only allow calls to api endpoints

Author: benPearce1

pkg/cmd/api/api.go

@@ -4,8 +4,10 @@ import (
 	"bytes"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"io"
 	"net/http"
+	"strings"
 
 	"github.com/MakeNowJust/heredoc/v2"
 	"github.com/OctopusDeploy/cli/pkg/apiclient"
@@ -38,6 +40,10 @@ func NewCmdAPI(f factory.Factory) *cobra.Command {
 }
 
 func apiRun(cmd *cobra.Command, f factory.Factory, path string) error {
+	if err := validateAPIPath(path); err != nil {
+		return err
+	}
+
 	client, err := f.GetSystemClient(apiclient.NewRequester(cmd))
 	if err != nil {
 		return err
@@ -73,3 +79,11 @@ func apiRun(cmd *cobra.Command, f factory.Factory, path string) error {
 
 	return nil
 }
+
+func validateAPIPath(path string) error {
+	trimmed := strings.TrimLeft(path, "/")
+	if !strings.HasPrefix(trimmed, "api") {
+		return fmt.Errorf("the api command only supports paths prefixed with /api (e.g. /api/spaces)")
+	}
+	return nil
+}

pkg/cmd/api/api_test.go

@@ -91,6 +91,14 @@ func TestApiCommand(t *testing.T) {
 			assert.Equal(t, "OK", stdOut.String())
 		}},
 
+		{"rejects path not prefixed with /api", func(t *testing.T, api *testutil.MockHttpServer, rootCmd *cobra.Command, stdOut *bytes.Buffer, stdErr *bytes.Buffer) {
+			defer api.Close()
+			rootCmd.SetArgs([]string{"api", "/some/other/path"})
+			_, err := rootCmd.ExecuteC()
+			assert.Error(t, err)
+			assert.Contains(t, err.Error(), "only supports paths prefixed with /api")
+		}},
+
 		{"requires an argument", func(t *testing.T, api *testutil.MockHttpServer, rootCmd *cobra.Command, stdOut *bytes.Buffer, stdErr *bytes.Buffer) {
 			defer api.Close()
 			rootCmd.SetArgs([]string{"api"})