cal/major-domo-database
1
0
Fork 0
Code Issues 25 Pull Requests 25 Actions Packages Projects Releases Wiki Activity

Validate sort_by parameter against allowed field names in views.py #36

New Issue
Closed
opened 2026-02-20 06:51:00 +00:00 by cal · 1 comment
cal commented 2026-02-20 06:51:00 +00:00
Owner
Copy Link

app/routers_v3/views.py:27 — The sort_by parameter is passed to getattr(SeasonBattingStats, stat, ...). Any arbitrary string can be passed. Should be a Literal type of allowed stat column names.

Priority: medium | Labels: security, enhancement

`app/routers_v3/views.py:27` — The `sort_by` parameter is passed to `getattr(SeasonBattingStats, stat, ...)`. Any arbitrary string can be passed. Should be a `Literal` type of allowed stat column names. **Priority**: medium | **Labels**: security, enhancement
cal added the
ai-working
 label 2026-03-05 17:01:27 +00:00
cal removed the
ai-working
 label 2026-03-05 17:03:45 +00:00
cal commented 2026-03-05 17:03:49 +00:00
Author
Owner
Copy Link

Fixed in PR #44: #44

Changed sort_by: str to sort_by: Literal[...] in both get_season_batting_stats and get_season_pitching_stats. FastAPI will now reject arbitrary strings with a 422 before they reach the getattr call. Allowed values were derived directly from the column fields defined on SeasonBattingStats and SeasonPitchingStats in db_engine.py.

Fixed in PR #44: https://git.manticorum.com/cal/major-domo-database/pulls/44 Changed `sort_by: str` to `sort_by: Literal[...]` in both `get_season_batting_stats` and `get_season_pitching_stats`. FastAPI will now reject arbitrary strings with a 422 before they reach the `getattr` call. Allowed values were derived directly from the column fields defined on `SeasonBattingStats` and `SeasonPitchingStats` in `db_engine.py`.
cal added the
ai-pr-opened
 label 2026-03-05 17:03:52 +00:00
cal closed this issue 2026-03-10 18:26:21 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels   
ai-changes-requested

   
ai-pr-opened

   
ai-reviewed

   
ai-reviewing

   
ai-reviewing

   
ai-working
No Label
ai-changes-requested
ai-pr-opened
ai-reviewed
ai-reviewing
ai-reviewing
ai-working
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: cal/major-domo-database#36
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?