omgnetwork · kalouo · Apr 10, 2020 · Mar 20, 2020 · Mar 24, 2020 · Mar 24, 2020
diff --git a/.gitignore b/.gitignore
@@ -72,3 +72,6 @@ localchain_contract_addresses.env
 # IntelliJ files
 .idea/
 *.iml
+
+#vs code
+.tool_versions
diff --git a/apps/omg_child_chain_rpc/lib/omg_child_chain_rpc/web/controllers/fee.ex b/apps/omg_child_chain_rpc/lib/omg_child_chain_rpc/web/controllers/fee.ex
@@ -18,7 +18,7 @@ defmodule OMG.ChildChainRPC.Web.Controller.Fee do
   """
 
   use OMG.ChildChainRPC.Web, :controller
-  plug(OMG.ChildChainRPC.Plugs.Health)
+  plug(OMG.ChildChainRPC.Web.Plugs.Health)
   alias OMG.ChildChain
 
   def fees_all(conn, params) do

diff --git a/apps/omg_child_chain_rpc/lib/omg_child_chain_rpc/web/controllers/transaction.ex b/apps/omg_child_chain_rpc/lib/omg_child_chain_rpc/web/controllers/transaction.ex
@@ -19,7 +19,7 @@ defmodule OMG.ChildChainRPC.Web.Controller.Transaction do
 
   use OMG.ChildChainRPC.Web, :controller
   # check for health before calling action
-  plug(OMG.ChildChainRPC.Plugs.Health)
+  plug(OMG.ChildChainRPC.Web.Plugs.Health)
   alias OMG.ChildChain
 
   def submit(conn, params) do

diff --git a/apps/omg_child_chain_rpc/lib/omg_child_chain_rpc/web/endpoint.ex b/apps/omg_child_chain_rpc/lib/omg_child_chain_rpc/web/endpoint.ex
@@ -21,8 +21,8 @@ defmodule OMG.ChildChainRPC.Web.Endpoint do
 
   plug(
     Plug.Parsers,
-    parsers: [:urlencoded, :multipart, :json],
-    pass: ["*/*"],
+    parsers: [:json],
+    pass: [],
     json_decoder: Jason
   )
 
@@ -32,5 +32,6 @@ defmodule OMG.ChildChainRPC.Web.Endpoint do
   if Application.get_env(:omg_child_chain_rpc, OMG.ChildChainRPC.Web.Endpoint)[:enable_cors],
     do: plug(CORSPlug)
 
+  plug(OMG.ChildChainRPC.Web.Plugs.MethodParamFilter)
   plug(OMG.ChildChainRPC.Web.Router)
 end
diff --git a/apps/omg_child_chain_rpc/lib/omg_child_chain_rpc/web/plugs/health.ex b/apps/omg_child_chain_rpc/lib/omg_child_chain_rpc/web/plugs/health.ex
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-defmodule OMG.ChildChainRPC.Plugs.Health do
+defmodule OMG.ChildChainRPC.Web.Plugs.Health do
   @moduledoc """
   Observes the systems alarms and prevents calls towards an unhealthy one.
   """

