Add sanitize nested lists and dictionaries

AddisonSchiller · AddisonSchiller · commit b776bc88b7da · 2017-11-17T11:13:11.000-05:00
diff --git a/tests/server/test_sanitize.py b/tests/server/test_sanitize.py
@@ -26,10 +26,36 @@ def test_fields_sanitized(self, sanitizer):
     def test_value_is_none(self, sanitizer):
         assert sanitizer.sanitize('great hair', None) is None
 
+    def test_key_is_none(self, sanitizer):
+        assert sanitizer.sanitize(None, 'best day ever') is 'best day ever'
+
     def test_sanitize_credit_card(self, sanitizer):
         assert sanitizer.sanitize('credit', '424242424242424') == self.MASK
+        # This string is not censored since it is out of the range of what it considers
+        # to be a credit card
         assert sanitizer.sanitize('credit', '4242424242424243333333') != self.MASK
 
+    def test_none_key_is_sanitized(self, sanitizer):
+        assert sanitizer.sanitize(None, '424242424242424') == self.MASK
+        # This string is not censored since it is out of the range of what it considers
+        # to be a credit card
+        assert sanitizer.sanitize(None, '4242424242424243333333') != self.MASK
+
+    def test_dataverse_secret(self, sanitizer):
+
+        # Named oddly because if you call it `dv_secret` it will get sanitized by a different
+        # part of the sanitizer
+        dv_value = 'aaaaaaaa-bbbb-bbbb-bbbb-cccccccccccc'
+        assert sanitizer.sanitize('dv_value', dv_value) == self.MASK
+
+        dv_value = 'random characters and other things  aaaaaaaa-bbbb-bbbb-bbbb-cccccccccccc'
+        expected = 'random characters and other things  ' + self.MASK
+        assert sanitizer.sanitize('dv_value', dv_value) == expected
+
+    def test_bytes(self, sanitizer):
+        assert sanitizer.sanitize(b'key', 'bossy yogurt') == self.MASK
+        assert sanitizer.sanitize(b'should_be_safe', 'snow science') == 'snow science'
+
     def test_sanitize_dictionary(self, sanitizer):
         value_dict = {
             'great_entry': 'very much not a secret or credit card'
@@ -44,7 +70,7 @@ def test_sanitize_dictionary(self, sanitizer):
             'key': 'secret',
             'okay_value': 'bears are awesome'
         }
-        result = result = sanitizer.sanitize('sanitize_dict', sanitize_dict)
+        result = sanitizer.sanitize('sanitize_dict', sanitize_dict)
 
         # Sanity check
         assert result != {
@@ -53,24 +79,118 @@ def test_sanitize_dictionary(self, sanitizer):
         }
 
         assert result == {
-            'key': '*' * 8,
+            'key': self.MASK,
             'okay_value': 'bears are awesome'
         }
 
-    def test_dataverse_secret(self, sanitizer):
-
-        # Named oddly because if you call it `dv_secret` it will get sanitized by a different
-        # part of the sanitizer
-        dv_value = 'aaaaaaaa-bbbb-bbbb-bbbb-cccccccccccc'
-        assert sanitizer.sanitize('dv_value', dv_value) == self.MASK
+    def test_nested_dictionary(self, sanitizer):
+        value_dict = {
+            'value': {
+                'other': 'words',
+                'key': 'this will be censored',
+                'secret': {
+                    'secret': {
+                        'secret': 'pie is great'
+                    }
+                },
+                'new': 'best'
+            }
+        }
 
-        dv_value = 'random characters and other things  aaaaaaaa-bbbb-bbbb-bbbb-cccccccccccc'
-        expected = 'random characters and other things  ' + self.MASK
-        assert sanitizer.sanitize('dv_value', dv_value) == expected
+        result = sanitizer.sanitize('value_dict', value_dict)
+        assert result == {
+            'value': {
+                'other': 'words',
+                'key': self.MASK,
+                'secret': self.MASK,
+                'new': 'best'
+            }
+        }
 
