From 14e6c48103d7bff65226a063c263a405c4de426e Mon Sep 17 00:00:00 2001
From: Nickle Wang <nicklew@nvidia.com>
Date: Fri, 2 Aug 2024 10:22:31 +0800
Subject: [PATCH] RedfishPkg/RedfishHttpDxe: add status code check for
 modification request

Add HTTP status code check for POST, PUT, PATCH and DELETE Redfish
request. When status code is not expected, return failure to caller.
The expected HTTP status code is defined in Redfish specification.

Signed-off-by: Nickle Wang <nicklew@nvidia.com>
---
 RedfishPkg/RedfishHttpDxe/RedfishHttpDxe.c | 69 ++++++++++++++++++++--
 1 file changed, 65 insertions(+), 4 deletions(-)

diff --git a/RedfishPkg/RedfishHttpDxe/RedfishHttpDxe.c b/RedfishPkg/RedfishHttpDxe/RedfishHttpDxe.c
index f15b371f5b..2de5443bcd 100644
--- a/RedfishPkg/RedfishHttpDxe/RedfishHttpDxe.c
+++ b/RedfishPkg/RedfishHttpDxe/RedfishHttpDxe.c
@@ -92,6 +92,67 @@ RedfishRetryRequired (
   return FALSE;
 }
 
+/**
+
+  This function follows below sections in Redfish specification to
+  check HTTP status code and see if this is success response or not.
+
+  7.5.2 Modification success responses
+  7.11 POST (action)
+
+  @param[in]  Method          HTTP method of this status code.
+  @param[in]  StatusCode      HTTP status code.
+
+  @retval     BOOLEAN         Return true when this is success response.
+                              Return false when this is not success response.
+
+**/
+BOOLEAN
+RedfishSuccessResponse (
+  IN EFI_HTTP_METHOD       Method,
+  IN EFI_HTTP_STATUS_CODE  *StatusCode
+  )
+{
+  BOOLEAN  SuccessResponse;
+
+  if (StatusCode == NULL) {
+    return TRUE;
+  }
+
+  SuccessResponse = FALSE;
+  switch (Method) {
+    case HttpMethodPost:
+      if ((*StatusCode ==   HTTP_STATUS_200_OK) ||
+          (*StatusCode ==   HTTP_STATUS_201_CREATED) ||
+          (*StatusCode == HTTP_STATUS_202_ACCEPTED) ||
+          (*StatusCode == HTTP_STATUS_204_NO_CONTENT))
+      {
+        SuccessResponse = TRUE;
+      }
+
+      break;
+    case HttpMethodPatch:
+    case HttpMethodPut:
+    case HttpMethodDelete:
+      if ((*StatusCode ==   HTTP_STATUS_200_OK) ||
+          (*StatusCode == HTTP_STATUS_202_ACCEPTED) ||
+          (*StatusCode == HTTP_STATUS_204_NO_CONTENT))
+      {
+        SuccessResponse = TRUE;
+      }
+
+      break;
+    default:
+      //
+      // Return true for unsupported method to prevent false alarm.
+      //
+      SuccessResponse = TRUE;
+      break;
+  }
+
+  return SuccessResponse;
+}
+
 /**
 
   Convert Unicode string to ASCII string. It's call responsibility to release returned buffer.
@@ -824,7 +885,7 @@ RedfishPatchResource (
   DEBUG ((REDFISH_HTTP_CACHE_DEBUG, "%a: Resource is updated, expire URI: %s\n", __func__, Uri));
   RedfishExpireResponse (This, Uri);
 
-  if (EFI_ERROR (Status)) {
+  if (EFI_ERROR (Status) || !RedfishSuccessResponse (HttpMethodPatch, Response->StatusCode)) {
     DEBUG_CODE (
       DumpRedfishResponse (NULL, DEBUG_ERROR, Response);
       );
@@ -941,7 +1002,7 @@ RedfishPutResource (
   DEBUG ((REDFISH_HTTP_CACHE_DEBUG, "%a: Resource is updated, expire URI: %s\n", __func__, Uri));
   RedfishExpireResponse (This, Uri);
 
-  if (EFI_ERROR (Status)) {
+  if (EFI_ERROR (Status) || !RedfishSuccessResponse (HttpMethodPut, Response->StatusCode)) {
     DEBUG_CODE (
       DumpRedfishResponse (NULL, DEBUG_ERROR, Response);
       );
@@ -1058,7 +1119,7 @@ RedfishPostResource (
   DEBUG ((REDFISH_HTTP_CACHE_DEBUG, "%a: Resource is updated, expire URI: %s\n", __func__, Uri));
   RedfishExpireResponse (This, Uri);
 
-  if (EFI_ERROR (Status)) {
+  if (EFI_ERROR (Status) || !RedfishSuccessResponse (HttpMethodPost, Response->StatusCode)) {
     DEBUG_CODE (
       DumpRedfishResponse (NULL, DEBUG_ERROR, Response);
       );
@@ -1177,7 +1238,7 @@ RedfishDeleteResource (
   DEBUG ((REDFISH_HTTP_CACHE_DEBUG, "%a: Resource is updated, expire URI: %s\n", __func__, Uri));
   RedfishExpireResponse (This, Uri);
 
-  if (EFI_ERROR (Status)) {
+  if (EFI_ERROR (Status) || !RedfishSuccessResponse (HttpMethodDelete, Response->StatusCode)) {
     DEBUG_CODE (
       DumpRedfishResponse (NULL, DEBUG_ERROR, Response);
       );