From 36f8455d20173bded4ad14175fac403ed8c1de99 Mon Sep 17 00:00:00 2001
From: Kyle Herock <kherock@gmail.com>
Date: Wed, 6 Feb 2019 22:48:02 -0500
Subject: [PATCH] require at least one Object in deleteObjects requests (fixes
 #372)

---
 lib/controllers.js |  9 ++++++++-
 test/test.js       | 17 ++++++++++++-----
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/lib/controllers.js b/lib/controllers.js
index 5849adb5..e7283d6e 100644
--- a/lib/controllers.js
+++ b/lib/controllers.js
@@ -106,7 +106,14 @@ module.exports = function(rootDirectory, logger, indexDocument, errorDocument) {
 
   function deleteObjects(req, res) {
     xml2js.parseString(req.body, (err, parsedBody) => {
-      const keys = (parsedBody.Delete.Object || []).map(o => o.Key[0]);
+      if (!parsedBody.Delete || !parsedBody.Delete.Object) {
+        const template = templateBuilder.buildError(
+          "MalformedXML",
+          "The XML you provided was not well-formed or did not validate against our published schema"
+        );
+        return buildXmlResponse(res, 400, template);
+      }
+      const keys = parsedBody.Delete.Object.map(o => o.Key[0]);
       async.each(
         keys,
         (key, cb) => {
diff --git a/test/test.js b/test/test.js
index 90751142..7ade574a 100644
--- a/test/test.js
+++ b/test/test.js
@@ -605,7 +605,7 @@ describe("S3rver Tests", function() {
     expect(res.headers).to.have.property("content-length", "100");
   });
 
-  it("out of bounds range requests should return 416", function*() {
+  it("should return 416 error for out of bounds range requests", function*() {
     const file = path.join(__dirname, "resources/image0.jpg");
     const filesize = fs.statSync(file).size;
     yield s3Client
@@ -1059,10 +1059,17 @@ describe("S3rver Tests", function() {
     expect(find(data.Deleted, { Key: "key67" })).to.exist;
   });
 
-  it("should not throw when using deleteObjects with zero objects", function*() {
-    yield s3Client
-      .deleteObjects({ Bucket: buckets[2], Delete: { Objects: [] } })
-      .promise();
+  it("should report invalid XML when using deleteObjects with zero objects", function*() {
+    let error;
+    try {
+      yield s3Client
+        .deleteObjects({ Bucket: buckets[2], Delete: { Objects: [] } })
+        .promise();
+    } catch (err) {
+      error = err;
+    }
+    expect(error).to.exist;
+    expect(error.code).to.equal("MalformedXML");
   });
 
   it("should return nonexistent objects as deleted with deleteObjects", function*() {