From 3d55be115035b0c02a1618bcc0c83f89719d2aef Mon Sep 17 00:00:00 2001
From: umayanga
Date: Wed, 22 Jul 2020 17:21:08 +0530
Subject: [PATCH 1/4] issue reviews done

---
 .../api/TallySheetVersionApi/__init__.py | 11 ++++++-----
 results-tabulation-api/exception/__init__.py | 6 +-----
 results-tabulation-api/util/__init__.py | 10 +++++-----
 3 files changed, 12 insertions(+), 15 deletions(-)

diff --git a/results-tabulation-api/api/TallySheetVersionApi/__init__.py b/results-tabulation-api/api/TallySheetVersionApi/__init__.py
index ab6776b0..46e570a3 100644
--- a/results-tabulation-api/api/TallySheetVersionApi/__init__.py
+++ b/results-tabulation-api/api/TallySheetVersionApi/__init__.py
@@ -5,14 +5,14 @@
 from app import db
 from auth import authorize
 from constants.AUTH_CONSTANTS import ALL_ROLES
-from exception import NotFoundException, InvalidInputException
+from exception import NotFoundException, ForbiddenException
 from exception.messages import MESSAGE_CODE_TALLY_SHEET_NOT_FOUND, MESSAGE_CODE_TALLY_SHEET_VERSION_NOT_FOUND, \
     MESSAGE_CODE_INVALID_INPUT
 from ext.ExtendedTallySheet import ExtendedTallySheet
 from orm.entities.Submission import TallySheet
 from orm.entities.SubmissionVersion import TallySheetVersion
 from schemas import TallySheetVersionSchema, TallySheetSchema_1
-from util import get_paginated_query, RequestBody, input_is_valid
+from util import get_paginated_query, RequestBody, validate_tally_sheet_version_request_content_special_characters
 
 
 def get_all(tallySheetId):
@@ -168,9 +168,10 @@ def create(tallySheetId, body):
     tally_sheet = TallySheet.get_by_id(tallySheetId=tallySheetId)
 
     # validate user inputs to prevent XSS attacks
-    if not input_is_valid(request_body.get("content")):
-        raise InvalidInputException(
-            message="Invalid input detected. Use of disallowed characters/invalid input length detected",
+    input_is_valid, error_message = validate_tally_sheet_version_request_content_special_characters(request_body.get("content"))
+    if not input_is_valid:
+        raise ForbiddenException(
+            message="Invalid input detected. Use of disallowed characters/invalid input length detected. " + error_message,
             code=MESSAGE_CODE_INVALID_INPUT
         )
 
diff --git a/results-tabulation-api/exception/__init__.py b/results-tabulation-api/exception/__init__.py
index b1529b81..4e18ff10 100644
--- a/results-tabulation-api/exception/__init__.py
+++ b/results-tabulation-api/exception/__init__.py
@@ -22,8 +22,4 @@ def InternalServerErrorException(message="", code=None):
 
 
 def NotImplementedException(message="", code=None):
-    raise ProblemException(501, "Not Implemented", message, "NotImplemented", code)
-
-
-def InvalidInputException(message="", code=None):
-    raise ProblemException(400, "Invalid Input", message, "Forbidden", code)
+    raise ProblemException(501, "Not Implemented", message, "NotImplemented", code)
\ No newline at end of file
diff --git a/results-tabulation-api/util/__init__.py b/results-tabulation-api/util/__init__.py
index 4e76f8c0..5327939f 100644
--- a/results-tabulation-api/util/__init__.py
+++ b/results-tabulation-api/util/__init__.py
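Review bot: The new `raise ForbiddenException(` on the third added line maps an input-validation failure to HTTP 403, and the exception hunk in this same patch deletes the 400 `InvalidInputException` that used to cover it, so clients and monitoring will read these rejections as authorization failures rather than bad requests. The message also appends `error_message`, which the util hunk builds from the raw submitted value, so up to 500 characters of untrusted input are reflected into the error body; if any consumer renders that body as HTML, the check reintroduces the reflection it is meant to block. I would keep a 400-class exception on this path and have the validator describe only the offending character and the item's position, never the value itself. Blocking seven characters on input is at best defence in depth; wherever these values are rendered they still need output encoding. The same reflected-value message reappears in the util hunks of patches 2 and 4.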
@@ -158,12 +158,12 @@ def get_sum_of_all_and_nan_otherwise(array):
     return result
 
 
-def input_is_valid(content_array):
+def validate_tally_sheet_version_request_content_special_characters(content_array):
     invalid_strings = ["'", "\"", "<", ">", "=", ",", ";"]
     for array_item in content_array:
-        for value in array_item:
-            text_value = str(array_item[value])
+        if "strValue" in array_item:
+            text_value = str(array_item["strValue"])
             for char in invalid_strings:
                 if char in text_value or len(text_value) > 500:
-                    return False
-    return True
\ No newline at end of file
+                    return False, char + " included in " + text_value
+    return True, ""

From 484e6d62ef56a93d8dec16e6bc652dd0ea964e3b Mon Sep 17 00:00:00 2001
From: umayanga
Date: Wed, 22 Jul 2020 17:38:59 +0530
Subject: [PATCH 2/4] move exception to function

---
 .../api/TallySheetVersionApi/__init__.py | 12 +++--------
 results-tabulation-api/util/__init__.py | 16 +++++++++++-----
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/results-tabulation-api/api/TallySheetVersionApi/__init__.py b/results-tabulation-api/api/TallySheetVersionApi/__init__.py
index 46e570a3..a2d2e939 100644
--- a/results-tabulation-api/api/TallySheetVersionApi/__init__.py
+++ b/results-tabulation-api/api/TallySheetVersionApi/__init__.py
@@ -5,9 +5,8 @@
 from app import db
 from auth import authorize
 from constants.AUTH_CONSTANTS import ALL_ROLES
-from exception import NotFoundException, ForbiddenException
-from exception.messages import MESSAGE_CODE_TALLY_SHEET_NOT_FOUND, MESSAGE_CODE_TALLY_SHEET_VERSION_NOT_FOUND, \
-    MESSAGE_CODE_INVALID_INPUT
+from exception import NotFoundException
+from exception.messages import MESSAGE_CODE_TALLY_SHEET_NOT_FOUND, MESSAGE_CODE_TALLY_SHEET_VERSION_NOT_FOUND
 from ext.ExtendedTallySheet import ExtendedTallySheet
 from orm.entities.Submission import TallySheet
 from orm.entities.SubmissionVersion import TallySheetVersion
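Review bot: In the new validator the `len(text_value) > 500` test sits inside the `for char in invalid_strings` loop, so an over-long value that contains none of the listed characters is rejected with the message `' included in <value>` (built from the first entry of `invalid_strings`), which misreports the cause, and the length is re-checked up to seven times per item. Hoist it above the loop: `if len(text_value) > 500: return False, "value longer than 500 characters"`. The same loop shape is carried into the util hunks of patches 2 and 4. Note also that switching from iterating every key to reading only `"strValue"` means any other string field in an item is no longer checked; that is fine if `strValue` is the only free-text field, but the schema is not visible here to confirm.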
@@ -168,12 +167,7 @@ def create(tallySheetId, body):
     tally_sheet = TallySheet.get_by_id(tallySheetId=tallySheetId)
 
     # validate user inputs to prevent XSS attacks
-    input_is_valid, error_message = validate_tally_sheet_version_request_content_special_characters(request_body.get("content"))
-    if not input_is_valid:
-        raise ForbiddenException(
-            message="Invalid input detected. Use of disallowed characters/invalid input length detected. " + error_message,
-            code=MESSAGE_CODE_INVALID_INPUT
-        )
+    validate_tally_sheet_version_request_content_special_characters(request_body.get("content"))
 
     if tally_sheet is None:
         raise NotFoundException(
diff --git a/results-tabulation-api/util/__init__.py b/results-tabulation-api/util/__init__.py
index 5327939f..db048e22 100644
--- a/results-tabulation-api/util/__init__.py
+++ b/results-tabulation-api/util/__init__.py
@@ -6,6 +6,8 @@
 from sqlalchemy import func
 import base64
 import numpy as np
+from exception import ForbiddenException
+from exception.messages import MESSAGE_CODE_INVALID_INPUT
 
 
 class RequestBody:
@@ -162,8 +164,12 @@ def validate_tally_sheet_version_request_content_special_characters(content_arra
     invalid_strings = ["'", "\"", "<", ">", "=", ",", ";"]
     for array_item in content_array:
         if "strValue" in array_item:
-            text_value = str(array_item["strValue"])
-            for char in invalid_strings:
-                if char in text_value or len(text_value) > 500:
-                    return False, char + " included in " + text_value
-    return True, ""
+            if array_item["strValue"] is not None:
+                text_value = str(array_item["strValue"])
+                for char in invalid_strings:
+                    if char in text_value or len(text_value) > 500:
+                        raise ForbiddenException(
+                            message="Invalid input detected. Use of disallowed characters/invalid input length detected. " + char + " included in " + text_value,
+                            code=MESSAGE_CODE_INVALID_INPUT
+                        )
+    return True

From 60e57f92d901e080d1f849772c97297c884af6fd Mon Sep 17 00:00:00 2001
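Review bot: The bare call `validate_tally_sheet_version_request_content_special_characters(request_body.get("content"))` passes `None` through whenever the body has no `content` key, and the callee iterates its argument immediately, so a missing key surfaces as a `TypeError` and a 500 rather than a 4xx. Unless the request schema already guarantees the key (not visible here), guard the call with `request_body.get("content") or []`, or have the validator reject a non-list explicitly. With the return value now discarded, the `True` the validator returns is dead; a short comment such as `# raises ForbiddenException on the first offending item` would make the raise-on-failure contract visible at the call site. `create` continues outside the hunk.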
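Review bot: Moving the `raise ForbiddenException(` into the util helper leaves the trailing `return True` with no reader, and it couples a utility module to the web exception layer through the new `from exception import ForbiddenException` in this file's first hunk; if `exception` imports anything from `util` this becomes a circular import, which I cannot confirm from here. The function also still has no docstring, and its name no longer says that it raises. I would add `"""Reject content items whose strValue contains a disallowed character or exceeds 500 characters; raises ForbiddenException on the first offending item."""` under the `def`, or keep the validator pure and leave raising to the API layer.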
From: umayanga
Date: Wed, 22 Jul 2020 17:53:09 +0530
Subject: [PATCH 3/4] merge if conditions

---
 results-tabulation-api/util/__init__.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/results-tabulation-api/util/__init__.py b/results-tabulation-api/util/__init__.py
index db048e22..c3b752c9 100644
--- a/results-tabulation-api/util/__init__.py
+++ b/results-tabulation-api/util/__init__.py
@@ -163,8 +163,7 @@ def get_sum_of_all_and_nan_otherwise(array):
 def validate_tally_sheet_version_request_content_special_characters(content_array):
     invalid_strings = ["'", "\"", "<", ">", "=", ",", ";"]
     for array_item in content_array:
-        if "strValue" in array_item:
-            if array_item["strValue"] is not None:
+        if "strValue" in array_item and array_item["strValue"] is not None:
                 text_value = str(array_item["strValue"])
                 for char in invalid_strings:
                     if char in text_value or len(text_value) > 500:

From b2befe6a0b181126cd7e3d466ee98fb4803dcd12 Mon Sep 17 00:00:00 2001
From: umayanga
Date: Wed, 22 Jul 2020 17:54:34 +0530
Subject: [PATCH 4/4] fix indentation

---
 results-tabulation-api/util/__init__.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/results-tabulation-api/util/__init__.py b/results-tabulation-api/util/__init__.py
index c3b752c9..bee6600c 100644
--- a/results-tabulation-api/util/__init__.py
+++ b/results-tabulation-api/util/__init__.py
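Review bot: The merged condition `if "strValue" in array_item and array_item["strValue"] is not None:` assumes every item in `content` is a mapping; if a client sends a plain string, `in` becomes a substring test and the subscript raises `TypeError`, which surfaces as a 500 instead of a validation rejection. Unless the request schema already enforces object items (not visible here), prefix the condition with `isinstance(array_item, dict) and`. The rest of the function body lies outside this hunk.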
@@ -164,11 +164,11 @@ def validate_tally_sheet_version_request_content_special_characters(content_arra
     invalid_strings = ["'", "\"", "<", ">", "=", ",", ";"]
     for array_item in content_array:
         if "strValue" in array_item and array_item["strValue"] is not None:
-                text_value = str(array_item["strValue"])
-                for char in invalid_strings:
-                    if char in text_value or len(text_value) > 500:
-                        raise ForbiddenException(
-                            message="Invalid input detected. Use of disallowed characters/invalid input length detected. " + char + " included in " + text_value,
-                            code=MESSAGE_CODE_INVALID_INPUT
-                        )
+            text_value = str(array_item["strValue"])
+            for char in invalid_strings:
+                if char in text_value or len(text_value) > 500:
+                    raise ForbiddenException(
+                        message="Invalid input detected. Use of disallowed characters/invalid input length detected. " + char + " included in " + text_value,
+                        code=MESSAGE_CODE_INVALID_INPUT
+                    )
     return True