From e725f4f99c3d1100ec583706b9c9482271c28532 Mon Sep 17 00:00:00 2001
From: rr-
Date: Sun, 5 Feb 2017 16:08:46 +0100
Subject: [PATCH] server/api: extra validation of list fields

---
 server/szurubooru/api/post_api.py | 14 ++++++++------
 server/szurubooru/api/tag_api.py | 12 ++++++------
 server/szurubooru/rest/context.py | 22 ++++++++++++++++++++++
 3 files changed, 36 insertions(+), 12 deletions(-)

diff --git a/server/szurubooru/api/post_api.py b/server/szurubooru/api/post_api.py
index 6c76688..4b364ec 100644
--- a/server/szurubooru/api/post_api.py
+++ b/server/szurubooru/api/post_api.py
@@ -47,14 +47,14 @@ def create_post(
     else:
         auth.verify_privilege(ctx.user, 'posts:create:identified')
     content = ctx.get_file('content')
-    tag_names = ctx.get_param_as_list('tags', default=[])
+    tag_names = ctx.get_param_as_string_list('tags', default=[])
     safety = ctx.get_param_as_string('safety')
     source = ctx.get_param_as_string('source', default='')
     if ctx.has_param('contentUrl') and not source:
         source = ctx.get_param_as_string('contentUrl', default='')
-    relations = ctx.get_param_as_list('relations', default=[])
+    relations = ctx.get_param_as_int_list('relations', default=[])
     notes = ctx.get_param_as_list('notes', default=[])
-    flags = ctx.get_param_as_list('flags', default=[])
+    flags = ctx.get_param_as_string_list('flags', default=[])
     post, new_tags = posts.create_post(
         content, tag_names, None if anonymous else ctx.user)
@@ -94,7 +94,8 @@ def update_post(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
         posts.update_post_content(post, ctx.get_file('content'))
     if ctx.has_param('tags'):
         auth.verify_privilege(ctx.user, 'posts:edit:tags')
-        new_tags = posts.update_post_tags(post, ctx.get_param_as_list('tags'))
+        new_tags = posts.update_post_tags(
+            post, ctx.get_param_as_string_list('tags'))
         if len(new_tags):
             auth.verify_privilege(ctx.user, 'tags:create')
             db.session.flush()
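Review bot: `notes` on the line between the relations and flags changes is the only list field in create_post still read through the untyped `get_param_as_list('notes', default=[])`, so its elements reach the posts layer with no per-element check while tags, relations and flags now get one; the same applies to `update_post_notes` in the @@ -110 hunk of this file. I cannot tell from the hunk what a note element is expected to be (presumably a dict with a polygon and text), so either a matching typed accessor or a comment such as `# note entries are validated in posts.update_post_notes` would make the omission deliberate rather than accidental. create_post's body starts and ends outside the hunk.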
@@ -110,13 +111,14 @@ def update_post(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
         posts.update_post_source(post, ctx.get_param_as_string('contentUrl'))
     if ctx.has_param('relations'):
         auth.verify_privilege(ctx.user, 'posts:edit:relations')
-        posts.update_post_relations(post, ctx.get_param_as_list('relations'))
+        posts.update_post_relations(
+            post, ctx.get_param_as_int_list('relations'))
     if ctx.has_param('notes'):
         auth.verify_privilege(ctx.user, 'posts:edit:notes')
         posts.update_post_notes(post, ctx.get_param_as_list('notes'))
     if ctx.has_param('flags'):
         auth.verify_privilege(ctx.user, 'posts:edit:flags')
-        posts.update_post_flags(post, ctx.get_param_as_list('flags'))
+        posts.update_post_flags(post, ctx.get_param_as_string_list('flags'))
     if ctx.has_file('thumbnail'):
         auth.verify_privilege(ctx.user, 'posts:edit:thumbnail')
         posts.update_post_thumbnail(post, ctx.get_file('thumbnail'))
diff --git a/server/szurubooru/api/tag_api.py b/server/szurubooru/api/tag_api.py
index 7a379b3..8e1afbd 100644
--- a/server/szurubooru/api/tag_api.py
+++ b/server/szurubooru/api/tag_api.py
@@ -38,11 +38,11 @@ def get_tags(ctx: rest.Context, _params: Dict[str, str]={}) -> rest.Response:
 def create_tag(ctx: rest.Context, _params: Dict[str, str]={}) -> rest.Response:
     auth.verify_privilege(ctx.user, 'tags:create')
-    names = ctx.get_param_as_list('names')
+    names = ctx.get_param_as_string_list('names')
     category = ctx.get_param_as_string('category')
     description = ctx.get_param_as_string('description', default='')
-    suggestions = ctx.get_param_as_list('suggestions', default=[])
-    implications = ctx.get_param_as_list('implications', default=[])
+    suggestions = ctx.get_param_as_string_list('suggestions', default=[])
+    implications = ctx.get_param_as_string_list('implications', default=[])
     _create_if_needed(suggestions, ctx.user)
     _create_if_needed(implications, ctx.user)
@@ -71,7 +71,7 @@ def update_tag(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     versions.bump_version(tag)
     if ctx.has_param('names'):
         auth.verify_privilege(ctx.user, 'tags:edit:names')
-        tags.update_tag_names(tag, ctx.get_param_as_list('names'))
+        tags.update_tag_names(tag, ctx.get_param_as_string_list('names'))
     if ctx.has_param('category'):
         auth.verify_privilege(ctx.user, 'tags:edit:category')
         tags.update_tag_category_name(
@@ -82,12 +82,12 @@ def update_tag(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
             tag, ctx.get_param_as_string('description'))
     if ctx.has_param('suggestions'):
         auth.verify_privilege(ctx.user, 'tags:edit:suggestions')
-        suggestions = ctx.get_param_as_list('suggestions')
+        suggestions = ctx.get_param_as_string_list('suggestions')
         _create_if_needed(suggestions, ctx.user)
         tags.update_tag_suggestions(tag, suggestions)
     if ctx.has_param('implications'):
         auth.verify_privilege(ctx.user, 'tags:edit:implications')
-        implications = ctx.get_param_as_list('implications')
+        implications = ctx.get_param_as_string_list('implications')
         _create_if_needed(implications, ctx.user)
         tags.update_tag_implications(tag, implications)
     tag.last_edit_time = datetime.utcnow()
diff --git a/server/szurubooru/rest/context.py b/server/szurubooru/rest/context.py
index bb33bfa..0f618ad 100644
--- a/server/szurubooru/rest/context.py
+++ b/server/szurubooru/rest/context.py
@@ -86,6 +86,28 @@ class Context:
             raise errors.InvalidParameterError(
                 'Parameter %r must be a list.' % name)
+    def get_param_as_int_list(
+            self,
+            name: str,
+            default: Union[object, List[int]]=MISSING) -> List[int]:
+        ret = self.get_param_as_list(name, default)
+        for item in ret:
+            if type(item) is not int:
+                raise errors.InvalidParameterError(
+                    'Parameter %r must be a list of integer values.' % name)
+        return ret
+
+    def get_param_as_string_list(
+            self,
+            name: str,
+            default: Union[object, List[str]]=MISSING) -> List[str]:
+        ret = self.get_param_as_list(name, default)
+        for item in ret:
+            if type(item) is not str:
+                raise errors.InvalidParameterError(
+                    'Parameter %r must be a list of string values.' % name)
+        return ret
+
     def get_param_as_string(
             self,
             name: str,
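Review bot: get_param_as_int_list and get_param_as_string_list are the same ten lines apart from the checked type and one word in the message, and neither carries a docstring; a private typed-list helper taking the type and its description keeps a single copy of the loop and gives one place to document why the check is `type(item) is not X` rather than isinstance — which, presumably on purpose, also rejects `bool` for the int case, since bool subclasses int and a JSON true/false would otherwise pass as an id. The public signatures and both error strings stay exactly as the commit has them. The enclosing Context class continues outside the hunk.
```python
    def _get_param_as_typed_list(
            self,
            name: str,
            item_type: type,
            type_desc: str,
            default: object=MISSING) -> list:
        """Read list parameter *name* and require every element to be exactly *item_type*.

        Raises InvalidParameterError (via get_param_as_list or here) when the
        parameter is not a list or any element has a different type.
        """
        ret = self.get_param_as_list(name, default)
        for item in ret:
            # type() rather than isinstance(): bool subclasses int, so a JSON
            # true/false must not be accepted where an integer id is expected.
            if type(item) is not item_type:
                raise errors.InvalidParameterError(
                    'Parameter %r must be a list of %s values.'
                    % (name, type_desc))
        return ret

    def get_param_as_int_list(
            self,
            name: str,
            default: Union[object, List[int]]=MISSING) -> List[int]:
        """Return parameter *name* as a list whose elements are all int."""
        return self._get_param_as_typed_list(name, int, 'integer', default)

    def get_param_as_string_list(
            self,
            name: str,
            default: Union[object, List[str]]=MISSING) -> List[str]:
        """Return parameter *name* as a list whose elements are all str."""
        return self._get_param_as_typed_list(name, str, 'string', default)
```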