From 5f9bc570696c6b8deb465d273bf539c92ad4afbf Mon Sep 17 00:00:00 2001
From: Arjun Satarkar
Date: Fri, 4 Aug 2023 05:47:14 +0530
Subject: Do more user input validation

---
 serve.py  | 12 +++++++++---
 tagrss.py | 22 ++++++++++++++++------
 2 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/serve.py b/serve.py
index d04509f..cec578d 100755
--- a/serve.py
+++ b/serve.py
@@ -210,13 +210,19 @@ def add_feed_effect():
 def manage_feed_view():
     try:
         feed_id_raw: str = bottle.request.query["feed"]  # type: ignore
-        feed_id: int = int(feed_id_raw)
     except KeyError:
         raise bottle.HTTPError(400, "Feed ID not given.")
+    try:
+        feed_id: int = int(feed_id_raw)
+    except ValueError:
+        raise bottle.HTTPError(400, f'"{feed_id_raw}" is not a valid feed ID.')
     feed: dict[str, typing.Any] = {}
     feed["id"] = feed_id
-    feed["source"] = core.get_feed_source(feed_id)
-    feed["title"] = core.get_feed_title(feed_id)
+    try:
+        feed["source"] = core.get_feed_source(feed_id)
+        feed["title"] = core.get_feed_title(feed_id)
+    except tagrss.FeedDoesNotExistError:
+        raise bottle.HTTPError(404, f"No feed has ID {feed_id}.")
     feed["tags"] = core.get_feed_tags(feed_id)
     feed["serialised_tags"] = serialise_tags(feed["tags"])
     return bottle.template("manage_feed", feed=feed)
diff --git a/tagrss.py b/tagrss.py
index 4370b7a..9c134a5 100644
--- a/tagrss.py
+++ b/tagrss.py
@@ -38,6 +38,10 @@ class SqliteMissingForeignKeySupportError(StorageError):
     pass
 
 
+class FeedDoesNotExistError(StorageError):
+    pass
+
+
 class FeedFetchError(Exception):
     def __init__(
         self,
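Review bot: The new `int(feed_id_raw)` guard only rejects non-numeric text; any integer magnitude passes, and when a value outside SQLite's signed 64-bit range reaches `core.get_feed_source(feed_id)` the sqlite3 parameter binding raises `OverflowError`, which neither the `except ValueError` nor the `except tagrss.FeedDoesNotExistError` branch catches, so an oversized `feed` query value still ends in a 500 rather than the 400 this commit is aiming for. A range check right after the conversion closes that gap, e.g. `if not -(2**63) <= feed_id < 2**63:` followed by the same 400 response (feed IDs are presumably positive rowids, so `0 <` may be the tighter bound — confirm against the schema), or alternatively the storage layer in tagrss.py could translate `OverflowError` into `FeedDoesNotExistError`. The 400 body also echoes `feed_id_raw` verbatim; Bottle's default error page HTML-escapes `e.body`, but if the app installs its own error handler that renders the body unescaped, untrusted input would be emitted as markup, so consider dropping the raw value from the message or bounding its length. The route decorator above `manage_feed_view` is outside the hunk.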
@@ -233,15 +237,21 @@ class SqliteStorageProvider(StorageProvider):
 
     def get_feed_source(self, feed_id: FeedId) -> str:
         with self.__get_connection(use_transaction=False) as conn:
-            return conn.execute(
-                "SELECT source FROM feeds WHERE id = ?;", (feed_id,)
-            ).fetchone()[0]
+            try:
+                return conn.execute(
+                    "SELECT source FROM feeds WHERE id = ?;", (feed_id,)
+                ).fetchone()[0]
+            except TypeError:
+                raise FeedDoesNotExistError
 
     def get_feed_title(self, feed_id: FeedId) -> str:
         with self.__get_connection(use_transaction=False) as conn:
-            return conn.execute(
-                "SELECT title FROM feeds WHERE id = ?;", (feed_id,)
-            ).fetchone()[0]
+            try:
+                return conn.execute(
+                    "SELECT title FROM feeds WHERE id = ?;", (feed_id,)
+                ).fetchone()[0]
+            except TypeError:
+                raise FeedDoesNotExistError
 
     def get_feed_tags(self, feed_id: FeedId) -> list[str]:
         with self.__get_connection(use_transaction=False) as conn:
-- 
cgit v1.2.3-57-g22cb
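Review bot: Detecting a missing feed with `except TypeError` in `get_feed_source` and `get_feed_title` relies on `fetchone()` returning `None` and `None[0]` failing, so any other `TypeError` raised inside the `try` (the `conn.execute` call is inside it as well) would be misreported as a non-existent feed, and the bare `raise FeedDoesNotExistError` carries neither the looked-up id nor `from None`, so the incidental TypeError traceback is chained onto every such error. Testing the row explicitly states the intent, keeps the exception narrow and lets the caller log which id was missing; the rewrite below is for `get_feed_source` and the same shape applies to `get_feed_title` with the `title` query. Passing `feed_id` to the constructor assumes `StorageError` keeps `Exception`'s default `__init__` — its definition is outside the hunk, so confirm. The enclosing class `SqliteStorageProvider` starts before the hunk and `get_feed_tags` continues after it.
```python
    def get_feed_source(self, feed_id: FeedId) -> str:
        with self.__get_connection(use_transaction=False) as conn:
            row = conn.execute(
                "SELECT source FROM feeds WHERE id = ?;", (feed_id,)
            ).fetchone()
            if row is None:
                raise FeedDoesNotExistError(feed_id)
            return row[0]
    # … unchanged: get_feed_title (same change with the title query), get_feed_tags …
```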