fix(fastapi): sanitize PP/O parameters for package search

This definitely leaked through in more areas. We'll need to reuse
this new utility function in a few other routes in upcoming commits.

Signed-off-by: Kevin Morris <kevr@0cost.org>
Kevin Morris 2021-10-29 20:26:57 -07:00
parent 8dcdc7ff38
commit 7f4c011dc3
No known key found for this signature in database
GPG key ID: F7E46DED420788F3
3 changed files with 24 additions and 11 deletions


@ -30,8 +30,11 @@ async def packages_get(request: Request, context: Dict[str, Any],
context["q"] = dict(request.query_params)
# Per page and offset.
per_page = context["PP"] = int(request.query_params.get("PP", 50))
offset = context["O"] = int(request.query_params.get("O", 0))
offset, per_page = util.sanitize_params(
request.query_params.get("O", defaults.O),
request.query_params.get("PP", defaults.PP))
context["O"] = offset
context["PP"] = per_page
# Query search by.
search_by = context["SeB"] = request.query_params.get("SeB", "nd")
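Review bot: `context["q"]` is still filled from the raw `request.query_params` at the top of this hunk, so it keeps the original `PP` and `O` strings while `context["O"]` and `context["PP"]` hold the sanitized integers. If templates build pager links or form fields from `q` (not visible here), the two can disagree and the unparsed values are echoed back into the page. Consider writing the sanitized values back with `context["q"].update({"O": offset, "PP": per_page})`, or add a comment that `q` is raw input and must be escaped when rendered. The body of `packages_get` starts and ends outside the hunk.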


@ -7,7 +7,7 @@ import secrets
import string
from datetime import datetime
from typing import Any, Callable, Dict, Iterable
from typing import Any, Callable, Dict, Iterable, Tuple
from urllib.parse import urlencode, urlparse
from zoneinfo import ZoneInfo
@ -18,7 +18,7 @@ from jinja2 import pass_context
import aurweb.config
from aurweb import logging
from aurweb import defaults, logging
logger = logging.get_logger(__name__)
@ -155,3 +155,17 @@ def get_ssh_fingerprints():
def apply_all(iterable: Iterable, fn: Callable):
for item in iterable:
fn(item)
def sanitize_params(offset: str, per_page: str) -> Tuple[int, int]:
try:
offset = int(offset)
except ValueError:
offset = defaults.O
try:
per_page = int(per_page)
except ValueError:
per_page = defaults.PP
return (offset, per_page)
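Review bot: `sanitize_params` falls back to the defaults only when `int()` raises `ValueError`, so any string that parses as an integer is returned unchanged: a negative `O`, a zero or negative `PP`, or a very large `PP` still reaches the caller. If these values feed the query's offset and limit (not visible in this hunk), an unbounded page size is a resource-exhaustion risk. After the two `try` blocks I would clamp the range, for example `offset = max(offset, 0)` and `per_page = per_page if per_page > 0 else defaults.PP`, plus an upper bound on `per_page` taken from a configured maximum. A short docstring stating the return order (offset, per_page) and the fallback behaviour would also help, since callers pass `O` first and `PP` second.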


@ -486,15 +486,11 @@ def test_pkgbase(client: TestClient, package: Package):
def test_packages(client: TestClient, packages: List[Package]):
""" Test the / packages route with defaults.
Defaults:
50 results per page
offset of 0
"""
with client as request:
response = request.get("/packages", params={
"SeB": "X" # "X" isn't valid, defaults to "nd"
"SeB": "X", # "X" isn't valid, defaults to "nd"
"PP": "1 or 1",
"O": "0 or 0"
})
assert response.status_code == int(HTTPStatus.OK)
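Review bot: The new `PP` and `O` values exercise the fallback path, but the only assertion shown is the 200 status, so the test would still pass if the malformed values were handled some other way than by falling back to the defaults. A direct unit test would pin the behaviour: `assert util.sanitize_params("0 or 0", "1 or 1") == (defaults.O, defaults.PP)`. Cases for negative and very large integers would also document what the route is expected to do with them. The test body may continue past the last line shown.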