diff --git a/apps/omg_child_chain_rpc/lib/omg_child_chain_rpc/web/plugs/method_param_filter.ex b/apps/omg_child_chain_rpc/lib/omg_child_chain_rpc/web/plugs/method_param_filter.ex
@@ -0,0 +1,40 @@
+# Copyright 2019-2020 OmiseGO Pte Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+defmodule OMG.ChildChainRPC.Web.Plugs.MethodParamFilter do
+  @moduledoc """
+  Filters the `query_params`, `body_params` and `params` of the conn
+  depending on the HTTP method used.
+
+  For a POST: `query_params` will be ignored and `body_params` will be
+  set to `params`.
+
+  For a GET: `body_params` will be ignored and `query_params` will be
+  set to `params`.
+  """
+
+  def init(args), do: args
+
+  def call(%Plug.Conn{method: "POST", body_params: params} = conn, _) do
+    conn
+    |> Map.put(:query_params, %{})
+    |> Map.put(:params, params)
+  end
+
+  def call(%Plug.Conn{method: "GET", query_params: params} = conn, _) do
+    conn
+    |> Map.put(:body_params, %{})
+    |> Map.put(:params, params)
+  end
+end
diff --git a/apps/omg_child_chain_rpc/test/omg_child_chain_rpc/web/controllers/block_test.exs b/apps/omg_child_chain_rpc/test/omg_child_chain_rpc/web/controllers/block_test.exs
@@ -75,4 +75,23 @@ defmodule OMG.ChildChainRPC.Web.Controller.BlockTest do
              }
            } = TestHelper.rpc_call(:post, "/block.get", missing_param)
   end
+
+  @tag fixtures: [:phoenix_sandbox]
+  test "block.get returns bad request error if hash passed in as query parameter" do
+    valid_hash = "0x" <> String.duplicate("00", 32)
+
+    assert %{
+             "success" => false,
+             "data" => %{
+               "object" => "error",
+               "code" => "operation:bad_request",
+               "messages" => %{
+                 "validation_error" => %{
+                   "parameter" => "hash",
+                   "validator" => ":hex"
+                 }
+               }
+             }
+           } = TestHelper.rpc_call(:post, "/block.get?hash=#{valid_hash}")
+  end
 end
diff --git a/apps/omg_child_chain_rpc/test/omg_child_chain_rpc/web/plugs/health_test.exs b/apps/omg_child_chain_rpc/test/omg_child_chain_rpc/web/plugs/health_test.exs
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-defmodule OMG.ChildChainRPC.Plugs.HealthTest do
+defmodule OMG.ChildChainRPC.Web.Plugs.HealthTest do
   use ExUnitFixtures
   use ExUnit.Case, async: false
 
@@ -35,7 +35,7 @@ defmodule OMG.ChildChainRPC.Plugs.HealthTest do
                 %{
                   "boot_in_progress" => %{
                     "node" => "nonode@nohost",
-                    "reporter" => "Elixir.OMG.ChildChainRPC.Plugs.HealthTest"
+                    "reporter" => "Elixir.OMG.ChildChainRPC.Web.Plugs.HealthTest"
                   }
                 }
               ],
@@ -80,7 +80,7 @@ defmodule OMG.ChildChainRPC.Plugs.HealthTest do
                 %{
                   "ethereum_connection_error" => %{
                     "node" => "nonode@nohost",
-                    "reporter" => "Elixir.OMG.ChildChainRPC.Plugs.HealthTest"
+                    "reporter" => "Elixir.OMG.ChildChainRPC.Web.Plugs.HealthTest"
                   }
                 }
               ],

diff --git a/apps/omg_child_chain_rpc/test/omg_child_chain_rpc/web/plugs/method_param_filter_test.exs b/apps/omg_child_chain_rpc/test/omg_child_chain_rpc/web/plugs/method_param_filter_test.exs
@@ -0,0 +1,44 @@
+# Copyright 2019-2020 OmiseGO Pte Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+defmodule OMG.ChildChainRPC.Web.Plugs.MethodParamFilterTest do
+  use ExUnit.Case, async: true
+  use Plug.Test
+
+  alias OMG.ChildChainRPC.Web.Plugs.MethodParamFilter
+
+  test "filters query params for POST" do
+    conn =
+      :post
+      |> conn("/some_endpoint?foo=bar", %{"foo_1" => "bar_1"})
+      |> Plug.Parsers.call({[:json], [], nil})
+      |> MethodParamFilter.call([])
+
+    assert conn.body_params == %{"foo_1" => "bar_1"}
+    assert conn.query_params == %{}
+    assert conn.params == %{"foo_1" => "bar_1"}
+  end
+
+  test "filters body params for GET" do
+    conn =
+      :get
+      |> conn("/some_endpoint?foo=bar", %{"foo_1" => "bar_1"})
+      |> Plug.Parsers.call({[:json], [], nil})
+      |> MethodParamFilter.call([])
+
+    assert conn.body_params == %{}
+    assert conn.query_params == %{"foo" => "bar"}
+    assert conn.params == %{"foo" => "bar"}
+  end
+end
diff --git a/apps/omg_watcher_rpc/lib/web/endpoint.ex b/apps/omg_watcher_rpc/lib/web/endpoint.ex
@@ -19,10 +19,14 @@ defmodule OMG.WatcherRPC.Web.Endpoint do
   plug(Plug.RequestId)
   plug(Plug.Logger, log: :debug)
 
