[bitbake-devel] [PATCH 38/94] bitbake: webhob: validate inputs for build api
Alex DAMIAN
alexandru.damian at intel.com
Tue Sep 24 16:52:07 UTC 2013
From: Calin Dragomir <calinx.l.dragomir at intel.com>
This patch validates the inputs for the build api
by checking the following:
- have only one colon;
- have equal number of terms on both sides of the colon;
- left side terms must be part of the Django model fields.
Signed-off-by: Calin Dragomir <calinx.l.dragomir at intel.com>
Signed-off-by: Alexandru DAMIAN <alexandru.damian at intel.com>
---
bitbake/lib/webhob/bldviewer/views.py | 33 ++++++++++++++++++++++++++++++---
1 file changed, 30 insertions(+), 3 deletions(-)
diff --git a/bitbake/lib/webhob/bldviewer/views.py b/bitbake/lib/webhob/bldviewer/views.py
index 71e95b4..a71aebc 100644
--- a/bitbake/lib/webhob/bldviewer/views.py
+++ b/bitbake/lib/webhob/bldviewer/views.py
@@ -52,7 +52,7 @@ def layer_versions_recipes(request, layerversion_id):
import json
from django.core import serializers
-from django.http import HttpResponse
+from django.http import HttpResponse, HttpResponseBadRequest
def builds(request):
@@ -69,8 +69,13 @@ def builds(request):
except ValueError:
offset = 0
- ordering_string = request.GET.get('orderby', '')
- filter_string = request.GET.get('filter', '')
+ ordering_string, invalid = _validate_input(request.GET.get('orderby', ''))
+ if invalid:
+ return HttpResponseBadRequest()
+
+ filter_string, invalid = _validate_input(request.GET.get('filter', ''))
+ if invalid:
+ return HttpResponseBadRequest()
if filter_string:
filter_terms = _get_filtering_terms(filter_string)
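Review bot: Both `HttpResponseBadRequest()` calls return an empty 400 body, so a client cannot tell which of the two parameters was rejected or why; passing a short reason, e.g. `return HttpResponseBadRequest("invalid orderby parameter")` and the equivalent for `filter`, costs nothing and makes the rejection self-explanatory in client output and server logs. Reusing the `invalid` name across the two checks is fine since each value is tested immediately after it is bound. builds() starts and ends outside this hunk.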
@@ -111,3 +116,25 @@ def _get_filtering_terms(filter_string):
values = search_terms[1].split(',')
return dict(zip(keys, values))
+
+def _validate_input(input):
+ invalid = 0
+
+ if input:
+ input_list = input.split(":")
+
+ # Check we have only one colon
+ if len(input.split(":")) != 2:
+ invalid = 1
+
+ # Check we have an equal number of terms both sides of the colon
+ if len(input_list[0].split(',')) != len(input_list[1].split(',')):
+ invalid = 1
+
+ # Check we are looking for a valid field
+ valid_fields = Build._meta.get_all_field_names()
+ for field in input_list[0].split(','):
+ if field not in valid_fields:
+ invalid = 1
+
+ return input, invalid
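Review bot: `_validate_input` keeps going after the colon-count check fails, so a value with no colon at all (say `filter=name`) reaches `input_list[1]` in the term-count check and raises IndexError, which surfaces as a 500 instead of the 400 that builds() intends to return. Returning early fixes that and removes the redundant second split: `if len(input_list) != 2:` / `return input, 1`; the same early return belongs on the term-count check so the field loop never runs on an already-rejected value. Two smaller points: the parameter name `input` shadows the builtin, and `invalid` would read better as a bool than as 0/1, since the caller only tests its truthiness. Restricting the left-hand terms to `Build._meta.get_all_field_names()` is the right defensive check here, assuming those terms are later passed as ORM lookup keys — worth stating in a one-line docstring on the function.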
--
1.8.1.2