-
Improvement
-
Resolution: Unresolved
-
Normal
-
None
-
None
-
None
Currently we only check if some items are present in submitted JSON (see SANITY_CHECK_KEYS list at https://github.com/metabrainz/acousticbrainz-server/blob/master/db/data.py#L16-L30 and code that uses it). However it's easy to put any value into `lowlevel`, for example. There are two problems with this:
1. High-level extractor depends on values in keys defined there.
2. It's bad to accept arbitrary data (even if it's somewhat limited). See https://www.owasp.org/index.php/Don't_trust_user_input.
We know exactly what kind of output low-level extractor produces and submits to AcousticBrainz, so it shouldn't be a problem to make sure that structure and types are correct. We can use JSON Schema for this purpose.
- has related issue
-
AB-28
Sanity check incoming Tacos
-
- Open
-
Improve validation of low-level data submissions
-
-
Resolution: Unresolved
-
Normal
-
None
-
None
-
None
Currently we only check if some items are present in submitted JSON (see SANITY_CHECK_KEYS list at https://github.com/metabrainz/acousticbrainz-server/blob/master/db/data.py#L16-L30 and code that uses it). However it's easy to put any value into `lowlevel`, for example. There are two problems with this:
1. High-level extractor depends on values in keys defined there.
2. It's bad to accept arbitrary data (even if it's somewhat limited). See https://www.owasp.org/index.php/Don't_trust_user_input.
We know exactly what kind of output low-level extractor produces and submits to AcousticBrainz, so it shouldn't be a problem to make sure that structure and types are correct. We can use JSON Schema for this purpose.
- has related issue
-
AB-28
Sanity check incoming Tacos
-
- Open
-
-
Unassigned
-
Roman
- Votes:
-
0 Vote for this issue
- Watchers:
-
1 Start watching this issue
- Created:
- Updated:
| Version | Package |
|---|