From 7dfdec3da30108894461d1b695b65a8080ccd06f Mon Sep 17 00:00:00 2001
From: Simon Warta <simon@warta.it>
Date: Tue, 4 Aug 2020 11:23:29 +0200
Subject: [PATCH] Improve type checks of RequestParser.parseCreditBody

---
 packages/faucet/src/api/requestparser.spec.ts | 12 ++++++++++++
 packages/faucet/src/api/requestparser.ts      | 10 ++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/packages/faucet/src/api/requestparser.spec.ts b/packages/faucet/src/api/requestparser.spec.ts
index 7351202993..aeb53e38c8 100644
--- a/packages/faucet/src/api/requestparser.spec.ts
+++ b/packages/faucet/src/api/requestparser.spec.ts
@@ -7,6 +7,18 @@ describe("RequestParser", () => {
   });
 
   it("throws for invalid credit requests", () => {
+    // body not a dictionary
+    {
+      expect(() => RequestParser.parseCreditBody("foo")).toThrowError(/Request body must be a dictionary./i);
+      expect(() => RequestParser.parseCreditBody(null)).toThrowError(/Request body must be a dictionary./i);
+      expect(() => RequestParser.parseCreditBody(42)).toThrowError(/Request body must be a dictionary./i);
+      expect(() => RequestParser.parseCreditBody([])).toThrowError(/Request body must be a dictionary./i);
+      expect(() => RequestParser.parseCreditBody(true)).toThrowError(/Request body must be a dictionary./i);
+      expect(() => RequestParser.parseCreditBody(undefined)).toThrowError(
+        /Request body must be a dictionary./i,
+      );
+    }
+
     // address unset
     {
       const body = { ticker: "TKN" };
diff --git a/packages/faucet/src/api/requestparser.ts b/packages/faucet/src/api/requestparser.ts
index db938f7349..77dda0f7f5 100644
--- a/packages/faucet/src/api/requestparser.ts
+++ b/packages/faucet/src/api/requestparser.ts
@@ -1,3 +1,5 @@
+import { isNonNullObject } from "@cosmjs/utils";
+
 import { HttpError } from "./httperror";
 
 export interface CreditRequestBodyData {
@@ -8,8 +10,12 @@ export interface CreditRequestBodyData {
 }
 
 export class RequestParser {
-  public static parseCreditBody(body: any): CreditRequestBodyData {
-    const { address, ticker } = body;
+  public static parseCreditBody(body: unknown): CreditRequestBodyData {
+    if (!isNonNullObject(body) || Array.isArray(body)) {
+      throw new HttpError(400, "Request body must be a dictionary.");
+    }
+
+    const { address, ticker } = body as any;
 
     if (typeof address !== "string") {
       throw new HttpError(400, "Property 'address' must be a string.");