From 9457d423aa2ccfeb2e35c2b16700ac1a90b3007c Mon Sep 17 00:00:00 2001
From: Edward Betts <edward@4angle.com>
Date: Wed, 16 Jun 2021 14:31:58 +0200
Subject: [PATCH] Validate input to missing items API

---
 web_view.py | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/web_view.py b/web_view.py
index 1492968..980e37f 100755
--- a/web_view.py
+++ b/web_view.py
@@ -23,6 +23,8 @@ DB_URL = "postgresql:///matcher"
 database.init_db(DB_URL)
 entity_keys = {"labels", "sitelinks", "aliases", "claims", "descriptions", "lastrevid"}
 
+re_qid = re.compile(r'^Q\d+$')
+
 property_map = [
     ("P238", ["iata"], "IATA airport code"),
     ("P239", ["icao"], "ICAO airport code"),
@@ -998,8 +1000,20 @@ def api_find_osm_candidates(item_id):
 @app.route("/api/1/missing")
 def api_missing_wikidata_items():
     qids_arg = request.args.get("qids")
-    qids = qids_arg.split(",")
-    if not qids or not qids[0]:
+    if not qids_arg:
+        return jsonify(success=False,
+                       error="required parameter 'qids' is missing",
+                       items=[],
+                       isa_count=[])
+
+    qids = []
+    for qid in qids_arg.upper().split(","):
+        qid = qid.strip()
+        m = re_qid.match(qid)
+        if not m:
+            continue
+        qids.append(qid)
+    if not qids:
         return jsonify(success=True, items=[], isa_count=[])
 
     lat, lon = request.args.get("lat"), request.args.get("lon")