From c58a1ce5089a864dafc0355883a5a8905b8ec50d Mon Sep 17 00:00:00 2001
From: isgondurasa
Date: Thu, 11 May 2017 16:00:03 +0300
Subject: [PATCH 1/2] xss pom escaping
---
 tcrudge/handlers.py | 9 +++++----
 tests/test_handlers.py | 4 ++--
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/tcrudge/handlers.py b/tcrudge/handlers.py
index 25ffab2..98879f0 100644
--- a/tcrudge/handlers.py
+++ b/tcrudge/handlers.py
@@ -609,7 +609,7 @@ async def get(self):
 {
 'code': '',
 'message': 'Bad query arguments',
- 'detail': str(e)
+ 'detail': xhtml_escape(str(e))
 }
 ]
 )
@@ -668,6 +668,7 @@ async def post(self):
 item = await self.model_cls._create(self.application, data)
 except AttributeError as e:
 # We can only create item if _create() model method implemented
+ err = xhtml_escape(str(e))
 raise HTTPError(
 405,
 body=self.get_response(
@@ -675,7 +676,7 @@ async def post(self):
 {
 'code': '',
 'message': 'Method not allowed',
- 'detail': str(e)
+ 'detail': err
 }
 ]
 )
@@ -785,7 +786,7 @@ async def get_item(self, item_id):
 {
 'code': '',
 'message': 'Item not found',
- 'detail': str(e)
+ 'detail': xhtml_escape(str(e))
 }
 ]
 )
@@ -834,7 +835,7 @@ async def put(self, item_id):
 {
 'code': '',
 'message': 'Method not allowed',
- 'detail': str(e)
+ 'detail': xhtml_escape(str(e))
 }
 ]
 )
diff --git a/tests/test_handlers.py b/tests/test_handlers.py
index 44db4af..c648f9b 100644
--- a/tests/test_handlers.py
+++ b/tests/test_handlers.py
@@ -398,8 +398,8 @@ async def test_base_api_list_filter_bad_request1(http_client, base_url, url_para
 assert data['result'] is None
 assert not data['success']
 assert len(data['errors']) == 1
- assert '<' in data['errors'][0]['detail']
- assert '>' in data['errors'][0]['detail']
+ assert 'lt;' in data['errors'][0]['detail']
+ assert 'gt;' in data['errors'][0]['detail']
 @pytest.mark.gen_test
From 37cd0d94e7e7460ca7e5e3153e7e5badfd987870 Mon Sep 17 00:00:00 2001
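Review bot: None of this patch's hunks adds an import for `xhtml_escape`, so unless tcrudge/handlers.py already has `from tornado.escape import xhtml_escape`, the new `'detail': xhtml_escape(str(e))` raises NameError at exactly the moment an error response is being assembled; the same applies to the `@@ -668`/`@@ -675`, `@@ -785` and `@@ -834` hunks. Separately, `detail` is a value inside the structured body built by `self.get_response(...)` (presumably serialized as JSON or msgpack), and HTML-escaping individual values inside that payload encodes for the wrong layer: API and plain-text consumers now receive literal `&lt;`/`&gt;`, while an HTML consumer must still escape at render time. If the concern is a browser interpreting the error body as HTML, the more robust mitigation is applied once at the response level — an explicit `Content-Type: application/json` plus `X-Content-Type-Options: nosniff` set where `get_response` is written out — rather than at each call site; I cannot see from these hunks whether the handler already sets them.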
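Review bot: The post() site alone binds `err = xhtml_escape(str(e))` before `raise HTTPError(` and consumes it in the `@@ -675` hunk, while the three sibling sites (`@@ -609`, `@@ -785`, `@@ -834`) inline the call in the `'detail'` entry; the four error paths should read identically. Either inline it here as well (`'detail': xhtml_escape(str(e))` in the `@@ -675` hunk and drop this added line) or hoist the escaping into `get_response` so no call site has to remember it. The `try`/`except` this line sits in starts outside the hunk.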
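Review bot: The updated assertions only look for the substrings `'lt;'` and `'gt;'`, which neither pin the entity form nor prove the raw characters are gone — `'lt;' in "result;"` is true, for example, and a detail string that still contains a raw `<` next to an `&lt;` would pass. Assert both sides of the property the commit claims: `assert '&lt;' in data['errors'][0]['detail']` and `assert '<' not in data['errors'][0]['detail']`, and the same pair for `&gt;`/`>`. The test function's head and the request that populates `data` are outside the hunk.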
From: =?UTF-8?q?=D0=A1=D0=B2=D0=B8=D1=80=D0=B8=D0=B4=D0=BE=D0=B2=20=D0=90?= =?UTF-8?q?=D0=BD=D0=B4=D1=80=D0=B5=D0=B9=20=D0=9E=D0=BB=D0=B5=D0=B3=D0=BE?= =?UTF-8?q?=D0=B2=D0=B8=D1=87?=
Date: Thu, 4 Oct 2018 17:40:35 +0300
Subject: [PATCH 2/2] added support to the latest peewee and peewee-async versions
---
 requirements.txt | 8 ++++----
 setup.py | 5 +++--
 tcrudge/handlers.py | 4 ++--
 tcrudge/models.py | 2 +-
 tcrudge/utils/schema.py | 6 +++---
 tests/test_handlers.py | 9 +++------
 6 files changed, 16 insertions(+), 18 deletions(-)
diff --git a/requirements.txt b/requirements.txt
index b8f5d7c..b654088 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,8 +1,8 @@
 # Core
-aiopg==0.10.0
-peewee==2.8.3
-peewee-async==0.5.5
-psycopg2==2.6.2
+aiopg==0.15.0
+peewee==3.7.0
+peewee-async==0.6.0a
+psycopg2==2.7.5
 tornado==4.4.2
 jsonschema==2.5.1
 msgpack-python==0.4.8
diff --git a/setup.py b/setup.py
index fb1a920..af03afc 100644
--- a/setup.py
+++ b/setup.py
@@ -16,8 +16,9 @@ def get_long_description(f):
 install_requires = [
- 'peewee>=2.8.3',
- 'peewee-async>=0.5.5',
+ 'aiopg==0.15.0'
+ 'peewee==3.7.0',
+ 'peewee-async>=0.6.0a',
 'tornado>=4.4.2',
 'jsonschema>=2.5.1',
 'msgpack-python>=0.4.8',
diff --git a/tcrudge/handlers.py b/tcrudge/handlers.py
index bc5619a..299d001 100644
--- a/tcrudge/handlers.py
+++ b/tcrudge/handlers.py
@@ -501,11 +501,11 @@ def qs_order_by(cls, qs, value, process_value=True):
 if ordr[0] == '-':
 # DESC order
 fld = getattr(cls.model_cls, ordr[1:])
- qs = qs.order_by(fld.desc(), extend=True)
+ qs = qs.order_by(fld.desc())
 else:
 # ASC order
 fld = getattr(cls.model_cls, ordr)
- qs = qs.order_by(fld, extend=True)
+ qs = qs.order_by(fld)
 return qs
 def get_queryset(self, paginate=True):
diff --git a/tcrudge/models.py b/tcrudge/models.py
index 5473a17..9794ec9 100644
--- a/tcrudge/models.py
+++ b/tcrudge/models.py
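Review bot: `'aiopg==0.15.0'` in install_requires has no trailing comma, so implicit string concatenation fuses the first two entries into the single requirement string `'aiopg==0.15.0peewee==3.7.0'`; setuptools/pip will treat that as one malformed specifier and neither aiopg nor peewee ends up declared correctly. Add the comma: `'aiopg==0.15.0',`. The exact `==` pins for aiopg and peewee are also out of step with the `>=` lower bounds used for every other entry in this list, and in a library's install_requires they block installation alongside anything needing a different patch release — consider `>=` bounds here and keep the exact pins in requirements.txt.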
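Review bot: Dropping `extend=True` changes the meaning of both order_by calls: in peewee 3 `order_by()` replaces any ordering already on the query, so if these lines run inside the loop over the requested order fields (the loop head is outside the hunk, but `ordr` and the `return qs` after it suggest one), every iteration overwrites the previous one and only the last field in `value` is actually applied, with no error. peewee 3 exposes the old append behaviour as `order_by_extend()`; use `qs = qs.order_by_extend(fld.desc())` and `qs = qs.order_by_extend(fld)`. A test that orders by two fields would have caught this.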
@@ -59,7 +59,7 @@ def to_schema(cls, excluded=None):
 if field not in excluded:
 schema.add_object(
 {
- field: type_field.get_column_type()
+ field: type_field.field_type
 }
 )
 if not type_field.null:
diff --git a/tcrudge/utils/schema.py b/tcrudge/utils/schema.py
index 2146936..b6d8feb 100644
--- a/tcrudge/utils/schema.py
+++ b/tcrudge/utils/schema.py
@@ -17,7 +17,7 @@
 }
 PEEWEE_TYPES = {
- 'SERIAL': [
+ 'AUTO': [
 {"type": "integer"},
 {"type": "string", "pattern": "^[+-]?[0-9]+$"},
 ],
@@ -27,11 +27,11 @@
 'BOOLEAN': 'boolean',
 'JSONB': 'object',
 'JSON': 'object',
- 'INTEGER': [
+ 'INT': [
 {"type": "integer"},
 {"type": "string", "pattern": "^[+-]?[0-9]+$"}
 ],
- 'REAL': [
+ 'FLOAT': [
 {"type": "number"},
 {"type": "string", "pattern": "^[+-]?([0-9]*[.])?[0-9]+$"}
 ],
diff --git a/tests/test_handlers.py b/tests/test_handlers.py
index c648f9b..bda7ec9 100644
--- a/tests/test_handlers.py
+++ b/tests/test_handlers.py
@@ -59,7 +59,7 @@ async def _delete(self, app):
 class ApiTestModelFK(BaseModel):
- tf_foreign_key = peewee.ForeignKeyField(ApiTestModel, related_name='rel_items')
+ tf_foreign_key = peewee.ForeignKeyField(ApiTestModel, backref='rel_items')
 class Meta:
 database = db
@@ -89,7 +89,7 @@ class ApiListTestHandlerPrefetch(ApiListHandler):
 async def serialize(self, m):
 result = await super(ApiListTestHandlerPrefetch, self).serialize(m)
 result['rel_items'] = []
- for prefetched_item in m.rel_items_prefetch:
+ for prefetched_item in m.rel_items:
 result['rel_items'].append(model_to_dict(prefetched_item, recurse=False))
 return result
@@ -280,10 +280,7 @@ async def test_base_api_list_head(http_client, base_url):
 ('tf_boolean=0', 1),
 ])
 async def test_base_api_list_filter(http_client, base_url, url_param, cnt, monkeypatch):
- monkeypatch.setattr(ApiListTestHandler, 'get_schema_input',
- {
-
- })
+ monkeypatch.setattr(ApiListTestHandler, 'get_schema_input', {})
 res = await http_client.fetch(base_url + '/test/api_test_model/?%s' % url_param)
 assert res.code == 200
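Review bot: The keys are being migrated to peewee 3's database-agnostic `Field.field_type` strings (`AUTO`, `INT`, `FLOAT`), but `'BOOLEAN': 'boolean'` in this hunk is left as is; in peewee 3 `BooleanField.field_type` is `'BOOL'` (`BOOLEAN` is the Postgres column type the driver maps it to), so once `tcrudge/models.py` looks fields up by `type_field.field_type` boolean fields will no longer match this entry and fall through to whatever the miss path does. Rename the key to `'BOOL': 'boolean'`, or keep both spellings while callers migrate. Since the map is now matched against peewee's type names rather than Postgres column types, the entries outside this hunk deserve the same check.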