opengis: validate indexing template to avoid later crashes (#67381)

2022-07-19 09:28:35 +02:00 · 2022-07-19 09:28:35 +02:00 · e7db96aa4f
parent ae6ad39e09
commit e7db96aa4f
3 changed files with 18 additions and 2 deletions
--- a/passerelle/apps/opengis/migrations/0012_query_indexing_template.py
+++ b/passerelle/apps/opengis/migrations/0012_query_indexing_template.py
@ -4,6 +4,8 @@ from __future__ import unicode_literals

 from django.db import migrations, models

+from passerelle.utils.templates import validate_template
+

 def create_indexing_template(apps, schema_editor):
    Query = apps.get_model('opengis', 'Query')
@ -27,6 +29,7 @@ class Migration(migrations.Migration):
            field=models.TextField(
                blank=True,
                verbose_name='Indexing template',
+                validators=[validate_template],
            ),
        ),
        migrations.RunPython(create_indexing_template, lambda x, y: None),
--- a/passerelle/apps/opengis/models.py
+++ b/passerelle/apps/opengis/models.py
@ -34,6 +34,7 @@ from passerelle.base.models import BaseQuery, BaseResource
 from passerelle.utils.api import endpoint
 from passerelle.utils.conversion import num2deg, simplify
 from passerelle.utils.jsonresponse import APIError
+from passerelle.utils.templates import validate_template


 def build_dict_from_xml(elem):
@ -491,8 +492,7 @@ class Query(BaseQuery):
    typename = models.CharField(_('Feature type'), max_length=256)
    filter_expression = models.TextField(_('XML filter'), blank=True)
    indexing_template = models.TextField(
-        verbose_name=_('Indexing template'),
-        blank=True,
+        verbose_name=_('Indexing template'), blank=True, validators=[validate_template]
    )
    computed_properties = JSONField(blank=True, default=dict)

--- a/tests/test_opengis.py
+++ b/tests/test_opengis.py
@ -1035,3 +1035,16 @@ def test_opengis_test_indexing_template_view(mocked_get, admin_user, app, connec
    resp = app.get('/manage/opengis/%s/query/%s/' % (connector.slug, query.pk))
    assert url in resp.text
    assert 'Test template' in resp.text
+
+
+def test_opengis_query_creation_validates_template(admin_user, app, connector):
+    app = login(app)
+    resp = app.get('/manage/opengis/%s/query/new/' % connector.slug)
+    resp.form['slug'] = 'foo'
+    resp.form['name'] = 'Foo Bar'
+    resp.form['typename'] = 'foo'
+    resp.form['indexing_template'] = '{% if %}'
+
+    resp = resp.form.submit()
+
+    assert 'Unexpected end of expression in if tag' in str(resp.form.html)