DEV Community

Kanthaliya
Kanthaliya

Posted on

Validating and Sanitizing user inputs on python projects REST api

#python #security #rest #validation

Validation

User input data validation is one of the most important things while developing a project. It not only keeps the data clean but also helps with somewhat malicious data being sent with requests using intercept tools like burp suite.

One of python package which helps in validating Api request is Schema

from schema import Schema, And, Use, Optional

schema = Schema([{'name': And(str, len),
                  'age':  And(Use(int), lambda n: 18 <= n <= 99),
                   Optional('gender'): And(str, Use(str.lower),
                                           lambda s: s in ('Male', 'Female'))}])

data = [{'name': 'Pritesh', 'age': '29', 'gender': 'Male'},
        {'name': 'Alisha', 'age': '26', 'gender': 'Female'},
        {'name': 'Atul', 'age': '28'}]

validated = schema.validate(data)
Enter fullscreen mode Exit fullscreen mode

If validation fails It raises SchemaError else it would return filtered payload based on schema validation.

There are many features of Schema we can use, few of them are -

  • Optional keys can also carry a default, to be used when no key in the data matches: eg: 
Schema({Optional('best_songs', default='blues'): str, 'best_movie': str}).validate({'best_movie': 'shawshank redemption'})
Enter fullscreen mode Exit fullscreen mode
  • In a dictionary, you can combine two keys in a “one or the other” manner. To do so, use the Or class as a key 
Schema({  Or("key1", "key2", only_one=True): str })
Enter fullscreen mode Exit fullscreen mode
  • The Schema(...) parameter ignore_extra_keys causes validation to ignore extra keys in a dictionary, and also to not return them after validating. 
Schema({'movie': str}, ignore_extra_keys=True)
print(schema.validate({'movie': 'tenet', 'review': '4'}))
{'movie': 'tenet'}
Enter fullscreen mode Exit fullscreen mode
  • You can pass a keyword argument error to any of validatable classes (such as Schema, And, Or, Regex, Use) to report the error instead of a built-in one. 
Schema(Use(int, error='Invalid year')).validate('2020')
Enter fullscreen mode Exit fullscreen mode

Sanitization

Once user inputs are validated, data needs to be sanitized with an HTML sanitizing library that escapes or strips markup and attributes. Bleach
Adding sanitization helps in eliminating XSS attacks on application.

import bleach
bleach.clean('an <script>evil()</script> example')
u'an &lt;script&gt;evil()&lt;/script&gt; example'
Enter fullscreen mode Exit fullscreen mode

Top comments (2)

Collapse
 
monacodelisa profile image
Esther White

Very nice article, thank you 👍

Collapse
 
biswajitk profile image
biswajit-k

Concise and informative Article. Thanks a lot!

Read next

viradiaharsh profile image

Introducing the AWS CDK L2 Construct: Simplified Security for Amazon CloudFront with Origin Access Control (OAC)

Harsh Viradia -

bcristianc profile image

Simulando AWS KMS con LocalStack y Node.js: Una Guía para Desarrolladores

Cristian Cazares -

balagmadhu profile image

Securing Plain Text using SHA hashing: SHA-256 Sorcery

Bala Madhusoodhanan -

shadow_b profile image

Exploring Async Deepgram API: Speech-to-Text using Python

shadowb -