ECLK · dinukadesilva · Jul 22, 2020 · Jul 22, 2020 · Jul 22, 2020 · Jul 22, 2020
diff --git a/results-tabulation-api/api/TallySheetVersionApi/__init__.py b/results-tabulation-api/api/TallySheetVersionApi/__init__.py
@@ -5,14 +5,13 @@
 from app import db
 from auth import authorize
 from constants.AUTH_CONSTANTS import ALL_ROLES
-from exception import NotFoundException, InvalidInputException
-from exception.messages import MESSAGE_CODE_TALLY_SHEET_NOT_FOUND, MESSAGE_CODE_TALLY_SHEET_VERSION_NOT_FOUND, \
-    MESSAGE_CODE_INVALID_INPUT
+from exception import NotFoundException
+from exception.messages import MESSAGE_CODE_TALLY_SHEET_NOT_FOUND, MESSAGE_CODE_TALLY_SHEET_VERSION_NOT_FOUND
 from ext.ExtendedTallySheet import ExtendedTallySheet
 from orm.entities.Submission import TallySheet
 from orm.entities.SubmissionVersion import TallySheetVersion
 from schemas import TallySheetVersionSchema, TallySheetSchema_1
-from util import get_paginated_query, RequestBody, input_is_valid
+from util import get_paginated_query, RequestBody, validate_tally_sheet_version_request_content_special_characters
 
 
 def get_all(tallySheetId):
@@ -168,11 +167,7 @@ def create(tallySheetId, body):
     tally_sheet = TallySheet.get_by_id(tallySheetId=tallySheetId)
 
     # validate user inputs to prevent XSS attacks
-    if not input_is_valid(request_body.get("content")):
-        raise InvalidInputException(
-            message="Invalid input detected. Use of disallowed characters/invalid input length detected",
-            code=MESSAGE_CODE_INVALID_INPUT
-        )
+    validate_tally_sheet_version_request_content_special_characters(request_body.get("content"))
 
     if tally_sheet is None:
         raise NotFoundException(

diff --git a/results-tabulation-api/exception/__init__.py b/results-tabulation-api/exception/__init__.py
@@ -22,8 +22,4 @@ def InternalServerErrorException(message="", code=None):
 
 
 def NotImplementedException(message="", code=None):
-    raise ProblemException(501, "Not Implemented", message, "NotImplemented", code)
-
-
-def InvalidInputException(message="", code=None):
-    raise ProblemException(400, "Invalid Input", message, "Forbidden", code)
+    raise ProblemException(501, "Not Implemented", message, "NotImplemented", code)
diff --git a/results-tabulation-api/util/__init__.py b/results-tabulation-api/util/__init__.py
@@ -6,6 +6,8 @@
 from sqlalchemy import func
 import base64
 import numpy as np
+from exception import ForbiddenException
+from exception.messages import MESSAGE_CODE_INVALID_INPUT
 
 
 class RequestBody:
@@ -158,12 +160,15 @@ def get_sum_of_all_and_nan_otherwise(array):
     return result
 
 
-def input_is_valid(content_array):
+def validate_tally_sheet_version_request_content_special_characters(content_array):
     invalid_strings = ["'", "\"", "<", ">", "=", ",", ";"]
     for array_item in content_array:
-        for value in array_item:
-            text_value = str(array_item[value])
+        if "strValue" in array_item and array_item["strValue"] is not None:
+            text_value = str(array_item["strValue"])
             for char in invalid_strings:
                 if char in text_value or len(text_value) > 500:
-                    return False
-    return True
+                    raise ForbiddenException(
+                        message="Invalid input detected. Use of disallowed characters/invalid input length detected. " + char + " included in " + text_value,
+                        code=MESSAGE_CODE_INVALID_INPUT
+                    )
+    return True