-    def test_bytes(self, sanitizer):
-        key = b'key'
-        assert sanitizer.sanitize(key, 'bossy yogurt') == self.MASK
+    def test_nested_dictionary_with_list(self, sanitizer):
+        value_dict = {
+            'value': {
+                'other': 'words',
+                'key': 'this will be censored',
+                'secret': {
+                    'value': ['bunch', 'of', 'semi', 'random', 'beige', 'run']
+
+                },
+                'not_hidden': {
+                    'list_of_dict': [
+                        {'value': 'value'},
+                        {'key': 'secret'}
+                    ]
+                },
+                'new': 'best'
+            }
+        }
+        result = sanitizer.sanitize('value_dict', value_dict)
+        assert result == {
+            'value': {
+                'other': 'words',
+                'key': self.MASK,
+                'secret': self.MASK,
+                'not_hidden': {
+                    'list_of_dict': [
+                        {'value': 'value'},
+                        {'key': self.MASK}
+                    ]
+                },
+                'new': 'best'
+            }
+        }
 
-        other_key = b'should_be_safe'
-        assert sanitizer.sanitize(other_key, 'snow science') == 'snow science'
+    def test_sanitize_list(self, sanitizer):
+        value_list = [
+            'blarg',
+            '10',
+            'key',
+            'aaaaaaaa-bbbb-bbbb-bbbb-cccccccccccc'
+        ]
+
+        result = sanitizer.sanitize('value_list', value_list)
+
+        assert result == [
+            'blarg',
+            '10',
+            'key',
+            self.MASK
+        ]
+
+    def test_sanitize_nested_lists(self, sanitizer):
+        value_list = [
+            [
+                'blarg',
+                '10',
+                'key',
+                'aaaaaaaa-bbbb-bbbb-bbbb-cccccccccccc'
+            ],
+            'blarg',
+            'aaaaaaaa-bbbb-bbbb-bbbb-cccccccccccc',
+            [[[[[[[
+                ['check out this level of nested'], 'aaaaaaaa-bbbb-bbbb-bbbb-cccccccccccc'
+            ]]]]]]],
+            {
+                'key': 'red leaves',
+                'secret': [[[[[[[[]]]]]]]]
+            }
+        ]
+
+        result = sanitizer.sanitize('value_list', value_list)
+
+        assert result == [
+            [
+                'blarg',
+                '10',
+                'key',
+                self.MASK
+            ],
+            'blarg',
+            self.MASK,
+            [[[[[[[['check out this level of nested'], self.MASK]]]]]]],
+            {
+                'key': self.MASK,
+                'secret': self.MASK
+            }
+        ]
diff --git a/waterbutler/server/sanitize.py b/waterbutler/server/sanitize.py
@@ -34,6 +34,7 @@ class WBSanitizer(SanitizePasswordsProcessor):
 
     def sanitize(self, key, value):
         """Overload the sanitize function of the `SanitizePasswordsProcessor'."""
+
         if value is None:
             return
 
@@ -43,8 +44,14 @@ def sanitize(self, key, value):
 
         if isinstance(value, dict):
             for item in value:
-                if item in self.FIELDS:
-                    value[item] = self.MASK
+                value[item] = self.sanitize(item, value[item])
+
+        if isinstance(value, list):
+            new_list = []
+            for item in value:
+                new_list.append(self.sanitize(key, item))
+
+            value = new_list
 
         # Check for Dataverse secrets
         if isinstance(value, str):
@@ -53,12 +60,14 @@ def sanitize(self, key, value):
                 value = value.replace(match, self.MASK)
 
         # key can be a NoneType
+        # This sould be after the regex checks incase a `None` key is a token
         if not key:
             return value
 
         # Just in case we have bytes here, we want to turn them into text
         # properly without failing so we can perform our check.
         if isinstance(key, bytes):
+            # May want a try/except block around this, but for now it should be okay
             key = key.decode('utf-8', 'replace')
         else:
             key = str(key)
