Fix not checking if the ID is valid when duplicating a resource

plone · Dec 12, 2022 · 64e3676 · 64e3676
1 parent 6ee373b
commit 64e3676
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 0 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -4,6 +4,8 @@ CHANGELOG
 6.5.0 (unreleased)
 ------------------
 
+- Fix not checking if the ID is valid when duplicating a resource
+  [masipcat]
 - Fix content.async_get() catches KeyError exceptions unrelated to txn.get_child()
 - Deps: replace aioredis with redis-py
 - Deps: updated flake8 so it won't depend on 'importlib-metadata<5'

diff --git a/guillotina/content.py b/guillotina/content.py
@@ -710,6 +710,10 @@ async def duplicate(
             count += 1
             new_id = f"{context.id}-duplicate-{count}"
 
+    id_checker = get_adapter(context, IIDChecker)
+    if not isinstance(new_id, str) or not await id_checker(new_id, context.type_name):
+        raise PreconditionFailed(new_id, "Invalid id")
+
     from guillotina.content import create_content_in_container
 
     creators = context.creators

diff --git a/guillotina/tests/test_api.py b/guillotina/tests/test_api.py
@@ -609,6 +609,13 @@ async def test_duplicate_content(container_requester):
         )
         folder_uid = response["@uid"]
 
+        _, status = await requester(
+            "POST",
+            "/db/guillotina/foobar1/@duplicate",
+            data=json.dumps({"new_id": "inva/id_path", "destination": "/folder"}),
+        )
+        assert status == 412
+
         await requester(
             "POST",
             "/db/guillotina/foobar1/@duplicate",