Return error when unknown parameters are passed to API

pklimai · pklimai · commit 42d24b89610b · 2025-01-04T16:04:21.000+03:00
diff --git a/src/jvmMain/kotlin/Application.kt b/src/jvmMain/kotlin/Application.kt
@@ -277,7 +277,7 @@ fun Application.main() {
                     get("/${EVENT_ENTITY_API_NAME}") {
                         // no role checking here - any user allowed
                         val parameterBundle = ParameterBundle.buildFromCall(call, page)
-                        if (parameterBundle.hasInvalidParameters()) {
+                        if (parameterBundle.hasInvalidParameters(call, page)) {
                             call.respond(HttpStatusCode.BadRequest, "Invalid parameters detected in request")
                             return@get
                         }
@@ -329,7 +329,7 @@ fun Application.main() {
 
                     get("/${EVENT_COUNT_API_NAME}") {
                         val parameterBundle = ParameterBundle.buildFromCall(call, page)
-                        if (parameterBundle.hasInvalidParameters()) {
+                        if (parameterBundle.hasInvalidParameters(call, page)) {
                             call.respond(HttpStatusCode.BadRequest, "Invalid parameters detected in request")
                             return@get
                         }
diff --git a/src/jvmMain/kotlin/ParameterBundle.kt b/src/jvmMain/kotlin/ParameterBundle.kt
@@ -1,6 +1,7 @@
 package ru.mipt.npm.nica.ems
 
 import io.ktor.server.application.*
+import io.ktor.util.*
 
 class ParameterBundle(
     val period_number: Parameter?,
@@ -44,14 +45,41 @@ class ParameterBundle(
         }
     }
 
-    fun hasInvalidParameters(): Boolean {
-        if (period_number?.validParameter == false || run_number?.validParameter == false
-                // software_version TODO ?
-                || beam_particle?.validParameter == false || target_particle?.validParameter == false ||
-                energy?.validParameter == false || limit?.validParameter == false ||
-                offset?.validParameter == false) return true
+    fun hasInvalidParameters(call: ApplicationCall, page: PageConfig): Boolean {
+        // Note that parameter can be invalid either if its value is invalid (e.g. incorrect range),
+        // or if parameter name is just unknown
+
+        if (period_number?.validParameter == false ||
+            run_number?.validParameter == false ||
+            software_version?.validParameter == false ||
+            beam_particle?.validParameter == false ||
+            target_particle?.validParameter == false ||
+            energy?.validParameter == false ||
+            limit?.validParameter == false ||
+            offset?.validParameter == false
+        ) return true
+
         parametersSupplied.forEach { (_ /* name */, value) ->
-            if (value.validParameter == false) return true
+            if (!value.validParameter) return true
+        }
+
+        val allowedPageParameters =
+            page.parameters.map { it.name } +
+                    listOf(
+                        periodConfig.name,
+                        runConfig.name,
+                        softwareConfig.name,
+                        beamParticleConfig.name,
+                        targetParticleConfig.name,
+                        energyConfig.name,
+                        limitConfig.name,
+                        offsetConfig.name
+                    )
+
+        for (param in call.parameters.toMap().keys) {
+            if (param !in allowedPageParameters) {
+                return true
+            }
         }
         return false
     }
diff --git a/src/jvmTest/kotlin/TestREST.kt b/src/jvmTest/kotlin/TestREST.kt
@@ -405,11 +405,31 @@ class RestApiTest {
                 contentType(ContentType.Application.Json)
             }
             eventsArray = gson.fromJson(response.bodyAsText(), EventListRepr::class.java)
+            println(response.status)
+            println(response.bodyAsText())
             assert(event1 in eventsArray.events)
             assert(event1_mod_event_num in eventsArray.events)
             assertFalse(event2 in eventsArray.events)
             assertFalse(event3 in eventsArray.events)
 
+            println("************************************************************")
+            println("Doing incorrect filtering expression")
+            response = authenticatedClient().get("$BASE_URL/event?period_number=$PERIOD&run_number=$RUN&track_number=|") {
+                contentType(ContentType.Application.Json)
+            }
+            println(response.status)
+            println(response.bodyAsText())
+            assertEquals(response.status, HttpStatusCode.BadRequest)
+
+            println("************************************************************")
+            println("Doing filtering with unknown parameter")
+            response = authenticatedClient().get("$BASE_URL/event?period_number=$PERIOD&run_number=$RUN&unknown_param=90") {
+                contentType(ContentType.Application.Json)
+            }
+            println(response.status)
+            println(response.bodyAsText())
+            assertEquals(response.status, HttpStatusCode.BadRequest)
+
             println("************************************************************")
             println("Delete events")
             response = authenticatedClient().delete("$BASE_URL/event") {
