From bf944381f56d63d13c52adfbfe4b351df8c3807d Mon Sep 17 00:00:00 2001
From: Mathieu Leplatre
Date: Wed, 11 Dec 2024 18:37:47 +0100
Subject: [PATCH] Fix #3475: prevent malformed timestamps to reach storage queries (#3477)

---
 kinto/core/resource/__init__.py | 5 +++--
 tests/core/resource/test_filter.py | 4 ++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/kinto/core/resource/__init__.py b/kinto/core/resource/__init__.py
index f8aaa7b15..da447642e 100644
--- a/kinto/core/resource/__init__.py
+++ b/kinto/core/resource/__init__.py
@@ -665,7 +665,7 @@ def delete(self):
         obj = self._get_object_or_404(self.object_id)
         self._raise_412_if_modified(obj)
 
-        # Retreive the last_modified information from a querystring if present.
+        # Retrieve the last_modified information from a querystring if present.
         last_modified = self.request.validated["querystring"].get("last_modified")
 
         # If less or equal than current object. Ignore it.
@@ -1060,7 +1060,8 @@ def _extract_filters(self):
         """Extracts filters from QueryString parameters."""
 
         def is_valid_timestamp(value):
-            return isinstance(value, int) or re.match(r'^"?\d+"?$', str(value))
+            # Is either integer, or integer as string, or integer between 2 quotes.
+            return isinstance(value, int) or re.match(r'^(\d+)$|^("\d+")$', str(value))
 
         queryparams = self.request.validated["querystring"]
 
diff --git a/tests/core/resource/test_filter.py b/tests/core/resource/test_filter.py
index d34eb8f0a..1ccd14ac3 100644
--- a/tests/core/resource/test_filter.py
+++ b/tests/core/resource/test_filter.py
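Review bot: The new pattern in `is_valid_timestamp` is anchored with `$`, which in Python matches before a trailing newline, so `re.match(r'^(\d+)$|^("\d+")$', "123\n")` still succeeds and a value with a trailing newline gets past the check this commit is tightening; `\d` also accepts non-ASCII Unicode digits, not only `0-9`. Replacing the call with `re.fullmatch(r'[0-9]+|"[0-9]+"', str(value))` anchors both ends strictly and limits the match to ASCII digits, which is what a storage backend expecting an integer timestamp needs. The `isinstance(value, int)` branch also admits `bool`, but that is pre-existing rather than introduced here. `_extract_filters` continues past the hunk, so what the validated value is converted to before it reaches the query is not visible here.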
@@ -92,6 +92,10 @@ def test_filter_raises_error_if_last_modified_value_is_not_int(self):
         self.validated["querystring"] = {"lt_last_modified": bad_value}
         self.assertRaises(httpexceptions.HTTPBadRequest, self.resource.plural_get)
 
+    def test_filter_raises_error_if_last_modified_value_has_malformed_quotes(self):
+        self.validated["querystring"] = {"last_modified": '123"'}
+        self.assertRaises(httpexceptions.HTTPBadRequest, self.resource.plural_get)
+
     def test_filter_works_with_since_none(self):
         self.validated["querystring"] = {"_since": None}
         result = self.resource.plural_get()
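Review bot: The new test pins only the trailing-quote case `'123"'`; the other malformations the stricter pattern is meant to reject — a leading quote alone (`'"123'`) and a quote inside the digits (`'12"3'`) — are not exercised, so a regression that loosened one of the two regex alternatives would still pass. Either iterate over a tuple of bad values, as the sibling `..._is_not_int` test appears to do with `bad_value`, or add assertions for `'"123'` and `'12"3'` alongside the existing one. The enclosing TestCase class begins outside the hunk.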