FWF-4209: [Bugfix] Handle formio keyword in path validation

AOT-Technologies · Jan 20, 2025 · dfd0725 · dfd0725
1 parent 7d3fdb8
commit dfd0725
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 0 deletions.
diff --git a/forms-flow-api/src/formsflow_api/constants/__init__.py b/forms-flow-api/src/formsflow_api/constants/__init__.py
@@ -127,6 +127,10 @@ class BusinessErrorCode(ErrorCodeMixin, Enum):
         "Invalid response received from admin service",
         HTTPStatus.BAD_REQUEST,
     )
+    INVALID_PATH = (
+        "The path must not contain: exists, export, role, current, logout, import, form, access, token, recaptcha or end with submission/action.",  # pylint: disable=line-too-long
+        HTTPStatus.BAD_REQUEST,
+    )
 
     def __new__(cls, message, status_code):
         """Constructor."""

diff --git a/forms-flow-api/src/formsflow_api/services/form_process_mapper.py b/forms-flow-api/src/formsflow_api/services/form_process_mapper.py
@@ -756,6 +756,8 @@ def validate_title_name_path(cls, title: str, path: str, name: str):
             "name": "Name: Only contain alphanumeric characters, hyphens(not at the start or end), no spaces,"
             "and must include at least one letter.",
         }
+        # Validate path has reserved keywords
+        FormProcessMapperService.vaidate_path(path)
 
         # Validate title
         if title and not cls.is_valid_field(title, title_pattern):
@@ -792,6 +794,35 @@ def validate_form_title(cls, title, exclude_id=None):
             raise BusinessException(BusinessErrorCode.FORM_EXISTS)
         return True
 
+    @staticmethod
+    def vaidate_path(path):
+        """Validate path with formio resevered keywords."""
+        # Keywords that are invalid as standalone input
+        restricted_keywords = {
+            "exists",
+            "export",
+            "role",
+            "current",
+            "logout",
+            "import",
+            "form",
+            "access",
+            "token",
+            "recaptcha",
+        }
+
+        # Forbidden end keywords
+        forbidden_end_keywords = {"submission", "action"}
+
+        if (
+            path in restricted_keywords
+            or path
+            and any(path.endswith(keyword) for keyword in forbidden_end_keywords)
+        ):
+            raise BusinessException(BusinessErrorCode.INVALID_PATH)
+
+        return True
+
     @staticmethod
     @user_context
     def validate_form_name_path_title(request, **kwargs):
@@ -813,6 +844,11 @@ def validate_form_name_path_title(request, **kwargs):
         if title and len(title) > 200:
             raise BusinessException(BusinessErrorCode.INVALID_FORM_TITLE_LENGTH)
 
+        # In case of new form creation, title alone passed form UI
+        # Trim space & validate path
+        if not parent_form_id and title:
+            path = title.replace(" ", "")
+
         FormProcessMapperService.validate_title_name_path(title, path, name)
 
         if current_app.config.get("MULTI_TENANCY_ENABLED"):