DEV Community

Kanthaliya

Posted on

12

Validating and Sanitizing user inputs on python projects REST api

Validation

Validating user input is one of the most important tasks when developing a project. It not only keeps the stored data clean but also blocks malformed or malicious data sent with requests that have been modified using intercepting tools such as Burp Suite.

One Python package that helps with validating API requests is schema.

from schema import Schema, And, Use, Optional

# A list of records. Each record needs a non-empty string name and an age that
# converts to an int between 18 and 99. gender is optional; because Use(str.lower)
# runs before the membership test, the allowed values must be lower-case too
# (comparing against 'Male'/'Female' after lower-casing would always fail).
schema = Schema([{'name': And(str, len),
                  'age': And(Use(int), lambda n: 18 <= n <= 99),
                  Optional('gender'): And(str, Use(str.lower),
                                          lambda s: s in ('male', 'female'))}])

data = [{'name': 'Pritesh', 'age': '29', 'gender': 'Male'},
        {'name': 'Alisha', 'age': '26', 'gender': 'Female'},
        {'name': 'Atul', 'age': '28'}]

# Returns the converted payload (ages as int, genders lower-cased) or raises SchemaError.
validated = schema.validate(data)

If validation fails, it raises SchemaError; otherwise it returns the payload filtered and converted according to the schema.

Schema has many features we can use; a few of them are:

  • Optional keys can also carry a default, used when no key in the data matches, e.g.:
Schema({Optional('best_songs', default='blues'): str, 'best_movie': str}).validate({'best_movie': 'shawshank redemption'})
  • In a dictionary, you can combine two keys in a "one or the other" manner. To do so, use the Or class as a key:
Schema({Or("key1", "key2", only_one=True): str})
  • The Schema(...) parameter ignore_extra_keys causes validation to ignore extra keys in a dictionary and to not return them after validating:
schema = Schema({'movie': str}, ignore_extra_keys=True)
print(schema.validate({'movie': 'tenet', 'review': '4'}))
# prints {'movie': 'tenet'}
  • You can pass a keyword argument error to any of the validatable classes (such as Schema, And, Or, Regex, Use) to report that message instead of the built-in one:
Schema(Use(int, error='Invalid year')).validate('2020')

Sanitization

Once user inputs are validated, the data still needs to be sanitized with an HTML sanitizing library that escapes or strips markup and attributes; Bleach is one such library.
Adding sanitization helps prevent XSS attacks on the application, since a value can pass type and length checks while still containing markup.

import bleach

# By default bleach.clean escapes any tag that is not in its allow-list.
bleach.clean('an <script>evil()</script> example')
# returns 'an &lt;script&gt;evil()&lt;/script&gt; example'
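Putting both steps together for one request body, as an added example that is not part of the original post: the same rules as the schema above (non-empty name, age 18 to 99, optional gender) are written with the standard library so it runs without schema or bleach installed, unknown keys are dropped the way ignore_extra_keys does, and html.escape stands in for bleach.clean's default escaping. The function names and ValidationError are assumptions for this example.

```python
import html
from typing import Any, Callable, Dict, Mapping


class ValidationError(ValueError):
    """Raised when a request field fails a validation rule (hypothetical, stands in for SchemaError)."""


# Each rule converts the raw value and returns the normalised one, or raises.
def check_name(value: Any) -> str:
    if not isinstance(value, str) or not value:
        raise ValidationError("name must be a non-empty string")
    return value


def check_age(value: Any) -> int:
    try:
        age = int(value)               # like Use(int)
    except (TypeError, ValueError):
        raise ValidationError("Invalid age") from None
    if not 18 <= age <= 99:
        raise ValidationError("age must be between 18 and 99")
    return age


def check_gender(value: Any) -> str:
    # Normalise first, then compare against lower-case values only.
    if not isinstance(value, str) or value.lower() not in ("male", "female"):
        raise ValidationError("gender must be Male or Female")
    return value.lower()


REQUIRED: Dict[str, Callable[[Any], Any]] = {"name": check_name, "age": check_age}
OPTIONAL: Dict[str, Callable[[Any], Any]] = {"gender": check_gender}


def validate_and_sanitize(payload: Mapping[str, Any]) -> Dict[str, Any]:
    """Validate a request body, drop keys the schema does not know, then
    HTML-escape every surviving string so markup that passed the type and
    length checks (e.g. a '<script>' name) cannot reach a rendered page."""
    if not isinstance(payload, Mapping):
        raise ValidationError("payload must be an object")
    clean: Dict[str, Any] = {}
    for key, rule in REQUIRED.items():
        if key not in payload:
            raise ValidationError(f"missing key: {key}")
        clean[key] = rule(payload[key])
    for key, rule in OPTIONAL.items():
        if key in payload:
            clean[key] = rule(payload[key])
    return {k: html.escape(v) if isinstance(v, str) else v for k, v in clean.items()}
```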


Top comments (2)

Esther White

Very nice article, thank you 👍

biswajit-k

Concise and informative Article. Thanks a lot!
