validate that callback request "outputs" field matches callback

Author: alexcjohnson

dash/_validate.py

@@ -111,6 +111,26 @@ def validate_id_string(arg):
         )
 
 
+def validate_output_spec(output, output_spec, Output):
+    """
+    This validation is for security and internal debugging, not for users,
+    so the messages are not intended to be clear.
+    `output` comes from the callback definition, `output_spec` from the request.
+    """
+    if not isinstance(output, (list, tuple)):
+        output, output_spec = [output], [output_spec]
+    elif len(output) != len(output_spec):
+        raise exceptions.CallbackException("Wrong length output_spec")
+
+    for outi, speci in zip(output, output_spec):
+        speci_list = speci if isinstance(speci, (list, tuple)) else [speci]
+        for specij in speci_list:
+            if Output(specij["id"], specij["property"]) != outi:
+                raise exceptions.CallbackException(
+                    "Output does not match callback definition"
+                )
+
+
 def validate_multi_return(outputs_list, output_value, callback_id):
     if not isinstance(output_value, (list, tuple)):
         raise exceptions.InvalidCallbackReturnValue(

dash/dash.py

@@ -27,7 +27,7 @@
 
 from .fingerprint import build_fingerprint, check_fingerprint
 from .resources import Scripts, Css
-from .dependencies import handle_callback_args
+from .dependencies import handle_callback_args, Output
 from .development.base_component import ComponentRegistry
 from .exceptions import PreventUpdate, InvalidResourceError, ProxyError
 from .version import __version__
@@ -1004,6 +1004,7 @@ def wrap_func(func):
             @wraps(func)
             def add_context(*args, **kwargs):
                 output_spec = kwargs.pop("outputs_list")
+                _validate.validate_output_spec(output, output_spec, Output)
 
                 # don't touch the comment on the next line - used by debugger
                 output_value = func(*args, **kwargs)  # %% callback invoked %%

tests/integration/callbacks/test_malformed_request.py

@@ -0,0 +1,59 @@
+import requests
+
+
+import dash_core_components as dcc
+import dash_html_components as html
+import dash
+from dash.dependencies import Input, Output
+
+
+def test_cbmf001_bad_output_outputs(dash_thread_server):
+    app = dash.Dash(__name__)
+    app.layout = html.Div(
+        [
+            dcc.Input(id="i", value="initial value"),
+            html.Div(html.Div([1.5, None, "string", html.Div(id="o1")])),
+        ]
+    )
+
+    @app.callback(Output("o1", "children"), [Input("i", "value")])
+    def update_output(value):
+        return value
+
+    dash_thread_server(app)
+
+    # first a good request
+    response = requests.post(
+        dash_thread_server.url + "/_dash-update-component",
+        json=dict(
+            output="o1.children",
+            outputs={"id": "o1", "property": "children"},
+            inputs=[{"id": "i", "property": "value", "value": 9}],
+            changedPropIds=["i.value"],
+        ),
+    )
+    assert response.status_code == 200
+    assert '"o1": {"children": 9}' in response.text
+
+    # now some bad ones
+    outspecs = [
+        {"output": "o1.nope", "outputs": {"id": "o1", "property": "nope"}},
+        {"output": "o1.children", "outputs": {"id": "o1", "property": "nope"}},
+        {"output": "o1.nope", "outputs": {"id": "o1", "property": "children"}},
+        {"output": "o1.children", "outputs": {"id": "nope", "property": "children"}},
+        {"output": "nope.children", "outputs": {"id": "nope", "property": "children"}},
+    ]
+    for outspeci in outspecs:
+        response = requests.post(
+            dash_thread_server.url + "/_dash-update-component",
+            json=dict(
+                inputs=[{"id": "i", "property": "value", "value": 9}],
+                changedPropIds=["i.value"],
+                **outspeci
+            ),
+        )
+        assert response.status_code == 500
+        assert "o1" not in response.text
+        assert "children" not in response.text
+        assert "nope" not in response.text
+        assert "500 Internal Server Error" in response.text