From 71551fa055c92c62d965d59eeea95e7af111b4c9 Mon Sep 17 00:00:00 2001
From: dee077
Date: Sun, 15 Dec 2024 18:11:11 +0530
Subject: [PATCH] [freeradius] Add max_length validation for called_station_id in PostAuthSerializer #467

Updated the PostAuthSerializer to include a `max_length` attribute of 50 for the `called_station_id` field. This ensures that requests exceeding the character limit return an HTTP 400 error with an appropriate error message.

Fixes #467
---
 openwisp_radius/api/serializers.py | 4 +++-
 .../tests/test_api/test_freeradius_api.py | 12 ++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/openwisp_radius/api/serializers.py b/openwisp_radius/api/serializers.py
index 34dafe74..747e0fbd 100644
--- a/openwisp_radius/api/serializers.py
+++ b/openwisp_radius/api/serializers.py
@@ -120,7 +120,9 @@ class RadiusPostAuthSerializer(serializers.ModelSerializer):
 allow_blank=True,
 style={'input_type': 'password'},
 )
- called_station_id = serializers.CharField(required=False, allow_blank=True)
+ called_station_id = serializers.CharField(
+ required=False, allow_blank=True, max_length=50
+ )
 calling_station_id = serializers.CharField(required=False, allow_blank=True)

 def validate(self, data):
diff --git a/openwisp_radius/tests/test_api/test_freeradius_api.py b/openwisp_radius/tests/test_api/test_freeradius_api.py
index 6616e42d..d2dc745d 100644
--- a/openwisp_radius/tests/test_api/test_freeradius_api.py
+++ b/openwisp_radius/tests/test_api/test_freeradius_api.py
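Review bot: In `RadiusPostAuthSerializer` (openwisp_radius/api/serializers.py) the sibling field `calling_station_id`, visible on the context line right after the change, is still declared without a length bound, so an over-long value there would pass serializer validation and presumably fail or be truncated at the database layer, which is the failure this commit removes for `called_station_id`. Both values reach this endpoint in the post-auth request and can originate from the connecting client, so both should take the 400 path: `calling_station_id = serializers.CharField(required=False, allow_blank=True, max_length=50)`, assuming the model column has the same limit (confirm against the model, which is not shown here). The literal 50 duplicates the model's limit, so a comment such as `# keep in sync with the RadiusPostAuth model field max_length` would help keep the two from drifting. The serializer class body starts and ends outside the hunk.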
@@ -298,6 +298,18 @@ def test_postauth_400(self):
 self.assertEqual(RadiusPostAuth.objects.all().count(), 0)
 self.assertEqual(response.status_code, 400)

+ def test_postauth_called_station_id_max_length_50_exceed_400(self):
+ params = {'called_station_id': 'C0-4A-00-EE-D1-0D:' + 'A' * 50}
+ params = self._get_postauth_params(**params)
+ response = self.client.post(
+ reverse('radius:postauth'), params, HTTP_AUTHORIZATION=self.auth_header
+ )
+ self.assertEqual(response.status_code, 400)
+ self.assertEqual(
+ response.data['called_station_id'][0],
+ 'Ensure this field has no more than 50 characters.',
+ )
+
 @capture_any_output()
 def test_postauth_no_token_403(self):
 response = self.client.post(reverse('radius:postauth'), {'username': 'tester'})
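Review bot: The new test `test_postauth_called_station_id_max_length_50_exceed_400` sends a 68-character value (the 18-character prefix plus `'A' * 50`), so it never exercises the boundary and nothing checks that a value of exactly 50 characters is still accepted. Add the two edge cases: a 50-character value that succeeds and a 51-character value (`'A' * 51`) that is rejected. The test also does not verify that the rejected request stored nothing. The neighbouring `test_postauth_400` does this with `self.assertEqual(RadiusPostAuth.objects.all().count(), 0)`, and the same line belongs after the status check here.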