Validate device handle format.

test/test_api.py

@@ -128,6 +128,23 @@ def test_get_device_descriptor_and_cert(self):
         ).data, default_backend())
         self.assertEqual(CERT, cert.public_bytes(Encoding.DER))
 
+    def test_get_invalid_device(self):
+        resp = self.app.get('/foouser/' + ('ab' * 16),
+                            environ_base={'REMOTE_USER': 'fooclient'}
+                            )
+        self.assertEqual(resp.status_code, 404)
+
+        self.do_register(SoftU2FDevice())
+        resp = self.app.get('/foouser/' + ('ab' * 16),
+                            environ_base={'REMOTE_USER': 'fooclient'}
+                            )
+        self.assertEqual(resp.status_code, 404)
+
+        resp = self.app.get('/foouser/InvalidHandle',
+                            environ_base={'REMOTE_USER': 'fooclient'}
+                            )
+        self.assertEqual(resp.status_code, 400)
+
     def test_delete_user(self):
         self.do_register(SoftU2FDevice())
         self.do_register(SoftU2FDevice())

u2fval/view.py

@@ -16,6 +16,7 @@
 from six.moves.urllib.parse import unquote
 import json
 import os
+import re
 
 
 if app.config['USE_MEMCACHED']:
@@ -327,15 +328,19 @@ def sign(user_id):
         return jsonify(_sign_request(user_id, challenge, handles, properties))
 
 
+_HANDLE_PATTERN = re.compile(r'^[a-f0-9]{32}$')
+
+
 @app.route('/<user_id>/<handle>', methods=['GET', 'POST', 'DELETE'])
 def device(user_id, handle):
+    if _HANDLE_PATTERN.match(handle) is None:
+        raise exc.BadInputException('Invalid device handle: ' + handle)
+
     user = get_user(user_id)
-    if user is None:
-        raise exc.NotFoundException('Device not found')
     try:
         dev = user.devices[handle]
-    except KeyError:
-        raise exc.BadInputException('Invalid device handle: ' + handle)
+    except (AttributeError, KeyError):
+        raise exc.NotFoundException('Device not found')
 
     if request.method == 'DELETE':
         if dev is not None: