Added socket_id validation

pusher/pusher.py

@@ -5,7 +5,7 @@
 from pusher.http import GET, POST, Request, request_method
 from pusher.signature import sign, verify
 from pusher.requests import RequestsBackend
-from pusher.util import ensure_text, validate_channel, app_id_re, pusher_url_re, channel_name_re
+from pusher.util import ensure_text, validate_channel, validate_socket_id, app_id_re, pusher_url_re, channel_name_re
 
 import collections
 import hashlib
@@ -153,7 +153,7 @@ def trigger(self, channels, event_name, data, socket_id=None):
             'data': data
         }
         if socket_id:
-            params['socket_id'] = ensure_text(socket_id, "socket_id")
+            params['socket_id'] = validate_socket_id(socket_id)
 
         return Request(self, POST, "/apps/%s/events" % self.app_id, params)
 
@@ -208,7 +208,7 @@ def authenticate(self, channel, socket_id, custom_data=None):
         if not channel_name_re.match(channel):
             raise ValueError('Channel should be a valid channel, got: %s' % channel)
 
-        socket_id = ensure_text(socket_id, "socket_id")
+        socket_id = validate_socket_id(socket_id)
 
         if custom_data:
             custom_data = json.dumps(custom_data, cls=self._json_encoder)

pusher/util.py

@@ -11,6 +11,7 @@
 channel_name_re = re.compile('^[-a-zA-Z0-9_=@,.;]+$')
 app_id_re       = re.compile('^[0-9]+$')
 pusher_url_re   = re.compile('(http|https)://(.*):(.*)@(.*)/apps/([0-9]+)')
+socket_id_re    = re.compile('\d+\.\d+')
 
 if sys.version_info < (3,):
     text = 'a unicode string'
@@ -34,3 +35,11 @@ def validate_channel(channel):
         raise ValueError("Invalid Channel: %s" % channel)
 
     return channel
+
+def validate_socket_id(socket_id):
+    socket_id = ensure_text(socket_id, "socket_id")
+
+    if not socket_id_re.match(socket_id):
+        raise ValueError("Invalid socket ID: %s" % socket_id)
+
+    return socket_id

pusher_tests/test_pusher.py

@@ -105,10 +105,10 @@ def test_authenticate_for_private_channels(self):
         pusher = Pusher.from_url(u'http://foo:bar@host/apps/4')
 
         expected = {
-            u'auth': u"foo:076740bd063f0299742a73bc5aac88900e5f35cb0185a1facbf45d326b5b204b"
+            u'auth': u"foo:89955e77e1b40e33df6d515a5ecbba86a01dc816a5b720da18a06fd26f7d92ff"
         }
 
-        self.assertEqual(pusher.authenticate(u'private-channel', u'34523'), expected)
+        self.assertEqual(pusher.authenticate(u'private-channel', u'345.23'), expected)
 
     def test_authenticate_for_presence_channels(self):
         pusher = Pusher.from_url(u'http://foo:bar@host/apps/4')
@@ -121,12 +121,12 @@ def test_authenticate_for_presence_channels(self):
         }
 
         expected = {
-            u'auth': u"foo:fbbc6d8acc85fc807bba060e2df45aba33deb8ad44cbee1633675b3ce73f4817",
+            u'auth': u"foo:e80ba6439492c2113022c39297a87a948de14061cc67b5788e045645a68b8ccd",
             u'channel_data': u"{\"user_id\":\"fred\",\"user_info\":{\"key\":\"value\"}}"
         }
 
         with mock.patch('json.dumps', return_value=expected[u'channel_data']) as dumps_mock:
-            actual = pusher.authenticate(u'presence-channel', u'34543245', custom_data)
+            actual = pusher.authenticate(u'presence-channel', u'345.43245', custom_data)
 
         self.assertEqual(actual, expected)
         dumps_mock.assert_called_once_with(custom_data, cls=None)
@@ -257,9 +257,9 @@ def test_custom_json_decoder(self):
     def test_custom_json_encoder(self):
         expected = {
             u'channel_data': '{"money": "1.32"}',
-            u'auth': u'key:75c6044a30f2ccd9952c48cfcf149cb0a4843bf38bab47545fb953acd62bd0c9'
+            u'auth': u'key:7f2ae5922800a20b9615543ce7c8e7d1c97115d108939410825ea690f308a05f'
         }
-        data = self.pusher.authenticate("presence-c1", "1", {"money": Decimal("1.32")})
+        data = self.pusher.authenticate("presence-c1", "1.1", {"money": Decimal("1.32")})
         self.assertEqual(expected, data)
 
 if __name__ == '__main__':