+  if code_reloading? do
+    plug(Phoenix.CodeReloader)
+  end
+
   plug(
     Plug.Parsers,
-    parsers: [:urlencoded, :multipart, :json],
-    pass: ["*/*"],
+    parsers: [:json],
+    pass: [],
     json_decoder: Jason
   )
 
@@ -32,5 +36,6 @@ defmodule OMG.WatcherRPC.Web.Endpoint do
   if Application.get_env(:omg_watcher_rpc, OMG.WatcherRPC.Web.Endpoint)[:enable_cors],
     do: plug(CORSPlug)
 
+  plug(OMG.WatcherRPC.Web.Plugs.MethodParamFilter)
   plug(OMG.WatcherRPC.Web.Router)
 end
diff --git a/apps/omg_watcher_rpc/lib/web/plugs/method_param_filter.ex b/apps/omg_watcher_rpc/lib/web/plugs/method_param_filter.ex
@@ -0,0 +1,40 @@
+# Copyright 2019-2020 OmiseGO Pte Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+defmodule OMG.WatcherRPC.Web.Plugs.MethodParamFilter do
+  @moduledoc """
+  Filters the `query_params`, `body_params` and `params` of the conn
+  depending on the HTTP method used.
+
+  For a POST: `query_params` will be ignored and `body_params` will be
+  set to `params`.
+
+  For a GET: `body_params` will be ignored and `query_params` will be
+  set to `params`.
+  """
+
+  def init(args), do: args
+
+  def call(%Plug.Conn{method: "POST", body_params: params} = conn, _) do
+    conn
+    |> Map.put(:query_params, %{})
+    |> Map.put(:params, params)
+  end
+
+  def call(%Plug.Conn{method: "GET", query_params: params} = conn, _) do
+    conn
+    |> Map.put(:body_params, %{})
+    |> Map.put(:params, params)
+  end
+end
diff --git a/apps/omg_watcher_rpc/lib/web/views/error.ex b/apps/omg_watcher_rpc/lib/web/views/error.ex
@@ -32,6 +32,15 @@ defmodule OMG.WatcherRPC.Web.Views.Error do
     |> WatcherRPCResponse.add_app_infos()
   end
 
+  @doc """
+  Handles invalid input parsing errors, e.g. Content-Type not application/json
+  """
+  def render("415.json", _) do
+    "operation:bad_request"
+    |> Error.serialize("Invalid Content-Type header, use application/json.")
+    |> WatcherRPCResponse.add_app_infos()
+  end
+
   @doc """
   Supports internal server error thrown by Phoenix.
   """

diff --git a/apps/omg_watcher_rpc/test/omg_watcher_rpc/web/controllers/account_test.exs b/apps/omg_watcher_rpc/test/omg_watcher_rpc/web/controllers/account_test.exs
@@ -89,6 +89,25 @@ defmodule OMG.WatcherRPC.Web.Controller.AccountTest do
            } == WatcherHelper.no_success?("account.get_balance", %{"address" => 1_234_567_890})
   end
 
+  @tag fixtures: [:alice, :phoenix_ecto_sandbox]
+  test "account.get_balance returns bad request error if address is passed as a query parameter", %{
+    alice: alice
+  } do
+    %{"address" => address} = body_for(alice)
+
+    assert %{
+             "object" => "error",
+             "code" => "operation:bad_request",
+             "description" => "Parameters required by this operation are missing or incorrect.",
+             "messages" => %{
+               "validation_error" => %{
+                 "parameter" => "address",
+                 "validator" => ":hex"
+               }
+             }
+           } == WatcherHelper.no_success?("account.get_balance?address=#{address}")
+  end
+
   describe "standard_exitable" do
     @tag fixtures: [:phoenix_ecto_sandbox, :db_initialized, :carol]
     test "no utxos are returned for non-existing addresses", %{carol: carol} do

diff --git a/apps/omg_watcher_rpc/test/omg_watcher_rpc/web/controllers/transaction_test.exs b/apps/omg_watcher_rpc/test/omg_watcher_rpc/web/controllers/transaction_test.exs
@@ -188,6 +188,23 @@ defmodule OMG.WatcherRPC.Web.Controller.TransactionTest do
                }
              } == WatcherHelper.no_success?("transaction.get", %{"id" => "0x50e901b98fe3389e32d56166a13a88208b03ea75"})
     end
+
+    @tag fixtures: [:phoenix_ecto_sandbox]
+    test "returns bad request error if transaction hash is passed as query parameter" do
+      txhash = insert(:transaction) |> Map.get(:txhash) |> Encoding.to_hex()
+
+      assert %{
+               "object" => "error",
+               "code" => "operation:bad_request",
+               "description" => "Parameters required by this operation are missing or incorrect.",
+               "messages" => %{
+                 "validation_error" => %{
+                   "parameter" => "id",
+                   "validator" => ":hex"
+                 }
+               }
+             } == WatcherHelper.no_success?("transaction.get?id=#{txhash}")
+    end
   end
 
