From dcdd33287c36a89f4f510e4f46a56bf7af3c6007 Mon Sep 17 00:00:00 2001
From: Teodora Sechkova
Date: Tue, 8 Jun 2021 18:23:11 +0300
Subject: [PATCH] Add basic input validation to {Meta,Target}File

Add basic checks for allowed input values during objects' serialization.

Signed-off-by: Teodora Sechkova
---
 tuf/api/metadata.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/tuf/api/metadata.py b/tuf/api/metadata.py
index d6ec17843a..82b7e74e5e 100644
--- a/tuf/api/metadata.py
+++ b/tuf/api/metadata.py
@@ -719,6 +719,13 @@ def from_dict(cls, meta_dict: Dict[str, Any]) -> "MetaFile":
 version = meta_dict.pop("version")
 length = meta_dict.pop("length", None)
 hashes = meta_dict.pop("hashes", None)
+
+ # Do some basic input validation
+ if version <= 0:
+ raise ValueError(f"Metafile version must be > 0, got {version}")
+ if length is not None and length <= 0:
+ raise ValueError(f"Metafile length must be > 0, got {length}")
+
 # All fields left in the meta_dict are unrecognized.
 return cls(version, length, hashes, meta_dict)
@@ -1019,6 +1026,13 @@ def from_dict(cls, target_dict: Dict[str, Any]) -> "TargetFile":
 """Creates TargetFile object from its dict representation."""
 length = target_dict.pop("length")
 hashes = target_dict.pop("hashes")
+
+ # Do some basic validation checks
+ if length <= 0:
+ raise ValueError(f"Targetfile length must be > 0, got {length}")
+ if not hashes:
+ raise ValueError("Missing targetfile hashes")
+
 # All fields left in the target_dict are unrecognized.
 return cls(length, hashes, target_dict)
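Review bot: The new `version <= 0` and `length <= 0` comparisons in MetaFile.from_dict assume the popped values are integers, but they are taken straight from the metadata dict. A string or `None` in `version` makes the comparison raise `TypeError` instead of the intended `ValueError`, and a float or bool passes the check. I would test the type first, e.g. `if not isinstance(version, int) or isinstance(version, bool) or version <= 0:`, and do the same for `length`. The `length <= 0` check in the TargetFile.from_dict hunk has the same gap. Both method bodies start above their hunks, so any earlier handling is not visible here.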
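Review bot: `if not hashes:` in TargetFile.from_dict only tests truthiness, so any non-empty value such as a string or a list is accepted as the target's hashes and passed to the constructor. These hashes are presumably what a downloaded target is later verified against, so I would check the shape here with `if not isinstance(hashes, dict) or not hashes:` and ideally require every key and value to be a `str`. MetaFile.from_dict in the first hunk does not inspect its optional `hashes` at all; applying the same check when `hashes is not None` would keep the two classes consistent. Separately, `length <= 0` rejects zero-length target files, so if empty targets are meant to be representable the condition should be `length < 0`.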