Skip to content

Add validation of query parameter for server requests#1230

Draft
clarasb wants to merge 7 commits into
mainfrom
clarasb/1225-logs_unknown_query_parameters
Draft

Add validation of query parameter for server requests#1230
clarasb wants to merge 7 commits into
mainfrom
clarasb/1225-logs_unknown_query_parameters

Conversation

@clarasb

@clarasb clarasb commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Summary

This PR adds validation of allowed query parameters for requests to static routes and configures the /api/viewer route to reject unknown URL query parameters.
This prevents unrelated scanner requests such as ?rest_route=/wp/v2/users/ from being served as the Viewer index.html with 200 OK.

Testing

Run the server locally:

xcube --loglevel INFO serve -c examples\serve\demo\config.yml  

In other terminal run:

curl.exe http://localhost:8080/viewer/?rest_route=/wp/v2/users/ #Windows
curl http://localhost:8080/viewer/?rest_route=/wp/v2/users/ #Linux/macOS

Closes #1225.

Checklist:

  • Add unit tests and/or doctests in docstrings
  • Add docstrings and API docs for any new/modified user-facing classes and functions
  • New/modified features documented in docs/source/*
  • Changes documented in CHANGES.md
  • GitHub CI passes
  • Test coverage remains or increases (target 100%)

@clarasb clarasb changed the title Add validation of query parameter for static routes Add validation of query parameter for server requests Jul 8, 2026
@clarasb
clarasb marked this pull request as ready for review July 9, 2026 07:34
@clarasb
clarasb requested review from TonioF and forman July 9, 2026 07:58
@codecov

codecov Bot commented Jul 9, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 87.09677% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.60%. Comparing base (8b3dc66) to head (fa2983e).

Files with missing lines Patch % Lines
xcube/server/webservers/tornado.py 85.18% 4 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1230      +/-   ##
==========================================
- Coverage   89.61%   89.60%   -0.01%     
==========================================
  Files         280      280              
  Lines       21694    21724      +30     
==========================================
+ Hits        19440    19466      +26     
- Misses       2254     2258       +4     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@forman forman left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, but please consider my suggestions. We may have to discuss this further in more detail.

Comment thread CHANGES.md Outdated
def _assert_allowed_query_params(
request: tornado.httputil.HTTPServerRequest, allowed_query_params: Sequence[str]
):
unknown_query_params = set(request.query_arguments) - set(allowed_query_params)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Query parameters should be, afaik, not case-sensitive.

Comment thread xcube/server/api.py
Comment on lines +205 to +207
allowed_query_params: Optional names of query parameters allowed
for this static route. If given, other query parameters should
be rejected by web framework implementations.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So we only protect the routes that use this argument.

This is currently only /viewer. An routes of the form /viewer/.../...? What others routes like /datasets?
Suggestion: allowed_query_params can also be a bool. If True, it can have any query params (like it is now). if False, any query parameters are forbidden. The new default would False and we need to check, which other endpoints must be protected.

Co-authored-by: Norman Fomferra <norman.fomferra@brockmann-consult.de>
@clarasb
clarasb removed the request for review from TonioF July 9, 2026 10:13
@clarasb
clarasb marked this pull request as draft July 10, 2026 10:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Review handling of unknown query parameters on /api/viewer/

2 participants