Patchwork [bitbake-devel,38/94] bitbake: webhob: validate inputs for build api

Submitter Alexandru DAMIAN
Date Sept. 24, 2013, 4:52 p.m.
Message ID <58cab4377ea911bcd7eeeb38132e962f481972db.1380041477.git.alexandru.damian@intel.com>
Permalink /patch/58845/
State New

Comments

Alexandru DAMIAN - Sept. 24, 2013, 4:52 p.m.
From: Calin Dragomir <calinx.l.dragomir@intel.com>

This patch validates the inputs for the build api
by checking the following:
- have only one colon;
- have equal number of terms on both sides of the colon;
- left side terms must be part of the Django model fields.

Signed-off-by: Calin Dragomir <calinx.l.dragomir@intel.com>
Signed-off-by: Alexandru DAMIAN <alexandru.damian@intel.com>
---
 bitbake/lib/webhob/bldviewer/views.py | 33 ++++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)

Patch

diff --git a/bitbake/lib/webhob/bldviewer/views.py b/bitbake/lib/webhob/bldviewer/views.py
index 71e95b4..a71aebc 100644
--- a/bitbake/lib/webhob/bldviewer/views.py
+++ b/bitbake/lib/webhob/bldviewer/views.py
@@ -52,7 +52,7 @@  def layer_versions_recipes(request, layerversion_id):
 
 import json
 from django.core import serializers
-from django.http import HttpResponse
+from django.http import HttpResponse, HttpResponseBadRequest
 
 
 def builds(request):
@@ -69,8 +69,13 @@  def builds(request):
     except ValueError:
         offset = 0
 
-    ordering_string = request.GET.get('orderby', '')
-    filter_string = request.GET.get('filter', '')
+    ordering_string, invalid = _validate_input(request.GET.get('orderby', ''))
+    if invalid:
+        return HttpResponseBadRequest()
+
+    filter_string, invalid = _validate_input(request.GET.get('filter', ''))
+    if invalid:
+        return HttpResponseBadRequest()
 
     if filter_string:
         filter_terms = _get_filtering_terms(filter_string)
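Review bot: the same `_validate_input` is applied to both `orderby` and `filter` at `ordering_string, invalid = _validate_input(request.GET.get('orderby', ''))` and `filter_string, invalid = _validate_input(request.GET.get('filter', ''))`, and the validator (next hunk) requires the `fields:values` shape that `_get_filtering_terms` consumes; nothing in the diff shows that `orderby` uses that same shape, so either confirm it does or give ordering its own check. Also, `HttpResponseBadRequest()` is returned with an empty body, so a client gets no indication of which parameter was rejected or why; a short message such as `HttpResponseBadRequest("invalid filter")` would make the 400 actionable. Since `_validate_input` always hands back the input unchanged as the first tuple element, it is an accept/reject check rather than a sanitiser, which is worth stating in a docstring so nobody later assumes the returned string has been cleaned.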
@@ -111,3 +116,25 @@  def _get_filtering_terms(filter_string):
     values = search_terms[1].split(',')
 
     return dict(zip(keys, values))
+
+def _validate_input(input):
+    invalid = 0
+
+    if input:
+        input_list = input.split(":")
+
+        # Check we have only one colon
+        if len(input.split(":")) != 2:
+            invalid = 1
+
+        # Check we have an equal number of terms both sides of the colon
+        if len(input_list[0].split(',')) != len(input_list[1].split(',')):
+            invalid = 1
+
+        # Check we are looking for a valid field
+        valid_fields = Build._meta.get_all_field_names()
+        for field in input_list[0].split(','):
+            if field not in valid_fields:
+                invalid = 1
+
+    return input, invalid
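Review bot: the one-colon check at `if len(input.split(":")) != 2:` sets `invalid = 1` but does not return, so an input with no colon at all (for example `orderby=machine`) leaves `input_list` with a single element and the very next check, `len(input_list[1].split(','))`, raises IndexError, turning a malformed request into a 500 instead of the intended 400; return immediately when `len(input_list) != 2` (the split is already in `input_list`, so the second `input.split(":")` is redundant as well). Minor points: `input` shadows the builtin, `invalid` reads more naturally as a bool, and `Build._meta.get_all_field_names()` is used but no import of `Build` is visible in the diff, so confirm the module already imports it.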
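The three checks the commit message lists, written out as a stand-alone validator that returns early on a malformed string so an input without a colon never reaches the second term-count check. This is an added example, not the patch's code or part of bitbake: it has no Django dependency, `VALID_FIELDS` is a constructed stand-in for `Build._meta.get_all_field_names()`, and the returned reason string (which the patch does not have) is what a view would put in the 400 body.

```python
"""Validator for `fields:values` query strings (added example, not the patch's code).

Applies the same three rules as the patch's _validate_input, but returns as
soon as a rule fails and reports why, so a string without a colon is rejected
cleanly instead of raising IndexError on input_list[1].
"""

# Constructed stand-in for Build._meta.get_all_field_names(); the real field
# list comes from the Django model and is not shown in the patch.
VALID_FIELDS = frozenset(
    {"id", "machine", "distro", "started_on", "completed_on", "outcome"}
)


def validate_input(value, valid_fields=VALID_FIELDS):
    """Return (value, error); error is None when the string is acceptable.

    Accepted shape: "field1,field2:value1,value2" or the empty string.
    The string is never modified, only accepted or rejected.
    """
    if not value:
        return value, None

    parts = value.split(":")
    # Check 1: exactly one colon. Return early so later checks can safely
    # index parts[1].
    if len(parts) != 2:
        return value, "expected exactly one ':' separating fields from values"

    keys = parts[0].split(",")
    values = parts[1].split(",")
    # Check 2: equal number of terms on both sides of the colon.
    if len(keys) != len(values):
        return value, "field and value counts differ (%d vs %d)" % (
            len(keys), len(values))

    # Check 3: every left-hand term must be a known model field.
    unknown = [k for k in keys if k not in valid_fields]
    if unknown:
        return value, "unknown field(s): %s" % ", ".join(unknown)

    return value, None


def filtering_terms(value, valid_fields=VALID_FIELDS):
    """Validate, then build the {field: value} dict a view would filter on.

    Raises ValueError carrying the reason; a Django view would map that to
    HttpResponseBadRequest(str(exc)) instead of the patch's empty 400.
    """
    _, error = validate_input(value, valid_fields)
    if error:
        raise ValueError(error)
    if not value:
        return {}
    keys, values = (part.split(",") for part in value.split(":"))
    return dict(zip(keys, values))


if __name__ == "__main__":
    for sample in ("machine:qemux86", "machine", "machine:a:b",
                   "machine,distro:qemux86", "bogus:1"):
        print(repr(sample), "->", validate_input(sample)[1])
```

The early returns are the substantive difference from the patch: each rule either passes or produces a reason, and no rule is evaluated on a string that an earlier rule already found malformed.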