diff --git a/zerver/decorator.py b/zerver/decorator.py index a7c4bc0243..46b395d0f1 100644 --- a/zerver/decorator.py +++ b/zerver/decorator.py @@ -827,11 +827,11 @@ def is_local_addr(addr: str) -> bool: # These views are used by the main Django server to notify the Tornado server # of events. We protect them from the outside world by checking a shared # secret, and also the originating IP (for now). -def authenticate_notify(request: HttpRequest) -> bool: - return ( - is_local_addr(request.META["REMOTE_ADDR"]) - and request.POST.get("secret") == settings.SHARED_SECRET - ) +@has_request_variables +def authenticate_notify( + request: HttpRequest, secret: Optional[str] = REQ("secret", default=None) +) -> bool: + return is_local_addr(request.META["REMOTE_ADDR"]) and secret == settings.SHARED_SECRET def client_is_exempt_from_rate_limiting(request: HttpRequest) -> bool: diff --git a/zerver/tests/test_decorators.py b/zerver/tests/test_decorators.py index 66b3c39936..92f9cecf84 100644 --- a/zerver/tests/test_decorators.py +++ b/zerver/tests/test_decorators.py @@ -1578,6 +1578,17 @@ class TestInternalNotifyView(ZulipTestCase): self.internal_notify(False, request) def test_internal_requests_with_broken_secret(self) -> None: + request = HostRequestMock( + post_data=dict(data="something"), + meta_data=dict(REMOTE_ADDR="127.0.0.1"), + ) + + with self.settings(SHARED_SECRET="random"): + self.assertFalse(authenticate_notify(request)) + with self.assertRaises(AccessDeniedError) as context: + self.internal_notify(True, request) + self.assertEqual(context.exception.http_status_code, 403) + secret = "random" request = HostRequestMock( post_data=dict(secret=secret),