Security fixes for ontology app SACGF/variantgrid_private#3824

H1: Encode gene_symbol in PanelApp OntologyBuilder cache key (panel_app_ontology.py)
H2: Validate gene_symbol format before cached GeneDiseaseRelationshipView response
H3: Remove dead urllib.parse.quote call whose result was never assigned (views_rest.py)
M2: get_from_slug raises Http404 instead of unhandled DoesNotExist -> 500
M3: Validate forwarded ontology_service against OntologyService enum in autocomplete
M4: Catch ValueError from OntologyService() in ontology_term_text -> 404
M5: Narrow bare except Exception to except ValueError in get_or_stub
M6: Reject inputs >200 chars in OntologyIdNormalized.normalize

Author: davmlaw

ontology/models/models_ontology.py

@@ -16,6 +16,7 @@
 from django.contrib.postgres.fields import ArrayField
 from django.db import models, connection
 from django.db.models import PROTECT, CASCADE, QuerySet, Q, Max, TextChoices
+from django.http import Http404
 from django.urls import reverse
 from model_utils.models import TimeStampedModel, now
 from psqlextra.models import PostgresPartitionedModel
@@ -288,6 +289,8 @@ def num_part_safe(self) -> int:
 
     @staticmethod
     def normalize(dirty_id: str) -> 'OntologyIdNormalized':
+        if len(dirty_id) > 200:
+            raise ValueError(f"Input too long ({len(dirty_id)} chars) to normalize as an ontology ID")
         parts = re.split("[:|_]", dirty_id)
         if len(parts) != 2:
             raise ValueError(f"Can not convert {dirty_id} to a proper id")
@@ -431,7 +434,10 @@ def url_safe_id(self):
     @staticmethod
     def get_from_slug(slug_pk):
         pk = slug_pk.replace("_", ":")
-        return OntologyTerm.objects.get(pk=pk)
+        try:
+            return OntologyTerm.objects.get(pk=pk)
+        except OntologyTerm.DoesNotExist:
+            raise Http404
 
     @staticmethod
     def get_gene_symbol(gene_symbol: Union[str, GeneSymbol]) -> 'OntologyTerm':
@@ -507,7 +513,7 @@ def get_or_stub(id_str: Union[str, OntologyIdNormalized]) -> 'OntologyTerm':
                 return existing
             try:
                 index_num_part_value = normal_id.num_part
-            except Exception:
+            except ValueError:
                 index_num_part_value = normal_id.num_part_safe  # Ontologies like MedGen can have alpha characters in the "index", providing an index of 0 until we update the model
             return OntologyTerm(
                 id=normal_id.full_id,

ontology/panel_app_ontology.py

@@ -1,4 +1,5 @@
 import re
+import urllib.parse
 from collections import defaultdict
 from dataclasses import dataclass
 from datetime import timedelta
@@ -90,7 +91,7 @@ def is_empty_results(data: Any):
     try:
         hgnc_term = OntologyTerm.get_gene_symbol(gene_symbol)
         panel_app = PanelAppServer.australia_instance()
-        filename = panel_app.url + PANEL_APP_SEARCH_BY_GENES_BASE_PATH + gene_symbol
+        filename = panel_app.url + PANEL_APP_SEARCH_BY_GENES_BASE_PATH + urllib.parse.quote(gene_symbol, safe="")
         ontology_builder = OntologyBuilder(filename=filename, context=str(gene_symbol),
                                            import_source=OntologyImportSource.PANEL_APP_AU,
                                            processor_version=PANEL_APP_API_PROCESSOR_VERSION,

ontology/views.py

@@ -1,4 +1,5 @@
 from django.contrib import messages
+from django.http import Http404
 from django.shortcuts import get_object_or_404, redirect
 from django.views.generic import TemplateView
 
@@ -11,7 +12,10 @@
 
 def ontology_term_text(request, ontology_service, name):
     """ Occasionally we have service + name but not the ID - this is a way of building an URL for that """
-    ontology_service = OntologyService(ontology_service)  # Ensure valid
+    try:
+        ontology_service = OntologyService(ontology_service)
+    except ValueError:
+        raise Http404
     term = get_object_or_404(OntologyTerm, name=name, ontology_service=ontology_service)
     return redirect(term)
 

ontology/views_autocomplete.py

@@ -46,7 +46,13 @@ def get_user_queryset(self, user):
 class OntologyTermAutocompleteView(AbstractOntologyTermAutocompleteView):
     def _get_ontology_service(self):
         # Passed ontology_service in forward
-        return self.forwarded.get('ontology_service')
+        value = self.forwarded.get('ontology_service')
+        if value is None:
+            return None
+        try:
+            return OntologyService(value)
+        except ValueError:
+            return None
 
 
 @method_decorator(cache_page(HOUR_SECS), name='dispatch')

ontology/views_rest.py

@@ -1,5 +1,6 @@
-import urllib
+import re
 
+from django.http import Http404
 from django.utils.decorators import method_decorator
 from django.views.decorators.cache import cache_page
 from rest_framework.response import Response
@@ -14,14 +15,15 @@
 from ontology.ontology_matching import OntologyMatching
 from ontology.serializers import OntologyTermRelationSerializer
 
+_GENE_SYMBOL_RE = re.compile(r'^[A-Za-z0-9\-]+$')
+
 
 class SearchMondoText(APIView):
     def get(self, request, **kwargs) -> Response:
 
         search_term = request.GET.get('search_term') or ''
         gene_symbol = request.GET.get('gene_symbol')
 
-        urllib.parse.quote(search_term).replace('/', '%252F')  # a regular escape / gets confused for a URL divider
         selected = [term.strip() for term in (request.GET.get('selected') or '').split(",") if term.strip()]
 
         ontology_matches = OntologyMatching.from_search(search_text=search_term, gene_symbol=gene_symbol, selected=selected)
@@ -58,8 +60,11 @@ def get(self, request, *args, **kwargs):
 @method_decorator(cache_page(WEEK_SECS), name='get')
 class GeneDiseaseRelationshipView(APIView):
     def get(self, request, *args, **kwargs):
+        gene_symbol = self.kwargs['gene_symbol']
+        if not _GENE_SYMBOL_RE.match(gene_symbol):
+            raise Http404
         data = []
         ontology_version = OntologyVersion.latest()
-        for otr in ontology_version.gene_disease_relations(self.kwargs['gene_symbol'], quality_filter=ONTOLOGY_RELATIONSHIP_MEDIUM_QUALITY_FILTER):
+        for otr in ontology_version.gene_disease_relations(gene_symbol, quality_filter=ONTOLOGY_RELATIONSHIP_MEDIUM_QUALITY_FILTER):
             data.append(OntologyTermRelationSerializer(otr).data)
         return Response(data)