From f5c414656f38d7c5aa168b20d544c7fc0af1f940 Mon Sep 17 00:00:00 2001
From: Laurent LAPORTE <43534797+laurent-laporte-pro@users.noreply.github.com>
Date: Tue, 9 Jan 2024 13:41:35 +0100
Subject: [PATCH] fix(ci): avoid reflecting user-controlled data (SonarCloud issue) (#1886)

---
 antarest/study/web/study_data_blueprint.py | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/antarest/study/web/study_data_blueprint.py b/antarest/study/web/study_data_blueprint.py
index 440539a4ab..d45d4bb709 100644
--- a/antarest/study/web/study_data_blueprint.py
+++ b/antarest/study/web/study_data_blueprint.py
@@ -3,13 +3,14 @@
 from typing import Any, Dict, List, Optional, Sequence, Union, cast
 
 from fastapi import APIRouter, Body, Depends
-from fastapi.params import Body, Query
+from fastapi.params import Query
 from starlette.responses import RedirectResponse
 
 from antarest.core.config import Config
 from antarest.core.jwt import JWTUser
 from antarest.core.model import StudyPermissionType
 from antarest.core.requests import RequestParameters
+from antarest.core.utils.utils import sanitize_uuid
 from antarest.core.utils.web import APITag
 from antarest.login.auth import Auth
 from antarest.matrixstore.matrix_editor import MatrixEditInstruction
@@ -24,8 +25,8 @@
     RenewableClusterInput,
     RenewableClusterOutput,
 )
-from antarest.study.business.areas.st_storage_management import *
-from antarest.study.business.areas.thermal_management import *
+from antarest.study.business.areas.st_storage_management import *  # noqa
+from antarest.study.business.areas.thermal_management import *  # noqa
 from antarest.study.business.binding_constraint_management import (
     BindingConstraintPropertiesWithName,
     ConstraintTermDTO,
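Review bot: The `# noqa` appended to the two wildcard imports in the second hunk silences the linter rather than addressing what it flags; with `import *` the blueprint gives no visible origin for the names it uses, and the duplicate `Body` import dropped in the first hunk is exactly the kind of issue that star imports hide. Replacing each with an explicit `from antarest.study.business.areas.st_storage_management import (...)` list of the names this module actually references would keep the unused/undefined-name checks active. If the list is too long to maintain, narrowing the marker to `# noqa: F403` at least leaves other findings on those lines reportable.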
@@ -42,6 +43,7 @@
 from antarest.study.business.timeseries_config_management import TSFormFields
 from antarest.study.model import PatchArea, PatchCluster
 from antarest.study.service import StudyService
+from antarest.study.storage.rawstudy.model.filesystem.config.model import transform_name_to_id
 
 logger = logging.getLogger(__name__)
 
@@ -199,6 +201,8 @@ def delete_area(
         extra={"user": current_user.id},
     )
     params = RequestParameters(user=current_user)
+    uuid = sanitize_uuid(uuid)
+    area_id = transform_name_to_id(area_id)
     study_service.delete_area(uuid, area_id, params)
     return area_id
 
@@ -219,6 +223,8 @@ def delete_link(
         extra={"user": current_user.id},
     )
     params = RequestParameters(user=current_user)
+    area_from = transform_name_to_id(area_from)
+    area_to = transform_name_to_id(area_to)
     study_service.delete_link(uuid, area_from, area_to, params)
     return f"{area_from}%{area_to}"
 
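Review bot: In the delete_area hunk, `uuid` and `area_id` are normalized only after the preceding `logger.info(..., extra={"user": current_user.id})` call has already run, so the log record (its message line is above the hunk and not visible here) presumably still carries the raw request values while the service call and the returned `area_id` see the sanitized ones. Moving `uuid = sanitize_uuid(uuid)` and `area_id = transform_name_to_id(area_id)` above the logging call would make the log, the service call and the response agree on what was deleted; the same ordering applies to the delete_link hunk below. delete_area's signature and the start of its body are outside the hunk.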
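Review bot: In the delete_link hunk, `uuid` is passed to `study_service.delete_link` without the `sanitize_uuid(uuid)` step that the delete_area hunk adds directly above, so the two endpoints now treat the study identifier differently. Unless delete_link's `uuid` is already validated elsewhere (not visible here), add `uuid = sanitize_uuid(uuid)` next to the two `transform_name_to_id` calls so the identifier reaches the service in the same normalized form in both handlers. delete_link's signature is outside the hunk.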