Skip to content

Fix: make /import/batch/approve work #11237

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 5, 2025
Merged

Fix: make /import/batch/approve work #11237

merged 2 commits into from
Sep 5, 2025

Conversation

scottbarnes
Copy link
Collaborator

Closes #11227

This commit ensures the batch_id value passed into the query is the same as the value of batch_id as it is passed in from the endpoint.

Previously, this value was always 1. E.g., visiting /import/batch/approve/3 would show:

batch_id = '3'
0.0 (1):
            UPDATE import_item
            SET status = 'pending'
            WHERE batch_id = 1 AND status = 'needs_review';

Technical

This change in this commit was tested for SQL injection by setting batch_id to '3 OR true':

psycopg2.errors.InvalidTextRepresentation: invalid input syntax for integer: "3 OR true"
LINE 4:             WHERE batch_id = '3 OR true' AND status = 'needs...
                                     ^

It is not immediately obvious to me that is a sufficient test, and I am unsure if these queries are being parameterized if created this way.

Testing

Create a new import batch as a non-privileged user. Visit /import/batch/<batch_id> and click on Approve. The batch status should change to pending.

Screenshot

Stakeholders

@mekarpeles, @liz907.

@scottbarnes
Fix: make /import/batch/approve work
7188240 
Closes internetarchive#11227

This commit ensures the `batch_id` value passed into the query is the
same as the value of `batch_id` as it is passed in from the endpoint.

Previously, this value was always `1`. E.g., visiting
`/import/batch/approve/3` would show:
```
batch_id = '3'
0.0 (1):
            UPDATE import_item
            SET status = 'pending'
            WHERE batch_id = 1 AND status = 'needs_review';
```

This change in this commit was tested for SQL injection by setting `batch_id` to '3 OR true':
```
psycopg2.errors.InvalidTextRepresentation: invalid input syntax for integer: "3 OR true"
LINE 4:             WHERE batch_id = '3 OR true' AND status = 'needs...
                                     ^
```
@github-actions github-actions bot added the Priority: 2 Important, as time permits. [managed] label Sep 4, 2025
@mekarpeles mekarpeles merged commit 22614e5 into internetarchive:master Sep 5, 2025
4 checks passed
@mekarpeles
Copy link
Member

LGTM, @jimchamp might have thoughts about if there are additional sql precautions we might add

@scottbarnes scottbarnes deleted the wire-up-batch-approve-button branch September 6, 2025 05:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Priority: 2 Important, as time permits. [managed]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Allow UI approval of import batches

2 participants

@scottbarnes @mekarpeles