id removed from 404 to prevent js injection

db0070f0 · Jedrzej Rybicki · 366a57a6 · db0070f0 · db0070f0 · db0070f0
Commit db0070f0 authored 4 years ago by Jedrzej Rybicki
--- a/apiserver/main.py
+++ b/apiserver/main.py
@@ -109,10 +109,9 @@ async def delete_specific_dataset(location_data_type: LocationDataType,
    return adapter.delete(location_data_type, dataset_id, user.username)


-
 @app.exception_handler(FileNotFoundError)
 async def not_found_handler(request: Request, ex: FileNotFoundError):
-    oid=request.path_params.get('dataset_id', '')
+    _ =request.path_params.get('dataset_id', '')
    logging.error("File not found translated %s", ex)
    return JSONResponse(status_code=status.HTTP_404_NOT_FOUND,
-                        content={'message':f"Object {oid} does not exist"})
+                        content={'message':f"Object does not exist"})
--- a/tests/apiserver_tests/test_responsiveness.py
+++ b/tests/apiserver_tests/test_responsiveness.py
@@ -42,5 +42,5 @@ class NonAuthTests(unittest.TestCase):
        self.assertEqual(404, rsp.status_code)
        j = rsp.json()
        self.assertTrue('message' in j, f"{j} should contain message")
-        self.assertTrue('foo' in j['message'], f"{j} should contain object id (foo)")
+        self.assertFalse('foo' in j['message'], f"error message should contain object id (foo)")

--- a/tests/storage_tests/test_jsonbackend.py
+++ b/tests/storage_tests/test_jsonbackend.py
@@ -96,6 +96,7 @@ class SomeTests(unittest.TestCase):
            details = self.store.get_details(n_type=LocationDataType.DATASET, oid='../../../tmp/hackme')
        except:
            pass 
+        
        print(details)
        self.assertIsNone(details)