H1: Encode gene_symbol in PanelApp OntologyBuilder cache key (panel_app_ontology.py) H2: Validate gene_symbol format before cached GeneDiseaseRelationshipView response H3: Remove dead urllib.parse.quote call whose result was never assigned (views_rest.py) M2: get_from_slug raises Http404 instead of unhandled DoesNotExist -> 500 M3: Validate forwarded ontology_service against OntologyService enum in autocomplete M4: Catch ValueError from OntologyService() in ontology_term_text -> 404 M5: Narrow bare except Exception to except ValueError in get_or_stub M6: Reject inputs >200 chars in OntologyIdNormalized.normalize
2133861 to 6bf46fd
Summary

Applies security hardening to the ontology app identified in SACGF/variantgrid_private#3824. All findings require an authenticated session; no unauthenticated exploit paths exist.

- H1 (panel_app_ontology.py): URL-encode gene_symbol in the PanelAppOntologyBuilder cache key
- H2 (views_rest.py): Validate gene_symbol format with regex before serving/caching GeneDiseaseRelationshipView
- H3 (views_rest.py): Remove dead urllib.parse.quote call whose result was never assigned; requests.get params encode automatically
- M2 (models/models_ontology.py): get_from_slug now raises Http404 instead of letting DoesNotExist propagate as a 500
- M3 (views_autocomplete.py): Validate forwarded ontology_service param against the OntologyService enum
- M4 (views.py): Catch ValueError from the OntologyService() constructor in ontology_term_text and raise Http404
- M5 (models/models_ontology.py): Narrow bare except Exception: to except ValueError: in get_or_stub
- M6 (models/models_ontology.py): Reject inputs over 200 chars in OntologyIdNormalized.normalize

Test plan

- /ontology/term/<valid_term>/gene-list/: confirm 200
- /ontology/term/INVALID_SLUG/gene-list/: confirm 404 (not 500)
- ? or / in the gene symbol: confirm 404
- Autocomplete with valid ontology_service: confirm filtered results
- Autocomplete with invalid ontology_service: confirm no crash
- ontology_term_text URL with invalid service name: confirm 404 (not 500)
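The pattern behind H1, H2, M2, M3/M4 and M6 is the same: validate or encode untrusted request input at the boundary, and turn lookup and parse failures into a 404 rather than an unhandled exception. The block below is an added illustration of that pattern and is not code from the variantgrid PR. It runs without Django: `NotFound` stands in for `Http404`, a dict stands in for the ORM table, and the gene-symbol regex, the `OntologyService` members, the cache-key prefix and the sample slug are all assumptions made for the example.

```python
import re
from enum import Enum
from urllib.parse import quote

# Added illustration of the hardening in the PR summary, written against a
# stand-in data model. The regex, enum members, key prefix and sample data are
# assumptions for this example, not variantgrid code.


class NotFound(Exception):
    """Stand-in for django.http.Http404 so the example runs without Django."""


# Assumed gene symbol shape: alphanumerics plus '-', '_' and '.', length-capped.
# An allow-list means '?', '/', whitespace and control characters never reach
# the cache key or the upstream request (H2).
GENE_SYMBOL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,49}$")
MAX_ONTOLOGY_ID_LEN = 200  # limit from M6


class OntologyService(str, Enum):
    """Assumed members; the real enum lives in the ontology app."""
    HPO = "HPO"
    OMIM = "OMIM"
    MONDO = "MONDO"


def is_valid_gene_symbol(gene_symbol: str) -> bool:
    return bool(GENE_SYMBOL_RE.match(gene_symbol))


def validate_gene_symbol(gene_symbol: str) -> str:
    """H2: reject before anything is served or cached."""
    if not is_valid_gene_symbol(gene_symbol):
        raise NotFound(f"invalid gene symbol: {gene_symbol!r}")
    return gene_symbol


def panel_app_cache_key(gene_symbol: str) -> str:
    """H1: percent-encode the symbol so no ':' '/' '?' or whitespace survives
    into the key. The encoded segment contains no delimiter characters, so the
    symbol-to-key mapping is injective and the key stays within the character
    set cache backends accept (memcached rejects whitespace and controls)."""
    return "panel_app_gene:" + quote(gene_symbol, safe="")


def normalize_ontology_id(text: str) -> str:
    """M6: length-cap before any normalizing work runs on the input."""
    if len(text) > MAX_ONTOLOGY_ID_LEN:
        raise ValueError(f"ontology id longer than {MAX_ONTOLOGY_ID_LEN} chars")
    return text.strip().upper()


def lookup_ontology_service(name: str) -> OntologyService:
    """M3/M4: the Enum constructor raises ValueError on an unknown name; map
    that to a 404 instead of letting it surface as a 500."""
    try:
        return OntologyService(name)
    except ValueError:
        raise NotFound(f"unknown ontology service: {name!r}") from None


# Constructed in-memory stand-in for the ORM table keyed by slug.
_TERMS_BY_SLUG = {"HP_0001250": {"name": "Seizure"}}


def get_from_slug(slug: str) -> dict:
    """M2: an unknown slug is a 404, not an unhandled lookup error."""
    try:
        return _TERMS_BY_SLUG[slug]
    except KeyError:  # stands in for Model.DoesNotExist
        raise NotFound(f"no term for slug {slug!r}") from None


def raises(fn, arg, exc_type) -> bool:
    """Helper for the checks below: True if fn(arg) raises exc_type."""
    try:
        fn(arg)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    print(panel_app_cache_key("BRCA1"), panel_app_cache_key("BRCA1/../x"))
    print(raises(validate_gene_symbol, "BRCA1?x=1", NotFound))
    print(raises(get_from_slug, "INVALID_SLUG", NotFound))
```

Note the ordering: `validate_gene_symbol` runs before the cache is consulted, so a rejected symbol is never written to the cache even as a negative entry, and the encoding in `panel_app_cache_key` is defence in depth rather than the only control. `lookup_ontology_service` catches only `ValueError`, mirroring M5: a bare `except Exception` would also swallow programming errors and database failures that should surface.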