add a helper to project admin include for ultranormalization collisions #17124

ewdurbin · 2024-11-19T22:00:26Z

resolves #17113

Example:

resolves #17113

warehouse/admin/views/includes.py

+    return {
+        "project": project,
+        "project_name": project_name,
+        "prohibited": prohibited,
+        "collisions": [p.name for p in collisions],
+    }


To fix the problem, we need to escape the project_name before including it in the returned dictionary. This can be done using the html.escape() function from the html module in Python, which is designed to escape special characters in strings to prevent XSS attacks.

We will import the html module and use the html.escape() function to sanitize the project_name before it is included in the returned dictionary.

miketheman

Nice stuff! I have sone suggestion for optimizing the query - it's not going to be materially impactful due to the low usage/latency of this view, but I'd be remiss if I didn't note it.

miketheman · 2024-11-19T22:16:18Z

warehouse/admin/views/includes.py

+    collisions = (
+        request.db.query(Project)
+        .filter(
+            func.ultranormalize_name(Project.name)
+            == func.ultranormalize_name(project_name)
+        )
+        .filter(
+            func.normalize_pep426_name(Project.name)
+            != func.normalize_pep426_name(project_name)
+        )
+        .all()
+    )

-    return {"project": project, "project_name": project_name, "prohibited": prohibited}
+    return {
+        "project": project,
+        "project_name": project_name,
+        "prohibited": prohibited,
+        "collisions": [p.name for p in collisions],
+    }


Optimize: Since we're not using any part of the results other than the colliding name we can optimize and only return the name part from the DB, saving data load/roundtrip, serialization work, etc.
This is more aligned with modern SQLAlchemy syntax, where we construct a statement and pass it to the session.

Needs an update to import select as well

collisions = request.db.scalars( select(Project.name) .filter( func.ultranormalize_name(Project.name) == func.ultranormalize_name(project_name) ) .filter( func.normalize_pep426_name(Project.name) != func.normalize_pep426_name(project_name) ) ).all()

And then no need to listcomp "collisions" later, since it'll be constructed as a list of strings.

add a helper to project admin include for ultranormalization collisions

356ff3d

resolves #17113

ewdurbin requested a review from a team as a code owner November 19, 2024 22:00

github-advanced-security bot found potential problems Nov 19, 2024

View reviewed changes

miketheman approved these changes Nov 19, 2024

View reviewed changes

miketheman added the admin Features needed for the Admin UI (people running the site) label Nov 19, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

add a helper to project admin include for ultranormalization collisions #17124

add a helper to project admin include for ultranormalization collisions #17124

ewdurbin commented Nov 19, 2024

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

miketheman left a comment

miketheman Nov 19, 2024

add a helper to project admin include for ultranormalization collisions #17124

Are you sure you want to change the base?

add a helper to project admin include for ultranormalization collisions #17124

Conversation

ewdurbin commented Nov 19, 2024

miketheman left a comment

Choose a reason for hiding this comment

miketheman Nov 19, 2024

Choose a reason for hiding this comment