From 6480dbce57f60f4a7a608bec5995a3a7dbd10ef8 Mon Sep 17 00:00:00 2001 From: Sietse Snel Date: Mon, 6 May 2024 15:14:54 +0200 Subject: [PATCH] YDA-5696: harden rule_revision_batch - Ensure it can only be started by rodsadmin users - Validate balance ID and batch size parameters --- revisions.py | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/revisions.py b/revisions.py index d449caf87..cf9af5a05 100644 --- a/revisions.py +++ b/revisions.py @@ -318,6 +318,8 @@ def rule_revision_batch(ctx, verbose, balance_id_min, balance_id_max, batch_size :param balance_id_max: Maximum balance id for batch jobs (value 1-64) :param batch_size_limit: Maximum number of items to be processed within one batch :param dry_run: When '1' do not actually create revisions, only log what would have been created + + :raises Exception: If one of the parameters is invalid """ count = 0 count_ok = 0 @@ -328,6 +330,17 @@ def rule_revision_batch(ctx, verbose, balance_id_min, balance_id_max, batch_size attr = constants.UUORGMETADATAPREFIX + "revision_scheduled" errorattr = constants.UUORGMETADATAPREFIX + "revision_failed" + if user.user_type(ctx) != 'rodsadmin': + log.write(ctx, "The revision creation job can only be started by a rodsadmin user.") + return + + if not (batch_size_limit.isdigit() and int(batch_size_limit) > 0): + raise Exception("Batch size limit is invalid. It needs to be a positive integer.") + + if not ((balance_id_min.isdigit() and int(balance_id_min) >= 1 and int(balance_id_min) <= 64) + and (balance_id_max.isdigit() and int(balance_id_max) >= 1 and int(balance_id_max) <= 64)): + raise Exception("Balance ID is invalid. The balance IDs need to be integers between 1 and 64.") + # Stop further execution if admin has blocked revision process. if is_revision_blocked_by_admin(ctx): log.write(ctx, "Batch revision job is stopped")