Merge branch 'master' into pr-osparc-long-running-redis-cleanup

Author: GitHK

.github/workflows/ci-testing-deploy.yml

@@ -1810,7 +1810,7 @@ jobs:
         with:
           python-version: ${{ matrix.python }}
           cache-dependency-glob: "**/e2e/requirements/requirements.txt"
-      - uses: actions/setup-node@v5.0.0
+      - uses: actions/setup-node@v6.0.0
         with:
           node-version: ${{ matrix.node }}
           cache: "npm"

.github/workflows/codeql-analysis.yml

@@ -29,10 +29,10 @@ jobs:
         uses: actions/checkout@v5
 
       - name: Initialize CodeQL tools for scanning
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql/codeql-config.yml
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4

packages/models-library/VERSION

@@ -1 +1 @@
-0.2.0
+0.3.0

packages/models-library/setup.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.2.0
+current_version = 0.3.0
 commit = True
 message = packages/models-library version: {current_version} → {new_version}
 tag = False
@@ -16,10 +16,10 @@ test = pytest
 [tool:pytest]
 asyncio_mode = auto
 asyncio_default_fixture_loop_scope = function
-markers =
+markers = 
 	diagnostics: "can be used to run diagnostics against deployed data (e.g. database, registry etc)"
 	testit: "marks test to run during development"
 
 [mypy]
-plugins =
+plugins = 
 	pydantic.mypy

packages/models-library/src/models_library/api_schemas_webserver/folders_v2.py

@@ -1,10 +1,10 @@
 from datetime import datetime
 from typing import Annotated, Self
 
+from models_library.string_types import DisplaySafeStr
 from pydantic import ConfigDict, Field, field_validator
 
 from ..access_rights import AccessRights
-from ..basic_types import IDStr
 from ..folders import FolderDB, FolderID
 from ..groups import GroupID
 from ..utils.common_validators import null_or_none_str_to_none_validator
@@ -53,7 +53,7 @@ def from_domain_model(
 
 
 class FolderCreateBodyParams(InputSchema):
-    name: IDStr
+    name: DisplaySafeStr
     parent_folder_id: FolderID | None = None
     workspace_id: WorkspaceID | None = None
     model_config = ConfigDict(extra="forbid")
@@ -68,7 +68,7 @@ class FolderCreateBodyParams(InputSchema):
 
 
 class FolderReplaceBodyParams(InputSchema):
-    name: IDStr
+    name: DisplaySafeStr
     parent_folder_id: FolderID | None = None
     model_config = ConfigDict(extra="forbid")
 

packages/models-library/src/models_library/api_schemas_webserver/groups.py

@@ -3,6 +3,7 @@
 
 from common_library.basic_types import DEFAULT_FACTORY
 from common_library.dict_tools import remap_keys
+from models_library.string_types import DescriptionSafeStr, NameSafeStr
 from pydantic import (
     AnyHttpUrl,
     AnyUrl,
@@ -27,7 +28,7 @@
     StandardGroupCreate,
     StandardGroupUpdate,
 )
-from ..users import UserID, UserNameID
+from ..users import UserID, UserNameID, UserNameSafeID
 from ..utils.common_validators import create__check_only_one_is_set__root_validator
 from ._base import InputSchema, OutputSchema, OutputSchemaWithoutCamelCase
 
@@ -155,8 +156,8 @@ def _update_json_schema_extra(schema: JsonDict) -> None:
 
 
 class GroupCreate(InputSchema):
-    label: str
-    description: str
+    label: NameSafeStr
+    description: DescriptionSafeStr
     thumbnail: AnyUrl | None = None
 
     def to_domain_model(self) -> StandardGroupCreate:
@@ -173,8 +174,8 @@ def to_domain_model(self) -> StandardGroupCreate:
 
 
 class GroupUpdate(InputSchema):
-    label: str | None = None
-    description: str | None = None
+    label: NameSafeStr | None = None
+    description: DescriptionSafeStr | None = None
     thumbnail: AnyUrl | None = None
 
     def to_domain_model(self) -> StandardGroupUpdate:
@@ -373,7 +374,7 @@ class GroupUserAdd(InputSchema):
     """
 
     uid: UserID | None = None
-    user_name: Annotated[UserNameID | None, Field(alias="userName")] = None
+    user_name: Annotated[UserNameSafeID | None, Field(alias="userName")] = None
     email: Annotated[
         LowerCaseEmailStr | None,
         Field(

packages/models-library/src/models_library/api_schemas_webserver/projects.py

@@ -22,7 +22,6 @@
 from pydantic.config import JsonDict
 
 from ..api_schemas_long_running_tasks.tasks import TaskGet
-from ..basic_types import LongTruncatedStr, ShortTruncatedStr
 from ..emails import LowerCaseEmailStr
 from ..folders import FolderID
 from ..groups import GroupID
@@ -41,6 +40,7 @@
     ProjectShareStatus,
     ProjectStateRunningState,
 )
+from ..string_types import LongTruncatedStr, ShortTruncatedStr
 from ..utils._original_fastapi_encoders import jsonable_encoder
 from ..utils.common_validators import (
     empty_str_to_none_pre_validator,

packages/models-library/src/models_library/api_schemas_webserver/users.py

@@ -1,7 +1,7 @@
 import re
 from datetime import date, datetime
 from enum import Enum
-from typing import Annotated, Any, Literal, Self, TypeAlias
+from typing import Annotated, Any, Literal, Self
 
