Added wildcard signal handling while counting multiples in get_multiples_count() + in check_signals_allowlist().

dmytrotsko · dmytrotsko · commit b21141aec70d · 2023-07-11T23:04:22.000+03:00
Changed request_signals from list to set in order to use `issubset()` function
diff --git a/src/server/_limiter.py b/src/server/_limiter.py
@@ -8,7 +8,15 @@
 from ._config import RATE_LIMIT, RATELIMIT_STORAGE_URL, REDIS_HOST, REDIS_PASSWORD
 from ._exceptions import ValidationFailedException
 from ._params import extract_dates, extract_integers, extract_strings, parse_source_signal_sets
-from ._security import _is_public_route, current_user, require_api_key, show_no_api_key_warning, resolve_auth_token, ERROR_MSG_RATE_LIMIT, ERROR_MSG_MULTIPLES
+from ._security import (
+    _is_public_route,
+    current_user,
+    require_api_key,
+    show_no_api_key_warning,
+    resolve_auth_token,
+    ERROR_MSG_RATE_LIMIT,
+    ERROR_MSG_MULTIPLES,
+)
 
 
 def deduct_on_success(response: Response) -> bool:
@@ -52,8 +60,9 @@ def get_multiples_count(request):
     if "window" in request.args.keys():
         multiple_selection_allowed -= 1
     for k, v in request.args.items():
-        if v == "*":
+        if "*" in v:
             multiple_selection_allowed -= 1
+            continue
         try:
             vals = multiples.get(k)(k)
             if len(vals) >= 2:
@@ -70,17 +79,23 @@ def get_multiples_count(request):
 
 def check_signals_allowlist(request):
     signals_allowlist = {":".join(ss_pair) for ss_pair in DashboardSignals().srcsig_list()}
-    request_signals = []
-    request_args = request.args.keys()
-    if "signal" in request_args or "signals" in request_args:
+    request_signals = set()
+    try:
         source_signal_sets = parse_source_signal_sets()
         for source_signal in source_signal_sets:
-            if isinstance(source_signal.signal, list):
-                for signal in source_signal.signal:
-                    request_signals.append(f"{source_signal.source}:{signal}")
+            # source_signal.signal is expected to be eiter list or bool:
+            # in case of bool, we have wildcard signal -> return False as there are no chances that
+            # all signals from given source will be whitelisted
+            # in case of list, we have list of signals
+            if isinstance(source_signal.signal, bool):
+                return False
+            for signal in source_signal.signal:
+                request_signals.add(f"{source_signal.source}:{signal}")
+    except ValidationFailedException:
+        return False
     if len(request_signals) == 0:
         return False
-    return all([signal in signals_allowlist for signal in request_signals])
+    return set(request_signals).issubset(signals_allowlist)
 
 
 def _resolve_tracking_key() -> str:
