NotificationsYou must be signed in to change notification settings
Fork95
Star70

Allow additional characters in query validation#1267

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Merged

arkid15r merged 3 commits intoOWASP:mainfromNaveen-Pal:fix-validation-rule

Apr 2, 2025

Merged

Allow additional characters in query validation#1267

arkid15r merged 3 commits intoOWASP:mainfromNaveen-Pal:fix-validation-rule

Apr 2, 2025

Conversation

Copy link

Collaborator

Naveen-Pal commentedApr 2, 2025

Resolves#1257

Allowed Strings

.,-, (space),/w -> any word character (including Unicode letters, numbers, and underscores)

Invalid strings:

which include special Characters -> !, @, #, $, %, ^, &, *, (, ), +, =, {, }, [, ], |, , :, ;, ", ', <, >, ?, /, `, ~

allow additional characters in query validation

8a286d7

Naveen-Pal requested a review fromarkid15r as acode owner

April 2, 2025 11:21

Copy link

Contributor

coderabbitaibot commentedApr 2, 2025•
edited
Loading

Summary by CodeRabbit

New Features
- Enhanced query input flexibility to accept a broader range of characters, providing more versatile search options.
Tests
- Expanded testing to cover new query scenarios, including inputs with international characters.

Walkthrough

This pull request updates the query validation logic by modifying the regular expression in thevalidate_query function to accept a broader range of characters. The new regex^[\w .-]*$ now permits periods and word characters, in addition to the originally allowed alphanumeric characters, hyphens, underscores, and spaces. Additionally, the test suite has been updated with a new case including a non-ASCII character to ensure robust validation of diverse query inputs.

Changes

Files	Change Summary
backend/apps/core/validators.py	Updated regex in the`validate_query` function from`^[a-zA-Z0-9-_ ]$` to`^[\w .-]$` to include periods and a wider set of word characters
backend/tests/apps/core/validators_test.py	Updated`test_valid_query` method to include an additional valid query string`"ç_query.valid"` for testing queries with non-ASCII characters

Assessment against linked issues

Objective	Addressed	Explanation
Fix community member search workflow (#1257)	✅

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between8a286d7 anda182826.

📒 Files selected for processing (1)

backend/tests/apps/core/validators_test.py (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

backend/tests/apps/core/validators_test.py

⏰ Context from checks skipped due to timeout of 90000ms (4)

GitHub Check: Run frontend e2e tests
GitHub Check: Run frontend unit tests
GitHub Check: Run backend tests
GitHub Check: CodeQL (javascript-typescript)

🪧 Tips

Chat

There are 3 ways to chat withCodeRabbit:

Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- I pushed a fix in commit <commit_id>, please review it.
- Generate unit testing code for this file.
- Open a follow-up GitHub issue for this discussion.
Files and specific lines of code (under the "Files changed" tab): Tag@coderabbitai in a new review comment at the desired location with your query. Examples:
- @coderabbitai generate unit testing code for this file.
- @coderabbitai modularize this function.
PR comments: Tag@coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
- @coderabbitai read src/utils.ts and generate unit testing code.
- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
- @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

@coderabbitai pause to pause the reviews on a PR.
@coderabbitai resume to resume the paused reviews.
@coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
@coderabbitai full review to do a full review from scratch and review all the files again.
@coderabbitai summary to regenerate the summary of the PR.
@coderabbitai generate docstrings togenerate docstrings for this PR.
@coderabbitai resolve resolve all the CodeRabbit review comments.
@coderabbitai plan to trigger planning for file edits and PR creation.
@coderabbitai configuration to show the current CodeRabbit configuration for the repository.
@coderabbitai help to get help.

Other keywords and placeholders

Add@coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
Add@coderabbitai summary to generate the high-level summary at a specific location in the PR description.
Add@coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

Visit ourDocumentation for detailed information on how to use CodeRabbit.
Join ourDiscord Community to get help, request features, and share feedback.
Follow us onX/Twitter for updates and announcements.

github-actionsbot added backend backend-tests labels

Apr 2, 2025

coderabbitaibot reviewed

Apr 2, 2025

View reviewed changes

Copy link

Contributor

coderabbitaibot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Actionable comments posted: 0

🔭 Outside diff range comments (1)

backend/apps/core/validators.py (1)
90-95:🛠️ Refactor suggestion
Update the error message to match the new validation pattern.
The regex pattern has been properly updated to^[\w .-]*$ to allow word characters, spaces, periods, and hyphens. However, the error message still only mentions "alphanumeric characters, hyphens, spaces, and underscores" without including periods (.) and the fact that word characters now include Unicode letters (non-ASCII characters).
    if not re.match(r"^[\w .-]*$", query):        message = (            "Invalid query value provided. "-           "Only alphanumeric characters, hyphens, spaces, and underscores are allowed."+           "Only word characters (letters, numbers, underscores), periods, hyphens, and spaces are allowed."        )        raise ValidationError(message)

🧹 Nitpick comments (2)

backend/tests/apps/core/validators_test.py (2)
98-98:Good test case addition for non-ASCII characters and periods.
The addition of the test case"çal Q. query" properly validates that the new regex pattern accepts non-ASCII characters (ç) and periods (.).
Consider expanding the test coverage by adding dedicated test cases intest_invalid_query for some of the specific invalid characters mentioned in the PR objectives (e.g.,!,@,#, etc.) to ensure they're properly rejected.
78-94:Enhance invalid query test coverage.
The current test suite only verifies that queries with exclamation marks (!) are rejected. Since the PR defines several invalid characters, it would be beneficial to add more test cases to ensure all specified invalid characters are properly rejected.
Consider adding more parameterized test cases totest_invalid_query to validate that queries containing other specified invalid characters (e.g.,@,#,$, etc.) are also rejected correctly.
    @pytest.mark.parametrize(        ("query", "error_message"),        [            (5, "query must be a string."),            (                "query!name",                (                    "Invalid query value provided. "                    "Only alphanumeric characters, hyphens, spaces, and underscores are allowed."                ),            ),+           (+               "query@name",+               (+                   "Invalid query value provided. "+                   "Only alphanumeric characters, hyphens, spaces, and underscores are allowed."+               ),+           ),+           (+               "query#name",+               (+                   "Invalid query value provided. "+                   "Only alphanumeric characters, hyphens, spaces, and underscores are allowed."+               ),+           ),+           # Add more invalid characters as needed        ],    )