From 61b979f0d7783c1287935d2801db7986e6602621 Mon Sep 17 00:00:00 2001
From: asherpasha
Date: Tue, 28 Jan 2025 16:43:30 -0500
Subject: [PATCH 1/2] Input validation - fastpheno.
---
 api/resources/fastpheno.py | 16 +++++++++++++++
 requirements.txt | 8 ++++----
 tests/resources/test_fastpheno.py | 34 ++++++++++++++++++++++++++++++-
 3 files changed, 53 insertions(+), 5 deletions(-)
diff --git a/api/resources/fastpheno.py b/api/resources/fastpheno.py
index 7a9b892..ca576b4 100644
--- a/api/resources/fastpheno.py
+++ b/api/resources/fastpheno.py
@@ -4,6 +4,8 @@ Fastpheno endpoint for retrieving tree data
 """
+import re
+
 from flask_restx import Namespace, Resource
 from api import db
 from api.models.fastpheno import Sites, Trees, Band, Height
@@ -26,6 +28,16 @@ def get(self, site, month, band):
 month = escape(month)
 band = escape(band)
+ # Validate input
+ if not re.search(r"^[a-z]{1,15}$", site, re.I):
+ return BARUtils.error_exit("Invalid site name"), 400
+
+ if not re.search(r"^[a-z]{1,4}$", month, re.I):
+ return BARUtils.error_exit("Invalid month"), 400
+
+ if not re.search(r"^band_\d{1,8}$", band, re.I):
+ return BARUtils.error_exit("Invalid band"), 400
+
 rows = db.session.execute(
 db.select(Sites, Trees, Height, Band)
 .select_from(Sites)
@@ -67,6 +79,10 @@ def get(self, genotype_id):
 # Escape input data
 genotype_id = escape(genotype_id).capitalize()
+ # Validate input
+ if not re.search(r"^[a-z]{1,3}$", genotype_id, re.I):
+ return BARUtils.error_exit("Invalid genotype id"), 400
+
 rows = db.session.execute(
 db.select(Sites, Trees)
 .select_from(Sites)
diff --git a/requirements.txt b/requirements.txt
index 47c9271..89df3f3 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,6 +1,6 @@
 aniso8601==10.0.0
 async-timeout==5.0.1
-attrs==24.3.0
+attrs==25.1.0
 black==24.10.0
 blinker==1.9.0
 cachelib==0.9.0
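Review bot: The new `re.search(r"^...$", ...)` checks in `get(self, site, month, band)` still accept a value that ends in a newline, because `$` matches before a trailing `\n` and Flask's default path converter only excludes `/`, so a segment whose decoded value is e.g. `feb` plus a newline passes the month check and reaches the query below (a parameterised SQLAlchemy select as far as the visible lines show, so the effect is a weaker gate rather than injection). The exact-match form is `re.fullmatch` with the anchors dropped, e.g. `if not re.fullmatch(r"[a-z]{1,4}", month, re.I):`; the same applies to the site and band checks in this hunk and to the genotype_id check in the following hunk. Since the patterns admit only letters, digits and underscore, the preceding `escape()` calls can no longer alter an accepted value, which is worth stating in the `# Validate input` comment so the ordering (escape, then validate) is not read as the defence. The enclosing `get` starts outside the hunk and the `escape` import is not visible here.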
@@ -8,7 +8,7 @@ certifi==2024.12.14
 charset-normalizer==3.4.1
 click==8.1.8
 coverage==7.6.10
-Deprecated==1.2.15
+Deprecated==1.2.18
 flake8==7.1.1
 Flask==3.1.0
 Flask-Caching==2.3.0
@@ -28,7 +28,7 @@ jsonschema-specifications==2024.10.1
 limits==4.0.1
 markdown-it-py==3.0.0
 MarkupSafe==3.0.2
-marshmallow==3.25.1
+marshmallow==3.26.0
 mccabe==0.7.0
 mdurl==0.1.2
 mypy-extensions==1.0.0
@@ -46,7 +46,7 @@ pytest==8.3.4
 python-dateutil==2.9.0.post0
 pytz==2024.2
 redis==5.2.1
-referencing==0.36.1
+referencing==0.36.2
 requests==2.32.3
 rich==13.9.4
 rpds-py==0.22.3
diff --git a/tests/resources/test_fastpheno.py b/tests/resources/test_fastpheno.py
index 85a23c1..e61bc97 100644
--- a/tests/resources/test_fastpheno.py
+++ b/tests/resources/test_fastpheno.py
@@ -52,6 +52,30 @@ def test_bands(self):
 }
 self.assertEqual(response.json, expected)
+ # Invalid site
+ response = self.app_client.get("/fastpheno/get_bands/12345/feb/band_1")
+ expected = {
+ "wasSuccessful": False,
+ "error": "Invalid site name",
+ }
+ self.assertEqual(response.json, expected)
+
+ # Invalid month
+ response = self.app_client.get("/fastpheno/get_bands/pintendre/1234/band_1")
+ expected = {
+ "wasSuccessful": False,
+ "error": "Invalid month",
+ }
+ self.assertEqual(response.json, expected)
+
+ # Invalid band
+ response = self.app_client.get("/fastpheno/get_bands/NOTASITE/feb/band_x")
+ expected = {
+ "wasSuccessful": False,
+ "error": "Invalid band",
+ }
+ self.assertEqual(response.json, expected)
+
 def test_site_genotype_ids(self):
 """This function checks GET request for fastpheno sites for genotype_ids
 :return:
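Review bot: The three new negative cases in `test_bands` assert only the JSON body, so a regression that returned the error payload with a 200 would still pass even though the endpoint now returns `, 400`; after each `self.assertEqual(response.json, expected)` add `self.assertEqual(response.status_code, 400)`. The same applies to the `# Invalid data` case in the `test_site_genotype_ids` hunk that follows. The `test_bands` method starts outside the hunk.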
@@ -92,9 +116,17 @@ def test_site_genotype_ids(self):
 self.assertEqual(response.json, expected)
 # Not working version
-response = self.app_client.get("/fastpheno/get_trees/NOTAGENOTYPE")
+response = self.app_client.get("/fastpheno/get_trees/Z")
 expected = {
 "wasSuccessful": False,
 "error": "There are no data found for the given parameters",
 }
 self.assertEqual(response.json, expected)
+
+ # Invalid data
+ response = self.app_client.get("/fastpheno/get_trees/NOTVALID")
+ expected = {
+ "wasSuccessful": False,
+ "error": "Invalid genotype id",
+ }
+ self.assertEqual(response.json, expected)
From 9f4e89b66f73c9f389a39798088d061c85945910 Mon Sep 17 00:00:00 2001
From: asherpasha
Date: Sat, 8 Feb 2025 10:25:25 -0500
Subject: [PATCH 2/2] Updated dep.
---
 requirements.txt | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/requirements.txt b/requirements.txt
index 89df3f3..2657891 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,10 +1,10 @@
 aniso8601==10.0.0
 async-timeout==5.0.1
 attrs==25.1.0
-black==24.10.0
+black==25.1.0
 blinker==1.9.0
 cachelib==0.9.0
-certifi==2024.12.14
+certifi==2025.1.31
 charset-normalizer==3.4.1
 click==8.1.8
 coverage==7.6.10
@@ -28,7 +28,7 @@ jsonschema-specifications==2024.10.1
 limits==4.0.1
 markdown-it-py==3.0.0
 MarkupSafe==3.0.2
-marshmallow==3.26.0
+marshmallow==3.26.1
 mccabe==0.7.0
 mdurl==0.1.2
 mypy-extensions==1.0.0
@@ -44,7 +44,7 @@ Pygments==2.19.1
 pyrsistent==0.20.0
 pytest==8.3.4
 python-dateutil==2.9.0.post0
-pytz==2024.2
+pytz==2025.1
 redis==5.2.1
 referencing==0.36.2
 requests==2.32.3
@@ -52,7 +52,7 @@ rich==13.9.4
 rpds-py==0.22.3
 setuptools==75.8.0
 six==1.17.0
-SQLAlchemy==2.0.37
+SQLAlchemy==2.0.38
 typing_extensions==4.12.2
 urllib3==2.3.0
 Werkzeug==3.1.3