From db0070f0ef2b3d909fd74536976f075026e7a77a Mon Sep 17 00:00:00 2001
From: jrybicki-jsc <j.rybicki@fz-juelich.de>
Date: Tue, 15 Jun 2021 09:51:42 +0200
Subject: [PATCH] id removed from 404 to prevent js injection
---
 apiserver/main.py | 5 ++---
 tests/apiserver_tests/test_responsiveness.py | 2 +-
 tests/storage_tests/test_jsonbackend.py | 1 +
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/apiserver/main.py b/apiserver/main.py
index 3c94d01..c4c97d8 100644
--- a/apiserver/main.py
+++ b/apiserver/main.py
@@ -109,10 +109,9 @@ async def delete_specific_dataset(location_data_type: LocationDataType,
 return adapter.delete(location_data_type, dataset_id, user.username)
-
 @app.exception_handler(FileNotFoundError)
 async def not_found_handler(request: Request, ex: FileNotFoundError):
- oid=request.path_params.get('dataset_id', '')
+ _ =request.path_params.get('dataset_id', '')
 logging.error("File not found translated %s", ex)
 return JSONResponse(status_code=status.HTTP_404_NOT_FOUND,
- content={'message':f"Object {oid} does not exist"})
+ content={'message':f"Object does not exist"})
diff --git a/tests/apiserver_tests/test_responsiveness.py b/tests/apiserver_tests/test_responsiveness.py
index 621dba3..7a65933 100644
--- a/tests/apiserver_tests/test_responsiveness.py
+++ b/tests/apiserver_tests/test_responsiveness.py
@@ -42,5 +42,5 @@ class NonAuthTests(unittest.TestCase):
 self.assertEqual(404, rsp.status_code)
 j = rsp.json()
 self.assertTrue('message' in j, f"{j} should contain message")
- self.assertTrue('foo' in j['message'], f"{j} should contain object id (foo)")
+ self.assertFalse('foo' in j['message'], f"error message should contain object id (foo)")
diff --git a/tests/storage_tests/test_jsonbackend.py b/tests/storage_tests/test_jsonbackend.py
index f977080..2abc405 100644
--- a/tests/storage_tests/test_jsonbackend.py
+++ b/tests/storage_tests/test_jsonbackend.py
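Review bot: The replacement line `_ =request.path_params.get('dataset_id', '')` in not_found_handler reads the path parameter only to discard it, so it can be deleted outright, and `f"Object does not exist"` no longer has a placeholder and should be the plain string `content={'message': "Object does not exist"})`. The unchanged `logging.error("File not found translated %s", ex)` still writes the exception text, which presumably carries the requested id, so the untrusted value now lands in the log instead of the response; it is worth confirming that whatever renders or parses those logs treats it as data. Because the body is JSON, the injection being closed here only triggers where a client inserts `message` into a page as markup, so any other handler that echoes request values (not visible in this hunk) would need the same review.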
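Review bot: The failure message on the flipped assertion in tests/apiserver_tests/test_responsiveness.py still reads "error message should contain object id (foo)", which is the opposite of what `assertFalse` checks and will mislead whoever sees it fail. `self.assertNotIn('foo', j['message'], "error message should not contain object id (foo)")` states the intent and reports both operands on failure. The check only proves that the literal id `foo` is not echoed; a second request whose id contains HTML metacharacters, asserting that they do not appear in the response body, would pin the behaviour this commit is about. The test method starts outside the hunk.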
@@ -96,6 +96,7 @@ class SomeTests(unittest.TestCase): details = self.store.get_details(n_type=LocationDataType.DATASET, oid='../../../tmp/hackme') except: pass + print(details) self.assertIsNone(details) -- GitLab
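Review bot: The added `print(details)` looks like leftover debugging in a path-traversal test and adds output to every run; if the value is useful on failure, carry it in the assertion instead, e.g. `self.assertIsNone(details, f"traversal oid returned {details}")`. The surrounding bare `except: pass` (unchanged here; the `try` starts outside the hunk) lets the test pass on any exception, so it cannot tell a rejected path from an unrelated crash. Asserting the specific exception type the store raises for an out-of-tree `oid` would make this a real regression test for the traversal check.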