Merge pull request #360 from CanDIG/hotfix/escape-path

daisieh · web-flow · commit 14d252bc74df · 2025-05-21T10:27:51.000-07:00
Hotfix: make sure that the queue_id is a uuid
diff --git a/htsget_server/beacon_operations.py b/htsget_server/beacon_operations.py
@@ -319,8 +319,11 @@ def add_to_queue(ingest_json):
 
 @app.route('/beacon/v2/result/<path:queue_id>')
 def get_full_result(queue_id):
+    uuid_match = re.match(r"^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$", queue_id)
+    if uuid_match is None:
+        return {"error": f"queue_id {queue_id} is not a UUID"}
     try:
-        results_path = os.path.join(SEARCH_PATH, "results", queue_id)
+        results_path = os.path.join(SEARCH_PATH, "results", uuid_match.group(0))
         with open(results_path) as f:
             json_data = json.load(f)
             # os.remove(results_path)
diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,4 @@
-Flask==3.1.0
+Flask==3.1.1
 Flask-Cors==5.0.0
 minio==7.2.12
 pysam==0.22.0
