Merge pull request #90 from internetarchive/fix-semgrep

Fix more misc semgrep issues
internetarchive · Nov 26, 2024 · 7143167 · 7143167
2 parents e65bfd1 + 5814f20
commit 7143167
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 26 deletions.
diff --git a/iiify/app.py b/iiify/app.py
@@ -28,27 +28,9 @@
 
 # cache.init_app(app)
 
-def sprite_concat(imgs):
-    from PIL import Image
-    images = list(map(Image.open, imgs))
-    widths, heights = zip(*[i.size for i in images])
-
-    total_width = sum(widths)
-    max_height = max(heights)
-
-    new_im = Image.new('RGB', (total_width, max_height))
-
-    x_offset = 0
-    for im in images:
-        new_im.paste(im, (x_offset, 0))
-        x_offset += im.size[0]
-    return new_im
-
 
 def cache_bust():
-    if request.args.get("recache", "") in ["True", "true", "1"]:
-        return True
-    return False
+    return request.args.get("recache", "") in ["True", "true", "1"]
 
 @app.route('/')
 def mainentry():
@@ -99,8 +81,7 @@ def documentation():
 
 @app.route('/iiif/helper/<identifier>/')
 def helper(identifier):
-    if not re.match(r'^[a-zA-Z0-9_.-]{1,100}$', identifier):
-        abort(400, "Invalid identifier")
+    validate_ia_identifier(identifier)
 
     metadata = requests.get('%s/metadata/%s' % (ARCHIVE, identifier)).json()
 
@@ -130,6 +111,8 @@ def helper(identifier):
 
 @app.route('/iiif/<identifier>')
 def view(identifier):
+    validate_ia_identifier(identifier)
+
     domain = purify_domain(request.args.get('domain', request.url_root))
     uri = '%s%s' % (domain, identifier)
     page = request.args.get('page', None)
@@ -148,6 +131,7 @@ def view(identifier):
 @app.route('/iiif/3/<identifier>/collection.json')
 @cache.cached(timeout=cache_timeouts["med"], forced_update=cache_bust)
 def collection3JSON(identifier):
+    validate_ia_identifier(identifier)
     domain = purify_domain(request.args.get('domain', request.url_root))
 
     try:
@@ -165,6 +149,7 @@ def collection3JSON(identifier):
 @app.route('/iiif/3/<identifier>/<page>/collection.json')
 @cache.cached(timeout=cache_timeouts["med"], forced_update=cache_bust)
 def collection3page(identifier, page):
+    validate_ia_identifier(identifier)
     domain = purify_domain(request.args.get('domain', request.url_root))
 
     try:
@@ -183,18 +168,22 @@ def collection3page(identifier, page):
 @app.route('/iiif/<identifier>/collection.json')
 @cache.cached(timeout=cache_timeouts["long"], forced_update=cache_bust)
 def collectionJSON(identifier):
+    validate_ia_identifier(identifier)
     return redirect(f'/iiif/3/{identifier}/collection.json', code=302)
 
 
 @app.route('/iiif/<identifier>/<page>/collection.json')
 @cache.cached(timeout=cache_timeouts["long"], forced_update=cache_bust)
 def collectionPage(identifier, page):
+    validate_ia_identifier(identifier)
     return redirect(f'/iiif/3/{identifier}/{page}/collection.json', code=302)
 
 
 @app.route('/iiif/3/<identifier>/manifest.json')
 @cache.cached(timeout=cache_timeouts["long"], forced_update=cache_bust)
 def manifest3(identifier):
+    validate_ia_identifier(identifier)
+
     domain = purify_domain(request.args.get('domain', request.url_root))
     page = None
 
@@ -209,26 +198,30 @@ def manifest3(identifier):
         raise excpt
         # abort(404)
 
-@app.route('/iiif/<version>/annotations/<identifier>/<fileName>/<canvas_no>.json')
+@app.route('/iiif/<int:version>/annotations/<identifier>/<fileName>/<int:canvas_no>.json')
 @cache.cached(timeout=cache_timeouts["long"], forced_update=cache_bust)
-def annnotations(version, identifier, fileName, canvas_no):
+def annnotations(version: str, identifier: str, fileName: str, canvas_no: int):
+    validate_ia_identifier(identifier)
     domain = purify_domain(request.args.get('domain', request.url_root))
     return ldjsonify(create_annotations(version, identifier, fileName, canvas_no, domain=domain))
 
