#681 validate name_format query parameter with regexp to prevent mali… (#682)

vktimofeev · web-flow · commit fb9a2f8cd6e8 · 2025-08-27T18:05:54.000+02:00
* #681 validate name_format query parameter with regexp to prevent malicious code injection * #681 typo corrected and ASCII quotes replaced with Unicode glyphs
diff --git a/gramps_webapi/api/resources/base.py b/gramps_webapi/api/resources/base.py
@@ -37,7 +37,7 @@
 from gramps_webapi.types import ResponseReturnValue
 
 from ...auth.const import PERM_ADD_OBJ, PERM_DEL_OBJ, PERM_EDIT_OBJ
-from ...const import GRAMPS_OBJECT_PLURAL
+from ...const import GRAMPS_OBJECT_PLURAL, NAME_FORMAT_REGEXP
 from ..auth import require_permissions
 from ..cache import request_cache_decorator
 from ..search import SearchIndexer, get_search_indexer
@@ -210,7 +210,7 @@ class GrampsObjectResource(GrampsObjectResourceHelper, Resource):
             "locale": fields.Str(
                 load_default=None, validate=validate.Length(min=1, max=5)
             ),
-            "name_format": fields.Str(validate=validate.Length(min=1)),
+            "name_format": fields.Str(validate=validate.Regexp(NAME_FORMAT_REGEXP)),
             "profile": fields.DelimitedList(
                 fields.Str(validate=validate.Length(min=1)),
                 validate=validate.ContainsOnly(
@@ -377,7 +377,7 @@ class GrampsObjectsResource(GrampsObjectResourceHelper, Resource):
             "soundex": fields.Boolean(load_default=False),
             "strip": fields.Boolean(load_default=False),
             "filemissing": fields.Boolean(load_default=False),
-            "name_format": fields.Str(validate=validate.Length(min=1)),
+            "name_format": fields.Str(validate=validate.Regexp(NAME_FORMAT_REGEXP)),
         },
         location="query",
     )
diff --git a/gramps_webapi/api/resources/timeline.py b/gramps_webapi/api/resources/timeline.py
@@ -43,6 +43,7 @@
 from . import ProtectedResource
 from .emit import GrampsJSONEncoder
 from .filters import apply_filter
+from ...const import NAME_FORMAT_REGEXP
 from .util import (
     get_person_profile_for_object,
     get_place_profile_for_object,
@@ -540,7 +541,7 @@ class PersonTimelineResource(ProtectedResource, GrampsJSONEncoder):
             "keys": fields.DelimitedList(fields.Str(validate=validate.Length(min=1))),
             "last": fields.Boolean(load_default=True),
             "locale": fields.Str(load_default=None),
-            "name_format": fields.Str(validate=validate.Length(min=1)),
+            "name_format": fields.Str(validate=validate.Regexp(NAME_FORMAT_REGEXP)),
             "offspring": fields.Integer(
                 load_default=1, validate=validate.Range(min=1, max=5)
             ),
@@ -633,7 +634,7 @@ class FamilyTimelineResource(ProtectedResource, GrampsJSONEncoder):
             "events": fields.DelimitedList(fields.Str(validate=validate.Length(min=1))),
             "keys": fields.DelimitedList(fields.Str(validate=validate.Length(min=1))),
             "locale": fields.Str(load_default=None),
-            "name_format": fields.Str(validate=validate.Length(min=1)),
+            "name_format": fields.Str(validate=validate.Regexp(NAME_FORMAT_REGEXP)),
             "page": fields.Integer(load_default=0, validate=validate.Range(min=1)),
             "pagesize": fields.Integer(load_default=20, validate=validate.Range(min=1)),
             "ratings": fields.Boolean(load_default=False),
diff --git a/gramps_webapi/const.py b/gramps_webapi/const.py
@@ -200,3 +200,6 @@
 TELEMETRY_ENDPOINT = "https://telemetry-cloud-run-442080026669.europe-west1.run.app"
 TELEMETRY_TIMESTAMP_KEY = "telemetry_last_sent"
 TELEMETRY_SERVER_ID_KEY = "telemetry_server_uuid"
+
+# Regular expression for allowed values of the `name_format` query parameter.
+NAME_FORMAT_REGEXP = r"^(%[%tTfFlLcCxXiImMyYoOrRpPqQsSnNgG]|%[0-2][mMyY]|[ \u0022\u0027,.:;\]\[\(\)\{\}\&\@])*$"
diff --git a/tests/test_endpoints/test_events.py b/tests/test_endpoints/test_events.py
@@ -782,7 +782,7 @@ def test_get_events_handle_parameter_profile_expected_result_with_name_format(se
         """Test response as expected."""
         rv = check_success(
             self,
-            TEST_URL + "a5af0eb6dd140de132c?profile=all&name_format=Given%20SURNAME",
+            TEST_URL + "a5af0eb6dd140de132c?profile=all&name_format=%25f%20%25M",
         )
         self.assertEqual(
             rv["profile"],
diff --git a/tests/test_endpoints/test_people.py b/tests/test_endpoints/test_people.py
@@ -1290,7 +1290,7 @@ def test_get_people_handle_parameter_name_format_expected_result_name_display(se
         rv = check_success(
             self,
             TEST_URL
-            + "0PWJQCZYFXOS0HGREE?profile=all&name_format=Given%20%28Common%29%20SURNAME",
+            + "0PWJQCZYFXOS0HGREE?profile=all&name_format=%25f%20%28%25x%29%20%25M",
         )
         self.assertEqual(
             rv["profile"]["name_display"], "Mary Grace Elizabeth (Mary) WARNER"

Original file line number	Diff line number	Diff line change
`@@ -782,7 +782,7 @@ def test_get_events_handle_parameter_profile_expected_result_with_name_format(se`
`782`	`782`	`"""Test response as expected."""`
`783`	`783`	`rv = check_success(`
`784`	`784`	`self,`
`785`		`- TEST_URL + "a5af0eb6dd140de132c?profile=all&name_format=Given%20SURNAME",`
	`785`	`+ TEST_URL + "a5af0eb6dd140de132c?profile=all&name_format=%25f%20%25M",`
`786`	`786`	`)`
`787`	`787`	`self.assertEqual(`
`788`	`788`	`rv["profile"],`
Original file line number	Diff line number	Diff line change
`@@ -1290,7 +1290,7 @@ def test_get_people_handle_parameter_name_format_expected_result_name_display(se`
`1290`	`1290`	`rv = check_success(`
`1291`	`1291`	`self,`
`1292`	`1292`	`TEST_URL`
`1293`		`- + "0PWJQCZYFXOS0HGREE?profile=all&name_format=Given%20%28Common%29%20SURNAME",`
	`1293`	`+ + "0PWJQCZYFXOS0HGREE?profile=all&name_format=%25f%20%28%25x%29%20%25M",`
`1294`	`1294`	`)`
`1295`	`1295`	`self.assertEqual(`
`1296`	`1296`	`rv["profile"]["name_display"], "Mary Grace Elizabeth (Mary) WARNER"`