wcs: check code syntax before searching for it (#89461)

Yann Weber 2024-04-11 18:12:09 +02:00
parent 46e7c037f5
commit d9b5247f44
2 changed files with 17 additions and 6 deletions


@ -46,6 +46,8 @@ class TrackingCodeView(View):
@classmethod
def search(cls, code, request, wcs_site=None, backoffice=False):
code = code.strip().upper()
if not re.match(r'^[BCDFGHJKLMNPQRSTVWXZ]{8}$', code):
return None
if wcs_site:
wcs_sites = [get_wcs_services().get(wcs_site)]
else:
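Review bot: The new guard uses `re.match` with `^...$`, and in Python `$` also matches just before a trailing newline, so it is only the `.strip()` on the line above that keeps a value like `'FFQQBRRR\n'` from passing; `if not re.fullmatch(r'[BCDFGHJKLMNPQRSTVWXZ]{8}', code):` makes the check self-contained and no longer dependent on the normalisation step staying in front of it. The reason for the check is also worth a line, since the rejected inputs in the tests (`../users`, `BBCCDDF%00`) show it is what keeps the value from reaching the `/api/code/...` request path; I would add `# reject anything that is not an 8-letter code before it is used to build an API path; the alphabet presumably mirrors the w.c.s. tracking-code generator — confirm`. The body of `search` continues outside the hunk, so where the validated `code` is interpolated is not visible here.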


@ -1430,14 +1430,14 @@ def test_tracking_code_cell(app, nocache):
cell.save()
resp = app.get('/')
resp.form['code'] = 'FOOBAR'
resp.form['code'] = 'FFQQBRRR'
with mock.patch('combo.apps.wcs.models.requests.get') as requests_get:
mock_json = mock.Mock(status_code=200)
requests_get.return_value = mock_json
resp = resp.form.submit()
assert len(requests_get.call_args_list) == 2
assert requests_get.call_args_list[0][0][0] == '/api/code/FOOBAR'
assert requests_get.call_args_list[1][0][0] == '/api/code/FOOBAR'
assert requests_get.call_args_list[0][0][0] == '/api/code/FFQQBRRR'
assert requests_get.call_args_list[1][0][0] == '/api/code/FFQQBRRR'
remote_service_urls = [c[1]['remote_service']['url'] for c in requests_get.call_args_list]
assert set(remote_service_urls) == {'http://127.0.0.1:8999/', 'http://127.0.0.2:8999/'}
assert resp.status_code == 302
@ -1450,7 +1450,7 @@ def test_tracking_code_cell(app, nocache):
mock_json = mock.Mock(status_code=200)
requests_get.return_value = mock_json
resp = resp.form.submit()
assert requests_get.call_args_list[0][0][0] == '/api/code/FOO%3FBAR%3FBAD%3CCODE%3E'
assert requests_get.called is False
assert resp.status_code == 302
resp = resp.follow()
assert '<li class="error">The tracking code could not been found.</li>' in resp.text
@ -1668,6 +1668,15 @@ def test_tracking_code_search(settings, app, nocache):
assert requests_get.call_args_list[0][0][0] == '/api/code/CNPHNTFB?backoffice=true'
@pytest.mark.parametrize('invalid_code', ('../users', 'FOOBAR', 'BBCCDDF%00'))
def test_tracking_code_search_invalid(settings, app, nocache, invalid_code):
with mock.patch('combo.apps.wcs.models.requests.get') as requests_get:
result = app.get(f'/api/search/tracking-code/?q={invalid_code}').json
assert len(result.get('data')) == 0
assert result.get('err') == 0
assert requests_get.called is False # no code
def test_tracking_code_search_rate_limit(settings, app):
settings.TEMPLATE_VARS['is_portal_agent'] = True
settings.WCS_TRACKING_CODE_RATE_LIMIT = '0/s'
@ -1679,14 +1688,14 @@ def test_tracking_code_search_rate_limit(settings, app):
cell.save()
resp = app.get('/')
resp.form['code'] = 'FOOBAR'
resp.form['code'] = 'FFQQBRRR'
resp = resp.form.submit()
assert resp.status_code == 302
resp = resp.follow()
assert '<li class="error">Looking up tracking code is currently rate limited.</li>' in resp.text
resp = app.get('/')
resp.form['code'] = 'FOOBAR'
resp.form['code'] = 'FFQQBRRR'
resp.form['url'] = 'http://example.org/'
resp = resp.form.submit(status=403)