From b0a778a462a8ccb9d03cd651b5d3980fa3c369b1 Mon Sep 17 00:00:00 2001
From: Marco Enrico Piras
Date: Wed, 22 Nov 2023 10:31:11 +0100
Subject: [PATCH 1/3] fix: safe deserialisation of user-controlled data
---
 lifemonitor/schemas/controller.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/lifemonitor/schemas/controller.py b/lifemonitor/schemas/controller.py
index c120416b7..f7b78b2d2 100644
--- a/lifemonitor/schemas/controller.py
+++ b/lifemonitor/schemas/controller.py
@@ -23,12 +23,11 @@ def validate():
 data = None
 logger.debug("Request: data", request.data)
 try:
- data = yaml.unsafe_load(request.data)
+ data = yaml.safe_load(request.data)
 except yaml.parser.ParserError:
- data = json.loads(request.data.decode())
- logger.debug("JSON data: %r", data)
+ data = json.loads(request.data.decode())
 finally:
 if not data:
 raise BadRequestException(title="Invalid file format", detail="It should be a JSON or YAML file")
- logger.debug("Data: %r", data)
+ logger.debug("JSON data to validate: %r", data)
 return ConfigFileValidator.validate(data).to_dict()
From fbdd9242ec9d928f37d370a4e7c308d52a36c297 Mon Sep 17 00:00:00 2001
From: Marco Enrico Piras
Date: Wed, 22 Nov 2023 10:34:00 +0100
Subject: [PATCH 2/3] style: fix trailing whitespaces
---
 lifemonitor/schemas/controller.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lifemonitor/schemas/controller.py b/lifemonitor/schemas/controller.py
index f7b78b2d2..937ebaa51 100644
--- a/lifemonitor/schemas/controller.py
+++ b/lifemonitor/schemas/controller.py
@@ -25,7 +25,7 @@ def validate():
 try:
 data = yaml.safe_load(request.data)
 except yaml.parser.ParserError:
- data = json.loads(request.data.decode())
+ data = json.loads(request.data.decode())
 finally:
 if not data:
 raise BadRequestException(title="Invalid file format", detail="It should be a JSON or YAML file")
From 0ef6cfe47313c3ce39e02d21a5072fc643e6f333 Mon Sep 17 00:00:00 2001
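Review bot: The fallback branch still catches only `yaml.parser.ParserError`, so the errors that `safe_load` now raises for exactly the inputs this commit is meant to reject — a `yaml.constructor.ConstructorError` for a tag `safe_load` refuses to construct, a `yaml.scanner.ScannerError` for a malformed token, a `yaml.reader.ReaderError` for a body that is not valid UTF-8 — bypass both the JSON fallback and the "Invalid file format" response and surface as unhandled server errors. All of these derive from one base class, so the catch should read `except yaml.YAMLError:`. The same narrow catch reappears in the third patch of this series as `except (yaml.parser.ParserError, ValueError):` and needs the same widening there. The `json.JSONDecodeError` that can escape from inside the except branch, and the `raise BadRequestException(...)` placed in `finally:` (which replaces whatever exception is already propagating), are reworked by the third patch and are not repeated here.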
From: Marco Enrico Piras
Date: Wed, 22 Nov 2023 11:19:16 +0100
Subject: [PATCH 3/3] refactor: clarify function implementation
---
 lifemonitor/schemas/controller.py | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/lifemonitor/schemas/controller.py b/lifemonitor/schemas/controller.py
index 937ebaa51..54e2ef142 100644
--- a/lifemonitor/schemas/controller.py
+++ b/lifemonitor/schemas/controller.py
@@ -20,14 +20,27 @@ def lifemonitor_json():
 def validate():
- data = None
- logger.debug("Request: data", request.data)
+ '''
+ Validates the data in the request body against the lifemonitor.json schema
+ :return: a JSON representation of the validation result
+
+ :raises BadRequestException: if the data in the request body is not valid
+ :raises ValidationError: if the data in the request body is not valid
+ '''
+ logger.debug("Request data: %r", request.data)
+ # Try to parse the data as YAML
 try:
 data = yaml.safe_load(request.data)
- except yaml.parser.ParserError:
- data = json.loads(request.data.decode())
- finally:
- if not data:
+ if data is None:
+ raise ValueError("Data is None after YAML parsing")
+ except (yaml.parser.ParserError, ValueError):
+ try:
+ data = json.loads(request.data.decode())
+ except json.JSONDecodeError:
 raise BadRequestException(title="Invalid file format", detail="It should be a JSON or YAML file")
+ # Check if the data is empty
+ if not data:
+ raise BadRequestException(title="Invalid file format", detail="It should be a JSON or YAML file")
 logger.debug("JSON data to validate: %r", data)
+ # Validate the data
 return ConfigFileValidator.validate(data).to_dict()
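Review bot: The `raise ValueError("Data is None after YAML parsing")` inside the `try` exists only to route an empty YAML document into the JSON fallback, and the `except (yaml.parser.ParserError, ValueError)` that catches it also swallows any other `ValueError` raised on that line; testing `data is None` after the `try` expresses the same intent without a sentinel exception, as sketched below (the sketch also widens the catch to the `yaml.YAMLError` base and handles the `UnicodeDecodeError` from `request.data.decode()`, since a body that is not valid UTF-8 otherwise escapes as a server error). The `raise BadRequestException(...)` inside `except json.JSONDecodeError:` should chain with `from err` so the JSON error stays in the traceback instead of being reported as occurring "during handling" of the sentinel. In the docstring both `:raises` entries carry the same wording: `BadRequestException` is raised when the body is not parseable as JSON or YAML or is empty, while the `ValidationError` entry cannot be confirmed from this hunk because `ConfigFileValidator.validate` is defined elsewhere and should be checked against it; PEP 257 also prefers `"""` to `'''` for docstrings. Finally, `logger.debug("Request data: %r", request.data)` writes the complete raw request body to the log — if the submitted config files can carry tokens or other secrets, log the body length or a truncated prefix rather than the full content.
```python
def validate():
    # … unchanged: docstring, request-data debug log …
    # Try YAML first; most JSON bodies already parse as YAML, so the JSON fallback covers the edge cases
    try:
        data = yaml.safe_load(request.data)
    except yaml.YAMLError:
        data = None
    if data is None:
        # Either YAML failed or the document was empty: fall back to the JSON parser
        try:
            data = json.loads(request.data.decode())
        except (UnicodeDecodeError, json.JSONDecodeError) as err:
            raise BadRequestException(title="Invalid file format", detail="It should be a JSON or YAML file") from err
    # … unchanged: empty-data check, debug log, ConfigFileValidator call …
```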