
Commit 2263f44

author
noel-enquanta
committed
URL-encode user_id, group_id, lang, sub_account_api_key in path params
Defense in depth: VoiceIt IDs are structured (usr_*, grp_*, key_*), but callers are not trusted to pass only well-formed IDs, so a '/' or '?' inside an ID can no longer change the endpoint or inject query parameters.
1 parent 3529f46 commit 2263f44


1 file changed

+14
-14
lines changed


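--- a/voiceit3/voiceit3.py
+++ b/voiceit3/voiceit3.py
@@ -4,7 +4,7 @@
 
 class VoiceIt3:
 base_url = ''
-version = '3.0.4'
+version = '3.0.5'
 voiceit_basic_auth_credentials = ''
 notification_url = ''
 
@@ -28,7 +28,7 @@ def get_all_users(self):
 
 def get_phrases(self, lang):
 try:
-response = requests.get(self.base_url + '/phrases/' + str(lang) + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
+response = requests.get(self.base_url + '/phrases/' + urllib.parse.quote(str(lang), safe="") + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
 return response.json()
 except requests.exceptions.HTTPError as e:
 return e.read()
@@ -69,35 +69,35 @@ def create_managed_sub_account(self, firstName, lastName, email, password, lang)
 
 def regenerate_sub_account_api_token(self, sub_account_api_key):
 try:
-response = requests.post(self.base_url + '/subaccount/' + str(sub_account_api_key) + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
+response = requests.post(self.base_url + '/subaccount/' + urllib.parse.quote(str(sub_account_api_key), safe="") + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
 return response.json()
 except requests.exceptions.HTTPError as e:
 return e.read()
 
 def delete_sub_account(self, sub_account_api_key):
 try:
-response = requests.delete(self.base_url + '/subaccount/' + str(sub_account_api_key) + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
+response = requests.delete(self.base_url + '/subaccount/' + urllib.parse.quote(str(sub_account_api_key), safe="") + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
 return response.json()
 except requests.exceptions.HTTPError as e:
 return e.read()
 
 def check_user_exists(self, user_id):
 try:
-response = requests.get(self.base_url + '/users/' + str(user_id) + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
+response = requests.get(self.base_url + '/users/' + urllib.parse.quote(str(user_id), safe="") + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
 return response.json()
 except requests.exceptions.HTTPError as e:
 return e.read()
 
 def delete_user(self, user_id):
 try:
-response = requests.delete(self.base_url + '/users/' + str(user_id) + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
+response = requests.delete(self.base_url + '/users/' + urllib.parse.quote(str(user_id), safe="") + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
 return response.json()
 except requests.exceptions.HTTPError as e:
 return e.read()
 
 def get_groups_for_user(self, user_id):
 try:
-response = requests.get(self.base_url + '/users/' + str(user_id) + '/groups' + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
+response = requests.get(self.base_url + '/users/' + urllib.parse.quote(str(user_id), safe="") + '/groups' + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
 return response.json()
 except requests.exceptions.HTTPError as e:
 return e.read()
@@ -111,14 +111,14 @@ def get_all_groups(self):
 
 def get_group(self, group_id):
 try:
-response = requests.get(self.base_url + '/groups/' + str(group_id) + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
+response = requests.get(self.base_url + '/groups/' + urllib.parse.quote(str(group_id), safe="") + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
 return response.json()
 except requests.exceptions.HTTPError as e:
 return e.read()
 
 def group_exists(self, group_id):
 try:
-response = requests.get(self.base_url + '/groups/' + str(group_id) + '/exists' + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
+response = requests.get(self.base_url + '/groups/' + urllib.parse.quote(str(group_id), safe="") + '/exists' + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
 return response.json()
 except requests.exceptions.HTTPError as e:
 return e.read()
@@ -154,28 +154,28 @@ def remove_user_from_group(self, group_id, user_id):
 
 def delete_group(self, group_id):
 try:
-response = requests.delete(self.base_url + '/groups/' + str(group_id) + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
+response = requests.delete(self.base_url + '/groups/' + urllib.parse.quote(str(group_id), safe="") + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
 return response.json()
 except requests.exceptions.HTTPError as e:
 return e.read()
 
 def get_all_face_enrollments(self, user_id):
 try:
-response = requests.get(self.base_url + '/enrollments/face/' + str(user_id) + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
+response = requests.get(self.base_url + '/enrollments/face/' + urllib.parse.quote(str(user_id), safe="") + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
 return response.json()
 except requests.exceptions.HTTPError as e:
 return e.read()
 
 def get_all_voice_enrollments(self, user_id):
 try:
-response = requests.get(self.base_url + '/enrollments/voice/' + str(user_id) + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
+response = requests.get(self.base_url + '/enrollments/voice/' + urllib.parse.quote(str(user_id), safe="") + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
 return response.json()
 except requests.exceptions.HTTPError as e:
 return e.read()
 
 def get_all_video_enrollments(self, user_id):
 try:
-response = requests.get(self.base_url + '/enrollments/video/' + str(user_id) + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
+response = requests.get(self.base_url + '/enrollments/video/' + urllib.parse.quote(str(user_id), safe="") + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
 return response.json()
 except requests.exceptions.HTTPError as e:
 return e.read()
@@ -274,7 +274,7 @@ def create_video_enrollment_by_url(self, user_id, lang, phrase, file_Url):
 
 def delete_all_enrollments(self, user_id):
 try:
-response = requests.delete(self.base_url + '/enrollments/' + str(user_id) + '/all' + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
+response = requests.delete(self.base_url + '/enrollments/' + urllib.parse.quote(str(user_id), safe="") + '/all' + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
 return response.json()
 except requests.exceptions.HTTPError as e:
 return e.read()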
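Review bot: `urllib.parse.quote` never encodes `.`, so a quoted segment can still be `.` or `..`, and `get_groups_for_user("..")` on new line 100 sends `/users/../groups`, which a server that normalizes dot-segments would resolve to `/groups`; the same applies to the `/exists` and `/all` suffixes on lines 121 and 277 and, with an empty ID, to every patched path. Since the description says IDs are `usr_*`/`grp_*`/`key_*`, a small helper that rejects empty, `.` and `..` segments (or allowlists the documented prefix) before quoting closes that gap, at the cost of a `ValueError` that callers catching only `HTTPError` will see — appropriate for a caller bug. The hunks do not show an `import urllib.parse` being added and the module header is outside them, so confirm the import exists; otherwise each patched call raises `NameError` at runtime. The `@@` headers name `remove_user_from_group(self, group_id, user_id)` and `create_video_enrollment_by_url(self, user_id, lang, ...)`, whose bodies are outside these hunks; if they build paths from the same IDs they need the same treatment.
```python
def _path_segment(self, value):
    """Return *value* as a single URL path segment, refusing dot-segments."""
    seg = str(value)
    if not seg or seg in (".", ".."):
        raise ValueError(f"invalid VoiceIt identifier for URL path: {seg!r}")
    return urllib.parse.quote(seg, safe="")

# … unchanged: other methods …
def get_groups_for_user(self, user_id):
    try:
        response = requests.get(self.base_url + '/users/' + self._path_segment(user_id) + '/groups' + self.notification_url, auth=self.voiceit_basic_auth_credentials, headers=self.headers)
        # … unchanged: response handling …
```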
