diff --git a/results-tabulation-api/api/TallySheetVersionApi/__init__.py b/results-tabulation-api/api/TallySheetVersionApi/__init__.py
index ab6776b0..a2d2e939 100644
--- a/results-tabulation-api/api/TallySheetVersionApi/__init__.py
+++ b/results-tabulation-api/api/TallySheetVersionApi/__init__.py
@@ -5,14 +5,13 @@
 from app import db
 from auth import authorize
 from constants.AUTH_CONSTANTS import ALL_ROLES
-from exception import NotFoundException, InvalidInputException
-from exception.messages import MESSAGE_CODE_TALLY_SHEET_NOT_FOUND, MESSAGE_CODE_TALLY_SHEET_VERSION_NOT_FOUND, \
- MESSAGE_CODE_INVALID_INPUT
+from exception import NotFoundException
+from exception.messages import MESSAGE_CODE_TALLY_SHEET_NOT_FOUND, MESSAGE_CODE_TALLY_SHEET_VERSION_NOT_FOUND
 from ext.ExtendedTallySheet import ExtendedTallySheet
 from orm.entities.Submission import TallySheet
 from orm.entities.SubmissionVersion import TallySheetVersion
 from schemas import TallySheetVersionSchema, TallySheetSchema_1
-from util import get_paginated_query, RequestBody, input_is_valid
+from util import get_paginated_query, RequestBody, validate_tally_sheet_version_request_content_special_characters
 def get_all(tallySheetId):
@@ -168,11 +167,7 @@ def create(tallySheetId, body):
 tally_sheet = TallySheet.get_by_id(tallySheetId=tallySheetId)
 # validate user inputs to prevent XSS attacks
- if not input_is_valid(request_body.get("content")):
- raise InvalidInputException(
- message="Invalid input detected. Use of disallowed characters/invalid input length detected",
- code=MESSAGE_CODE_INVALID_INPUT
- )
+ validate_tally_sheet_version_request_content_special_characters(request_body.get("content"))
 if tally_sheet is None:
 raise NotFoundException(
diff --git a/results-tabulation-api/exception/__init__.py b/results-tabulation-api/exception/__init__.py
index b1529b81..4e18ff10 100644
--- a/results-tabulation-api/exception/__init__.py
+++ b/results-tabulation-api/exception/__init__.py
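Review bot: The added call passes `request_body.get("content")` straight into the validator, which iterates it, so a body with no `content` key hands None to the helper and the handler dies with a TypeError (a 500) instead of returning a client error; the previous `if not input_is_valid(...)` path had the same gap, but this is the moment to close it. Guard before the call, e.g. `content = request_body.get("content") or []` followed by `validate_tally_sheet_version_request_content_special_characters(content)`, or reject a missing or non-list `content` explicitly with the same error code. Note also that the removed branch raised a 400 via `InvalidInputException`, whereas the helper it now calls (see the util hunk) raises `ForbiddenException`, so a malformed field is reported to clients and monitoring as an authorization failure rather than a validation failure. `create` continues outside the hunk.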
@@ -22,8 +22,4 @@ def InternalServerErrorException(message="", code=None):
 def NotImplementedException(message="", code=None):
- raise ProblemException(501, "Not Implemented", message, "NotImplemented", code)
-
-
-def InvalidInputException(message="", code=None):
- raise ProblemException(400, "Invalid Input", message, "Forbidden", code)
+ raise ProblemException(501, "Not Implemented", message, "NotImplemented", code)
\ No newline at end of file
diff --git a/results-tabulation-api/util/__init__.py b/results-tabulation-api/util/__init__.py
index 4e76f8c0..bee6600c 100644
--- a/results-tabulation-api/util/__init__.py
+++ b/results-tabulation-api/util/__init__.py
@@ -6,6 +6,8 @@
 from sqlalchemy import func
 import base64
 import numpy as np
+from exception import ForbiddenException
+from exception.messages import MESSAGE_CODE_INVALID_INPUT
 class RequestBody:
@@ -158,12 +160,15 @@ def get_sum_of_all_and_nan_otherwise(array):
 return result
-def input_is_valid(content_array):
+def validate_tally_sheet_version_request_content_special_characters(content_array):
 invalid_strings = ["'", "\"", "<", ">", "=", ",", ";"]
 for array_item in content_array:
- for value in array_item:
- text_value = str(array_item[value])
+ if "strValue" in array_item and array_item["strValue"] is not None:
+ text_value = str(array_item["strValue"])
 for char in invalid_strings:
 if char in text_value or len(text_value) > 500:
- return False
- return True
\ No newline at end of file
+ raise ForbiddenException(
+ message="Invalid input detected. Use of disallowed characters/invalid input length detected. " + char + " included in " + text_value,
+ code=MESSAGE_CODE_INVALID_INPUT
+ )
+ return True
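Review bot: The message built on the added `raise ForbiddenException(` lines reflects the rejected `text_value` back to the client verbatim, and because the length test shares one condition with the character test, a value that merely exceeds 500 characters is reported as containing `'` (the first entry of `invalid_strings`) and is echoed in full with no bound on the response size. Reflecting untrusted input into an error body defeats the purpose of the check if any consumer renders error messages as HTML, so report the offending character or the length limit, never the value itself. A character denylist is not an XSS defence on its own (output encoding at the rendering layer is still required), and narrowing the scan to `strValue` means any other string-typed field in a `content` item, if one exists, is no longer checked at all. The rewrite below keeps the helper's interface and still raises `ForbiddenException`, although a 400-class exception would describe a validation failure more accurately than a 403.
```python
def validate_tally_sheet_version_request_content_special_characters(content_array):
    invalid_strings = ["'", "\"", "<", ">", "=", ",", ";"]
    for array_item in content_array or []:
        if "strValue" in array_item and array_item["strValue"] is not None:
            text_value = str(array_item["strValue"])
            # Length first, so a long value is never reported as containing a character it lacks.
            if len(text_value) > 500:
                raise ForbiddenException(
                    message="Invalid input detected. Input exceeds the 500 character limit.",
                    code=MESSAGE_CODE_INVALID_INPUT
                )
            for char in invalid_strings:
                if char in text_value:
                    # Name the character, not the value, so untrusted input is never reflected.
                    raise ForbiddenException(
                        message="Invalid input detected. Disallowed character " + char + " in input.",
                        code=MESSAGE_CODE_INVALID_INPUT
                    )
    return True
```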