#156 fix ValueError for not int to proper ValidationError

ephes · Jun 27, 2024 · 656c167 · 656c167
1 parent 0a7470c
commit 656c167
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 1 deletion.
diff --git a/cast/views/gallery.py b/cast/views/gallery.py
@@ -3,6 +3,7 @@
 from django import forms
 from django.http import HttpResponse
 from django.shortcuts import render
+from django.utils.translation import gettext_lazy as _
 from django.views.decorators.http import require_GET
 from wagtail.images.models import Image
 
@@ -14,7 +15,10 @@ class CommaSeparatedIntegerField(forms.Field):
     def to_python(self, value: Any | None) -> list[int]:  # Any | None from super -> do not override
         if value is None or not value.strip():
             return []
-        return [int(item.strip()) for item in value.split(",")]
+        try:
+            return [int(item.strip()) for item in value.split(",")]  # image_pks
+        except ValueError:
+            raise forms.ValidationError(_("Enter a list of image ids."))
 
 
 class GalleryModalForm(forms.Form):

diff --git a/docs/releases/0.2.35.rst b/docs/releases/0.2.35.rst
@@ -10,3 +10,4 @@
 - #153 JavaScript dependency updates and new bundle
 - #154 Output all relative file paths + file contents to be able to pass it to the llm command
 - #155 Update theme endpoint breaks on integer json payloads
+- #156 Image IDs for galleries have to be integer
diff --git a/tests/gallery_views_test.py b/tests/gallery_views_test.py
@@ -32,6 +32,13 @@ def test_gallery_modal_form_image_pks_empty():
     assert form.errors["image_pks"][0] == "This field is required."
 
 
+def test_gallery_modal_form_malicious_input():
+    data = {"current_image_pk": 4, "image_pks": "1,2,3,if(now()=sysdate()", "block_id": "block_id"}
+    form = GalleryModalForm(data)
+    assert not form.is_valid()
+    assert form.errors["image_pks"][0] == "Enter a list of image ids."
+
+
 @pytest.mark.parametrize(
     "current_image_pk,image_pks,expected_prev_next",
     [