fix: validate channel_id as UUID before querying in remove_self

ashnaaseth2325-oss · bjester · commit 6d791dfbbea7 · 2026-06-10T12:50:33.000-07:00
diff --git a/contentcuration/contentcuration/viewsets/user.py b/contentcuration/contentcuration/viewsets/user.py
@@ -51,7 +51,7 @@
 from contentcuration.viewsets.sync.constants import DELETED
 from contentcuration.viewsets.sync.constants import EDITOR_M2M
 from contentcuration.viewsets.sync.constants import VIEWER_M2M
-
+import uuid
 
 logger = logging.getLogger(__name__)
 
@@ -341,6 +341,10 @@ def remove_self(self, request, pk=None):
 
         if not channel_id:
             return HttpResponseBadRequest("Channel ID is required.")
+        try:
+            uuid.UUID(channel_id)
+        except ValueError:
+            return HttpResponseBadRequest("Invalid channel ID")
 
         try:
             channel = Channel.objects.get(id=channel_id)
