From c9b6bf5486d5777e306329ad546d7a77d375afbf Mon Sep 17 00:00:00 2001
From: Andrew Pollock
Date: Fri, 21 Jul 2023 17:17:16 +1000
Subject: [PATCH] Validate the ecosystem used in queries

Partially addresses #892
---
 gcp/api/server.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/gcp/api/server.py b/gcp/api/server.py
index 7fa2ed1bc43..18d3bf423e8 100644
--- a/gcp/api/server.py
+++ b/gcp/api/server.py
@@ -435,6 +435,13 @@ def determine_version(version_query: osv_service_v1_pb2.VersionQuery,
 len(version_query.file_hashes))


+@ndb.tasklet
+def valid_ecosystems():
+ """Return the list of ecosystems considered valid."""
+ query = osv.Bug.query(project=[osv.Bug.ecosystem], distinct=True)
+ return [bug.ecosystems[0] for bug in query if bug.ecosystem]
+
+
 @ndb.tasklet
 def do_query(query, context: QueryContext, include_details=True):
 """Do a query."""
@@ -447,6 +454,10 @@ def do_query(query, context: QueryContext, include_details=True):
 ecosystem = ''
 purl_str = ''

+ if ecosystem and ecosystem not in valid_ecosystems():
+ context.service_context.abort(grpc.StatusCode.INVALID_ARGUMENT,
+ 'Invalid ecosystem.')
+
 purl = None
 purl_version = None
 if purl_str:
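Review bot: `valid_ecosystems()` reads `bug.ecosystems[0]` while the projection and the filter in the same function use `osv.Bug.ecosystem` and `bug.ecosystem`; unless the model also defines an `ecosystems` property (not visible here), the comprehension raises AttributeError on the first row, and the line should read `return [bug.ecosystem[0] for bug in query if bug.ecosystem]`. The function is also wrapped in `@ndb.tasklet` although it contains no `yield`, so a caller receives a future rather than the list, and the call site in the second hunk (`ecosystem not in valid_ecosystems()`) tests membership against that future instead of validating the input. Either drop the decorator here or have the caller use `yield valid_ecosystems()`. Since this function decides which request values are accepted, a test that sends one known and one unknown ecosystem would show whether valid queries still pass and invalid ones get INVALID_ARGUMENT.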
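Review bot: The new check in `do_query` sits before the `if purl_str:` branch, so it only covers an ecosystem supplied directly in the request; if the purl path later derives an ecosystem (that code is outside the hunk), the derived value would reach the datastore query unvalidated, and the check would be better placed after purl parsing or repeated there. The check also triggers a distinct projection query over `osv.Bug` for every request that carries an ecosystem, which adds a datastore read on the request path before any real work is done; caching the result for a short interval, as a set, would bound that cost. A comment above the check such as `# Reject unknown ecosystems before building the datastore query.` would document the intent. `do_query`'s body starts and ends outside the hunk.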