   describe "/transaction.all" do

diff --git a/apps/omg_watcher_rpc/test/omg_watcher_rpc/web/plugs/method_param_filter_test.exs b/apps/omg_watcher_rpc/test/omg_watcher_rpc/web/plugs/method_param_filter_test.exs
@@ -0,0 +1,44 @@
+# Copyright 2019-2020 OmiseGO Pte Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+defmodule OMG.WatcherRPC.Web.Plugs.MethodParamFilterTest do
+  use ExUnit.Case, async: true
+  use Plug.Test
+
+  alias OMG.WatcherRPC.Web.Plugs.MethodParamFilter
+
+  test "filters query params for POST" do
+    conn =
+      :post
+      |> conn("/some_endpoint?foo=bar", %{"foo_1" => "bar_1"})
+      |> Plug.Parsers.call({[:json], [], nil})
+      |> MethodParamFilter.call([])
+
+    assert conn.body_params == %{"foo_1" => "bar_1"}
+    assert conn.query_params == %{}
+    assert conn.params == %{"foo_1" => "bar_1"}
+  end
+
+  test "filters body params for GET" do
+    conn =
+      :get
+      |> conn("/some_endpoint?foo=bar", %{"foo_1" => "bar_1"})
+      |> Plug.Parsers.call({[:json], [], nil})
+      |> MethodParamFilter.call([])
+
+    assert conn.body_params == %{}
+    assert conn.query_params == %{"foo" => "bar"}
+    assert conn.params == %{"foo" => "bar"}
+  end
+end
diff --git a/priv/cabbage/apps/itest/lib/child_chain_api/connection.ex b/priv/cabbage/apps/itest/lib/child_chain_api/connection.ex
@@ -24,7 +24,7 @@ if Code.ensure_loaded?(ChildChainAPI.Connection) do
 
     # Add any middleware here (authentication)
     plug(Tesla.Middleware.BaseUrl, "http://localhost:9656")
-    plug(Tesla.Middleware.Headers, [{"user-agent", "Itest-Elixir"}])
+    plug(Tesla.Middleware.Headers, [{"user-agent", "Itest-Elixir"}, {"Content-Type", "application/json"}])
     plug(Tesla.Middleware.EncodeJson, engine: Poison)
 
     @doc """

diff --git a/priv/cabbage/apps/itest/lib/watcher_info_api/connection.ex b/priv/cabbage/apps/itest/lib/watcher_info_api/connection.ex
@@ -24,7 +24,7 @@ if Code.ensure_loaded?(WatcherInfoAPI.Connection) do
 
     # Add any middleware here (authentication)
     plug(Tesla.Middleware.BaseUrl, "http://localhost:7534")
-    plug(Tesla.Middleware.Headers, [{"user-agent", "Itest-Elixir"}])
+    plug(Tesla.Middleware.Headers, [{"user-agent", "Itest-Elixir"}, {"Content-Type", "application/json"}])
     plug(Tesla.Middleware.EncodeJson, engine: Poison)
 
     @doc """

diff --git a/priv/cabbage/apps/itest/lib/watcher_security_critical_api/connection.ex b/priv/cabbage/apps/itest/lib/watcher_security_critical_api/connection.ex
@@ -28,7 +28,7 @@ if Code.ensure_loaded?(WatcherSecurityCriticalAPI.Connection) do
 
     # Add any middleware here (authentication)
     plug(Tesla.Middleware.BaseUrl, "http://localhost:7434")
-    plug(Tesla.Middleware.Headers, [{"user-agent", "Elixir"}])
+    plug(Tesla.Middleware.Headers, [{"user-agent", "Elixir"}, {"Content-Type", "application/json"}])
     plug(Tesla.Middleware.EncodeJson, engine: Poison)
 
     @doc """