 import annotated_types
 from common_library.basic_types import DEFAULT_FACTORY
@@ -11,11 +11,11 @@
 from models_library.rest_filters import Filters
 from models_library.rest_pagination import PageQueryParameters
 from pydantic import (
+    AfterValidator,
     BaseModel,
     ConfigDict,
     EmailStr,
     Field,
-    StringConstraints,
     ValidationInfo,
     field_validator,
     model_validator,
@@ -27,12 +27,18 @@
 from ..groups import AccessRightsDict, Group, GroupID, GroupsByTypeTuple, PrimaryGroupID
 from ..products import ProductName
 from ..rest_base import RequestParameters
+from ..string_types import (
+    GlobPatternSafeStr,
+    SearchPatternSafeStr,
+    validate_input_xss_safety,
+)
 from ..users import (
     FirstNameStr,
     LastNameStr,
     MyProfile,
     UserID,
     UserNameID,
+    UserNameSafeID,
     UserPermission,
     UserThirdPartyToken,
 )
@@ -201,10 +207,21 @@ def from_domain_model(
         )
 
 
+FirstNameSafeStr = Annotated[
+    FirstNameStr,
+    AfterValidator(validate_input_xss_safety),
+]
+
+LastNameSafeStr = Annotated[
+    LastNameStr,
+    AfterValidator(validate_input_xss_safety),
+]
+
+
 class MyProfileRestPatch(InputSchemaWithoutCamelCase):
-    first_name: FirstNameStr | None = None
-    last_name: LastNameStr | None = None
-    user_name: Annotated[IDStr | None, Field(alias="userName", min_length=4)] = None
+    first_name: FirstNameSafeStr | None = None
+    last_name: LastNameSafeStr | None = None
+    user_name: Annotated[UserNameSafeID | None, Field(alias="userName")] = None
     # NOTE: phone is updated via a dedicated endpoint!
 
     privacy: MyProfilePrivacyPatch | None = None
@@ -262,8 +279,7 @@ class UsersGetParams(RequestParameters):
 
 class UsersSearch(InputSchema):
     match_: Annotated[
-        str,
-        StringConstraints(strip_whitespace=True, min_length=1, max_length=80),
+        SearchPatternSafeStr,
         Field(
             description="Search string to match with usernames and public profiles (e.g. emails, first/last name)",
             alias="match",
@@ -314,17 +330,9 @@ class UserAccountReject(InputSchema):
     email: EmailStr
 
 
-GlobString: TypeAlias = Annotated[
-    str,
-    StringConstraints(
-        min_length=3, max_length=200, strip_whitespace=True, pattern=r"^[^%]*$"
-    ),
-]
-
-
 class UserAccountSearchQueryParams(RequestParameters):
     email: Annotated[
-        GlobString | None,
+        GlobPatternSafeStr | None,
         Field(
             description="complete or glob pattern for an email",
         ),
@@ -336,7 +344,7 @@ class UserAccountSearchQueryParams(RequestParameters):
         ),
     ] = None
     user_name: Annotated[
-        GlobString | None,
+        GlobPatternSafeStr | None,
         Field(
             description="complete or glob pattern for a username",
         ),

packages/models-library/src/models_library/basic_types.py

@@ -14,7 +14,6 @@
     SIMPLE_VERSION_RE,
     UUID_RE,
 )
-from .utils.common_validators import trim_string_before
 
 assert issubclass(LogLevel, Enum)  # nosec
 assert issubclass(BootModeEnum, Enum)  # nosec
@@ -151,38 +150,6 @@ def concatenate(*args: "IDStr", link_char: str = " ") -> "IDStr":
         return IDStr(result)
 
 
-_SHORT_TRUNCATED_STR_MAX_LENGTH: Final[int] = 600
-ShortTruncatedStr: TypeAlias = Annotated[
-    str,
-    StringConstraints(strip_whitespace=True),
-    trim_string_before(max_length=_SHORT_TRUNCATED_STR_MAX_LENGTH),
-    annotated_types.doc(
-        """
-        A truncated string used to input e.g. titles or display names.
-        Strips whitespaces and truncate strings that exceed the specified characters limit (curtail_length).
-        Ensures that the **input** data length to the API is controlled and prevents exceeding large inputs silently,
-        i.e. without raising errors.
-        """
-        # SEE https://github.com/ITISFoundation/osparc-simcore/pull/5989#discussion_r1650506583
-    ),
-]
-
-_LONG_TRUNCATED_STR_MAX_LENGTH: Final[int] = 65536  # same as github description
-LongTruncatedStr: TypeAlias = Annotated[
-    str,
-    StringConstraints(strip_whitespace=True),
-    trim_string_before(max_length=_LONG_TRUNCATED_STR_MAX_LENGTH),
-    annotated_types.doc(
-        """
-        A truncated string used to input e.g. descriptions or summaries.
-        Strips whitespaces and truncate strings that exceed the specified characters limit (curtail_length).
-        Ensures that the **input** data length to the API is controlled and prevents exceeding large inputs silently,
-        i.e. without raising errors.
-        """
-    ),
-]
-
-
 # auto-incremented primary-key IDs
 IdInt: TypeAlias = PositiveInt
 PrimaryKeyInt: TypeAlias = PositiveInt