 @app.route('/iiif/vtt/streaming/<identifier>.vtt')
 @cache.cached(timeout=cache_timeouts["long"], forced_update=cache_bust)
 def vtt_stream(identifier):
+    validate_ia_identifier(identifier)
     response = make_response(create_vtt_stream(identifier))
     response.headers['Content-Type'] = 'text/vtt'
     return response
 
 @app.route('/iiif/<identifier>/manifest.json')
 @cache.cached(timeout=cache_timeouts["long"], forced_update=cache_bust)
 def manifest(identifier):
+    validate_ia_identifier(identifier)
     return redirect(f'/iiif/3/{identifier}/manifest.json', code=302)
 
 @app.route('/iiif/2/<identifier>/manifest.json')
 def manifest2(identifier):
+    validate_ia_identifier(identifier)
     domain = purify_domain(request.args.get('domain', request.url_root))
     page = None
     if '$' in identifier:
@@ -244,24 +237,28 @@ def manifest2(identifier):
 
 @app.route('/iiif/<identifier>/info.json')
 def info(identifier):
+    validate_ia_identifier(identifier)
     cantaloupe_id = cantaloupe_resolver(identifier)
     cantaloupe_url = f"{image_server}/2/{cantaloupe_id}/info.json"
     return redirect(cantaloupe_url, code=302)
 
 @app.route('/iiif/3/<identifier>/info.json')
 def info3(identifier):
+    validate_ia_identifier(identifier)
     cantaloupe_id = cantaloupe_resolver(identifier)
     cantaloupe_url = f"{image_server}/3/{cantaloupe_id}/info.json"
     return redirect(cantaloupe_url, code=302)
 
 @app.route('/iiif/2/<identifier>/info.json')
 def info2(identifier):
+    validate_ia_identifier(identifier)
     cantaloupe_id = cantaloupe_resolver(identifier)
     cantaloupe_url = f"{image_server}/2/{cantaloupe_id}/info.json"
     return redirect(cantaloupe_url, code=302)
 
 @app.route('/iiif/<identifier>/<region>/<size>/<rotation>/<quality>.<fmt>')
 def image_processor(identifier, region, size, rotation, quality, fmt):
+    validate_ia_identifier(identifier)
     cantaloupe_id = cantaloupe_resolver(identifier)
     cantaloupe_url = f"{image_server}/2/{cantaloupe_id}/{region}/{size}/{rotation}/{quality}.{fmt}"
     return redirect(cantaloupe_url, code=302)
@@ -278,6 +275,9 @@ def ldjsonify(data):
     j.mimetype = "application/ld+json"
     return j
 
+def validate_ia_identifier(identifier: str) -> None:
+    if not re.match(r'^[a-zA-Z0-9_.-]{1,100}$', identifier):
+        abort(400, "Invalid identifier")
 
 if __name__ == '__main__':
     app.run(**options)
diff --git a/iiify/resolver.py b/iiify/resolver.py
@@ -844,10 +844,10 @@ def create_manifest3(identifier, domain=None, page=None):
 
     return json.loads(manifest.jsonld())
 
-def create_annotations(version, identifier, fileName, canvas_no, domain=None):
+def create_annotations(version: int, identifier: str, fileName: str, canvas_no: int, domain: str | None = None):
     annotationPage = AnnotationPage(id=f"{domain}{version}/annotations/{identifier}/{quote(fileName, safe='()')}/{canvas_no}.json")
     annotationPage.items = []
-    index = int(canvas_no) - 1
+    index = canvas_no - 1
     url = f"{ARCHIVE}/download/{identifier}/{fileName}"
     try:
         # Fetch the remote XML file

diff --git a/iiify/static/scripts/crosslink.js b/iiify/static/scripts/crosslink.js
@@ -16,7 +16,7 @@ $(document).ready(function() {
 		canvas,
 		manifest;
 		var url = 'https://pragma.archivelab.org';
-		if (link.indexOf(url) == 0) {
+		if (link == url || link.indexOf(url + '/') == 0) {
 		    console.log('just checking');
 		    event.preventDefault();
 		    event.stopImmediatePropagation;