validate contentType
+            if (contentType == null || !ALLOWED_CONTENT_TYPES.contains(contentType)) {
+                return Response.status(400).entity("Invalid content type").build();
+            }
+
             BulkContent content = BulkContent.builder()
                 .isNew(true)
                 .contentType(contentType)
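Review bot: `ALLOWED_CONTENT_TYPES` in the second hunk is a single String despite its plural name, so its only visible use, `ALLOWED_CONTENT_TYPES.contains(contentType)` in the insertBulk hunk, is a substring test rather than a membership test: any header value that is a fragment of `application/hub` (including the empty string or `hub`) passes the check, while a full type carrying parameters is rejected. Declaring it as `private static final Set<String> ALLOWED_CONTENT_TYPES = Set.of("application/hub");` (with `import java.util.Set;` added to the first hunk) turns the same call site into an exact match without changing it. The third hunk's insertBulk body runs past the end of this chunk, so it is not reviewed on its own, but on its visible lines `ensureChannel(channelName)` is called before the null/regex check on `channelName`, so a name that would be rejected with 400 has already been handed to ensureChannel; moving the two validation blocks above that call keeps unvalidated input out of it.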