2768 linkrowfieldtype string values validation

2025-04-17 18:32:35 +00:00 · 2024-10-14 10:51:48 +00:00 · 2024-10-14 10:51:48 +00:00 · 98fb008f64
commit 98fb008f64
parent 56f16dd66e
4 changed files with 71 additions and 4 deletions
--- a/backend/src/baserow/contrib/database/fields/field_types.py
+++ b/backend/src/baserow/contrib/database/fields/field_types.py
@ -4,7 +4,7 @@ from abc import ABC, abstractmethod
 from collections import defaultdict
 from copy import deepcopy
 from datetime import date, datetime, timedelta, timezone
-from decimal import Decimal
+from decimal import Decimal, InvalidOperation
 from itertools import cycle
 from random import randint, randrange, sample
 from typing import TYPE_CHECKING, Any, Callable, Dict, List, Optional, Set, Tuple, Union
@ -529,7 +529,13 @@ class NumberFieldType(FieldType):

    def prepare_value_for_db(self, instance, value):
        if value is not None:
-            value = Decimal(value)
+            try:
+                value = Decimal(value)
+            except InvalidOperation:
+                raise ValidationError(
+                    f"The value for field {instance.id} is not a valid number",
+                    code="invalid",
+                )

        if value is not None and not instance.number_negative and value < 0:
            raise ValidationError(
@ -674,8 +680,14 @@ class RatingFieldType(FieldType):
        if not value:
            return 0

-        # Ensure the value is an int
-        value = int(value)
+        try:
+            # Ensure the value is an int
+            value = int(value)
+        except (ValueError, TypeError):
+            raise ValidationError(
+                f"The value for field {instance.id} is not a valid number",
+                code="invalid",
+            )

        if value < 0:
            raise ValidationError(
@ -5621,6 +5633,19 @@ class MultipleCollaboratorsFieldType(
        )

    def prepare_value_for_db(self, instance, value):
+        if not isinstance(
+            value,
+            (
+                list,
+                set,
+                tuple,
+            ),
+        ) or not all([isinstance(v, dict) for v in value]):
+            raise ValidationError(
+                f"The value for field {instance.id} is not a valid list of dictionaries",
+                code="invalid",
+            )
+
        if value is None:
            return []

--- a/backend/src/baserow/contrib/database/fields/registries.py
+++ b/backend/src/baserow/contrib/database/fields/registries.py
@ -195,6 +195,10 @@ class FieldType(
        returned value will be used. It is also possible to raise validation errors if
        the value is incorrect.

+        Note that a LinkRowFieldType may call this method internally with any value.
+        Field type should validate value's type and contents here and raise a proper
+        ValidationError.
+
        :param instance: The field instance.
        :param value: The value that needs to be inserted or updated.
        :return: The modified value that is going to be saved in the database.
--- a/backend/tests/baserow/contrib/database/field/test_field_types.py
+++ b/backend/tests/baserow/contrib/database/field/test_field_types.py
@ -874,3 +874,34 @@ def test_tsv_not_created(data_fixture):
        DeferredForeignKeyUpdater(),
    )
    assert text_field_imported.tsvector_column_created is False
+
+
+@pytest.mark.django_db
+@pytest.mark.field_link_row
+def test_field_type_prepare_db_value_with_invalid_values(data_fixture):
+    user = data_fixture.create_user()
+    database = data_fixture.create_database_application(user=user, name="Placeholder")
+    table = data_fixture.create_database_table(name="Example", database=database)
+    field_handler = FieldHandler()
+    # those fields require additional configuration or accept any text
+    # so they are not suitable for this test
+    excluded = ["ai", "text", "long_text", "boolean", "link_row", "password"]
+
+    test_payload = "invalid---"
+
+    for field_type in [
+        f
+        for f in field_type_registry.get_all()
+        if not f.read_only and f.type not in excluded
+    ]:
+        field_type_name = field_type.type
+        field_name = f"Field {field_type_name}"
+        field = field_handler.create_field(
+            user=user,
+            table=table,
+            type_name=field_type.type,
+            name=field_name,
+        )
+
+        with pytest.raises(ValidationError):
+            field_type.prepare_value_for_db(field, test_payload)
--- a/changelog/entries/unreleased/bug/2768_fieldtypeprepare_db_value_validates_arbitrary_values_in_fiel.json
+++ b/changelog/entries/unreleased/bug/2768_fieldtypeprepare_db_value_validates_arbitrary_values_in_fiel.json
@ -0,0 +1,7 @@
+{
+    "type": "bug",
+    "message": "FieldType.prepare_db_value validates arbitrary values in fields",
+    "issue_number": 2768,
+    "bullet_points": [],
+    "created_at": "2024-10-11"
+}