Merge pull request #254 from asherpasha/dev

Input validation - fastpheno.

Author: asherpasha

api/resources/fastpheno.py

@@ -4,6 +4,8 @@
 Fastpheno endpoint for retrieving tree data
 """
 
+import re
+
 from flask_restx import Namespace, Resource
 from api import db
 from api.models.fastpheno import Sites, Trees, Band, Height
@@ -26,6 +28,16 @@ def get(self, site, month, band):
         month = escape(month)
         band = escape(band)
 
+        # Validate input
+        if not re.search(r"^[a-z]{1,15}$", site, re.I):
+            return BARUtils.error_exit("Invalid site name"), 400
+
+        if not re.search(r"^[a-z]{1,4}$", month, re.I):
+            return BARUtils.error_exit("Invalid month"), 400
+
+        if not re.search(r"^band_\d{1,8}$", band, re.I):
+            return BARUtils.error_exit("Invalid band"), 400
+
         rows = db.session.execute(
             db.select(Sites, Trees, Height, Band)
             .select_from(Sites)
@@ -67,6 +79,10 @@ def get(self, genotype_id):
         # Escape input data
         genotype_id = escape(genotype_id).capitalize()
 
+        # Validate input
+        if not re.search(r"^[a-z]{1,3}$", genotype_id, re.I):
+            return BARUtils.error_exit("Invalid genotype id"), 400
+
         rows = db.session.execute(
             db.select(Sites, Trees)
             .select_from(Sites)

requirements.txt

@@ -1,14 +1,14 @@
 aniso8601==10.0.0
 async-timeout==5.0.1
-attrs==24.3.0
+attrs==25.1.0
 black==24.10.0
 blinker==1.9.0
 cachelib==0.9.0
 certifi==2024.12.14
 charset-normalizer==3.4.1
 click==8.1.8
 coverage==7.6.10
-Deprecated==1.2.15
+Deprecated==1.2.18
 flake8==7.1.1
 Flask==3.1.0
 Flask-Caching==2.3.0
@@ -28,7 +28,7 @@ jsonschema-specifications==2024.10.1
 limits==4.0.1
 markdown-it-py==3.0.0
 MarkupSafe==3.0.2
-marshmallow==3.25.1
+marshmallow==3.26.0
 mccabe==0.7.0
 mdurl==0.1.2
 mypy-extensions==1.0.0
@@ -46,7 +46,7 @@ pytest==8.3.4
 python-dateutil==2.9.0.post0
 pytz==2024.2
 redis==5.2.1
-referencing==0.36.1
+referencing==0.36.2
 requests==2.32.3
 rich==13.9.4
 rpds-py==0.22.3

tests/resources/test_fastpheno.py

@@ -52,6 +52,30 @@ def test_bands(self):
         }
         self.assertEqual(response.json, expected)
 
+        # Invalid site
+        response = self.app_client.get("/fastpheno/get_bands/12345/feb/band_1")
+        expected = {
+            "wasSuccessful": False,
+            "error": "Invalid site name",
+        }
+        self.assertEqual(response.json, expected)
+
+        # Invalid month
+        response = self.app_client.get("/fastpheno/get_bands/pintendre/1234/band_1")
+        expected = {
+            "wasSuccessful": False,
+            "error": "Invalid month",
+        }
+        self.assertEqual(response.json, expected)
+
+        # Invalid band
+        response = self.app_client.get("/fastpheno/get_bands/NOTASITE/feb/band_x")
+        expected = {
+            "wasSuccessful": False,
+            "error": "Invalid band",
+        }
+        self.assertEqual(response.json, expected)
+
     def test_site_genotype_ids(self):
         """This function checks GET request for fastpheno sites for genotype_ids
         :return:
@@ -92,9 +116,17 @@ def test_site_genotype_ids(self):
         self.assertEqual(response.json, expected)
 
         # Not working version
-        response = self.app_client.get("/fastpheno/get_trees/NOTAGENOTYPE")
+        response = self.app_client.get("/fastpheno/get_trees/Z")
         expected = {
             "wasSuccessful": False,
             "error": "There are no data found for the given parameters",
         }
         self.assertEqual(response.json, expected)
+
+        # Invalid data
+        response = self.app_client.get("/fastpheno/get_trees/NOTVALID")
+        expected = {
+            "wasSuccessful": False,
+            "error": "Invalid genotype id",
+        }
+        self.assertEqual(response.json, expected)