From db0070f0ef2b3d909fd74536976f075026e7a77a Mon Sep 17 00:00:00 2001
From: jrybicki-jsc <j.rybicki@fz-juelich.de>
Date: Tue, 15 Jun 2021 09:51:42 +0200
Subject: [PATCH] id removed from 404 to prevent js injection

---
 apiserver/main.py                            | 5 ++---
 tests/apiserver_tests/test_responsiveness.py | 2 +-
 tests/storage_tests/test_jsonbackend.py      | 1 +
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/apiserver/main.py b/apiserver/main.py
index 3c94d01..c4c97d8 100644
--- a/apiserver/main.py
+++ b/apiserver/main.py
@@ -109,10 +109,9 @@ async def delete_specific_dataset(location_data_type: LocationDataType,
     return adapter.delete(location_data_type, dataset_id, user.username)
 
 
-
 @app.exception_handler(FileNotFoundError)
 async def not_found_handler(request: Request, ex: FileNotFoundError):
-    oid=request.path_params.get('dataset_id', '')
+    _ =request.path_params.get('dataset_id', '')
     logging.error("File not found translated %s", ex)
     return JSONResponse(status_code=status.HTTP_404_NOT_FOUND,
-                        content={'message':f"Object {oid} does not exist"})
+                        content={'message':f"Object does not exist"})
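Review bot: The new line `_ =request.path_params.get('dataset_id', '')` is a dead assignment now that the id is deliberately not reflected, and `f"Object does not exist"` is an f-string with no placeholders. Drop the lookup and use a plain literal: `content={'message': "Object does not exist"}`. The `logging.error` call on the line above still records `ex` server-side, so the detail is retained where it belongs while the client-visible message stays generic. The handler is fully within the hunk.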
diff --git a/tests/apiserver_tests/test_responsiveness.py b/tests/apiserver_tests/test_responsiveness.py
index 621dba3..7a65933 100644
--- a/tests/apiserver_tests/test_responsiveness.py
+++ b/tests/apiserver_tests/test_responsiveness.py
@@ -42,5 +42,5 @@ class NonAuthTests(unittest.TestCase):
         self.assertEqual(404, rsp.status_code)
         j = rsp.json()
         self.assertTrue('message' in j, f"{j} should contain message")
-        self.assertTrue('foo' in j['message'], f"{j} should contain object id (foo)")
+        self.assertFalse('foo' in j['message'], f"error message should contain object id (foo)")
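Review bot: The failure message on the new `assertFalse` line contradicts the check: it says the message "should contain object id (foo)" while the assertion now requires that it does not, which will mislead whoever reads a failing run. The f-string also has no placeholders (the `{j}` from the old line was dropped). Suggest `self.assertNotIn('foo', j['message'], f"{j} should not contain object id (foo)")`, which also gives a clearer built-in diff on failure. The enclosing test method starts outside the hunk.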
 
diff --git a/tests/storage_tests/test_jsonbackend.py b/tests/storage_tests/test_jsonbackend.py
index f977080..2abc405 100644
--- a/tests/storage_tests/test_jsonbackend.py
+++ b/tests/storage_tests/test_jsonbackend.py
@@ -96,6 +96,7 @@ class SomeTests(unittest.TestCase):
             details = self.store.get_details(n_type=LocationDataType.DATASET, oid='../../../tmp/hackme')
         except:
             pass 
+        
         print(details)
         self.assertIsNone(details)
 
-- 
GitLab