Validate the ecosystem used in queries

Partially addresses google#892
andrewpollock · Jul 21, 2023 · c9b6bf5 · c9b6bf5
1 parent edb93e1
commit c9b6bf5
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/gcp/api/server.py b/gcp/api/server.py
@@ -435,6 +435,13 @@ def determine_version(version_query: osv_service_v1_pb2.VersionQuery,
                                         len(version_query.file_hashes))
 
 
+@ndb.tasklet
+def valid_ecosystems():
+  """Return the list of ecosystems considered valid."""
+  query = osv.Bug.query(project=[osv.Bug.ecosystem], distinct=True)
+  return [bug.ecosystems[0] for bug in query if bug.ecosystem]
+
+
 @ndb.tasklet
 def do_query(query, context: QueryContext, include_details=True):
   """Do a query."""
@@ -447,6 +454,10 @@ def do_query(query, context: QueryContext, include_details=True):
     ecosystem = ''
     purl_str = ''
 
+  if ecosystem and ecosystem not in valid_ecosystems():
+    context.service_context.abort(grpc.StatusCode.INVALID_ARGUMENT,
+                                  'Invalid ecosystem.')
+
   purl = None
   purl_version = None
   if purl_str: