server/posts: add more safety checks for notes

2016-08-13 23:39:03 +02:00 · 2016-08-13 23:39:03 +02:00 · bb86e9bf56
parent 7cd4a1a530
commit bb86e9bf56
2 changed files with 16 additions and 5 deletions
--- a/server/szurubooru/func/posts.py
+++ b/server/szurubooru/func/posts.py
@ -281,10 +281,16 @@ def update_post_notes(post, notes):
                raise InvalidPostNoteError('Note is missing %r field.' % field)
        if not note['text']:
            raise InvalidPostNoteError('A note\'s text cannot be empty.')
+        if not isinstance(note['polygon'], (list, tuple)):
+            raise InvalidPostNoteError(
+                'A note\'s polygon must be a list of points.')
        if len(note['polygon']) < 3:
            raise InvalidPostNoteError(
                'A note\'s polygon must have at least 3 points.')
        for point in note['polygon']:
+            if not isinstance(point, (list, tuple)):
+                raise InvalidPostNoteError(
+                    'A note\'s polygon point must be a list of length 2.')
            if len(point) != 2:
                raise InvalidPostNoteError(
                    'A point in note\'s polygon must have two coordinates.')
@ -294,16 +300,13 @@ def update_post_notes(post, notes):
                if not 0 <= pos_x <= 1 or not 0 <= pos_y <= 1:
                    raise InvalidPostNoteError(
                        'All points must fit in the image (0..1 range).')
-            except KeyError:
-                raise InvalidPostNoteError(
-                    'Expected array of length 2.')
            except ValueError:
                raise InvalidPostNoteError(
                    'A point in note\'s polygon must be numeric.')
        if util.value_exceeds_column_size(note['text'], db.PostNote.text):
            raise InvalidPostNoteError('Note text is too long.')
        post.notes.append(
-            db.PostNote(polygon=note['polygon'], text=note['text']))
+            db.PostNote(polygon=note['polygon'], text=str(note['text'])))

 def update_post_flags(post, flags):
    target_flags = []
--- a/server/szurubooru/tests/func/test_posts.py
+++ b/server/szurubooru/tests/func/test_posts.py
@ -433,14 +433,22 @@ def test_update_post_notes():
    assert post.notes[1].text == 'text2'

@pytest.mark.parametrize('input', [
+    [{'text': '...'}],
+    [{'polygon': None, 'text': '...'}],
+    [{'polygon': 'trash', 'text': '...'}],
+    [{'polygon': ['trash', 'trash', 'trash'], 'text': '...'}],
+    [{'polygon': {2: 'trash', 3: 'trash', 4: 'trash'}, 'text': '...'}],
    [{'polygon': [[0, 0]], 'text': '...'}],
+    [{'polygon': [[0, 0], [0, 0], None], 'text': '...'}],
+    [{'polygon': [[0, 0], [0, 0], 'surprise'], 'text': '...'}],
+    [{'polygon': [[0, 0], [0, 0], {2: 'trash', 3: 'trash'}], 'text': '...'}],
+    [{'polygon': [[0, 0], [0, 0], 5], 'text': '...'}],
    [{'polygon': [[0, 0], [0, 0], [0, 2]], 'text': '...'}],
    [{'polygon': [[0, 0], [0, 0], [0, '...']], 'text': '...'}],
    [{'polygon': [[0, 0], [0, 0], [0, 0, 0]], 'text': '...'}],
    [{'polygon': [[0, 0], [0, 0], [0]], 'text': '...'}],
    [{'polygon': [[0, 0], [0, 0], [0, 1]], 'text': ''}],
    [{'polygon': [[0, 0], [0, 0], [0, 1]], 'text': None}],
-    [{'text': '...'}],
    [{'polygon': [[0, 0], [0, 0], [0, 1]]}],
 ])
 def test_update_post_invalid_notes(input):