alpha-phi-omega-ez · RafaelCenzano · Oct 31, 2025 · Oct 31, 2025 · Oct 31, 2025 · Oct 31, 2025
diff --git a/.github/workflows/docker-deploy.yml b/.github/workflows/docker-deploy.yml
@@ -22,18 +22,18 @@ jobs:
       id-token: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5
       # Uses the `docker/login-action` action to log in to the Container registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
       - name: Log in to the Container registry
-        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef #v3.6.2
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f #v5.8.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
@@ -44,7 +44,7 @@ jobs:
       # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
       - name: Build and push Docker image
         id: push
-        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
         with:
           context: .
           push: true
@@ -53,7 +53,7 @@ jobs:
 
       # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)."
       - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd
+        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a #v3.0.0
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
           subject-digest: ${{ steps.push.outputs.digest }}

diff --git a/.github/workflows/docker-test.yml b/.github/workflows/docker-test.yml
@@ -16,7 +16,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5
 
       - name: "Build Docker Image"
         run: |

diff --git a/.github/workflows/pytest.yml b/.github/workflows/pytest.yml
@@ -0,0 +1,37 @@
+# Runs the pytest suite on pull requests that touch Python sources or the
+# dependency / interpreter pins listed under `paths`.
+name: pytest
+
+on:
+  pull_request:
+    paths:
+      - "**.py"
+      - "uv.lock"
+      - ".python-version"
+      - "pyproject.toml"
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41  # v7.1.2
+        with:
+          # NOTE(review): "latest" floats with every uv release; consider
+          # pinning a uv version so CI runs stay reproducible.
+          version: "latest"
+
+      - name: Set up Python
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c  # v6
+        with:
+          python-version: "3.13.3"
+
+      # --frozen syncs from uv.lock as-is instead of updating the lockfile.
+      - name: Install dependencies
+        run: uv sync --frozen --no-cache
+
+      - name: Run pytest
+        run: uv run pytest
diff --git a/.github/workflows/ruff.yml b/.github/workflows/ruff.yml
@@ -9,5 +9,5 @@ jobs:
   ruff:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: astral-sh/ruff-action@0c50076f12c38c3d0115b7b519b54a91cb9cf0ad
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5
+      - uses: astral-sh/ruff-action@57714a7c8a2e59f32539362ba31877a1957dded1 #v3.5.1
diff --git a/pyproject.toml b/pyproject.toml
@@ -8,12 +8,14 @@ dependencies = [
     "aiocache>=0.12.3",
     "fastapi-sso>=0.17.0",
     "fastapi[standard]>=0.115.6",
+    "bleach>=6.1.0",
     "pydantic-settings>=2.7.1",
     "pyjwt>=2.10.1",
     "pymongo>=4.13.2",
     "ruff>=0.9.2",
     "sentry-sdk[fastapi]>=2.20.0",
     "valkey-glide>=2.0.1",
+    "pytest>=8.3.3",
 ]
 
 [tool.ruff]
@@ -28,3 +30,7 @@ quote-style = "double"
 indent-style = "space"
 line-ending = "lf"
 
+[tool.pytest.ini_options]
+pythonpath = ["."]
+testpaths = ["tests"]
+
diff --git a/server/database/laf.py b/server/database/laf.py
@@ -13,6 +13,7 @@
     datetime_time_delta,
     get_next_sequence_value,
 )
+from server.helpers.sanitize import reject_mongo_operators
 from server.models.laf import ArchivedLAFItem, ExpiredItem, LAFItem, LostReportItem
 
 sequence_id_collection = database.get_collection("sequence_id")
@@ -109,6 +110,7 @@ async def lost_report_helper(lost_report: dict) -> LostReportItem:
 
 # Add a new laf item into the database
 async def add_laf(laf_data: dict) -> LAFItem:
+    reject_mongo_operators(laf_data)
     type_id = await get_type_id(laf_data["type"])
     del laf_data["type"]
 
@@ -149,6 +151,7 @@ async def update_laf(laf_id: int, laf_data: dict, now: datetime) -> bool:
         del laf_data["type"]
         laf_data["type_id"] = type_id
 
+    reject_mongo_operators(laf_data)
     updated_laf_item = await laf_items_collection.update_one(
         {"_id": laf_id}, {"$set": laf_data}
     )
@@ -397,6 +400,7 @@ async def retrieve_expired_laf(
 
 # Add a new lost report into the database
 async def add_lost_report(lost_report_data: dict, auth: bool) -> LostReportItem:
+    reject_mongo_operators(lost_report_data)
     type_id = await get_type_id(lost_report_data["type"])
     del lost_report_data["type"]
     now = datetime.now()
@@ -437,6 +441,7 @@ async def update_lost_report(
         del lost_report_data["type"]
         lost_report_data["type_id"] = type_id
 
+    reject_mongo_operators(lost_report_data)
     updated_lost_report = await lost_reports_collection.update_one(
         {"_id": lost_report_id_bson}, {"$set": lost_report_data}
     )

diff --git a/server/database/loanertech.py b/server/database/loanertech.py
@@ -2,6 +2,7 @@
 
 from server.database import database
 from server.helpers.db import get_next_sequence_value
+from server.helpers.sanitize import reject_mongo_operators
 from server.models.loanertech import LoanerTechItem, LoanerTechItemUnauthorized
 
 sequence_id_collection = database.get_collection("sequence_id")
@@ -47,6 +48,7 @@ async def retrieve_loanertechs() -> list[LoanerTechItem]:
 
 # Add a new loanertech item into the database
 async def add_loanertech(loanertech_data: dict) -> LoanerTechItem:
+    reject_mongo_operators(loanertech_data)
     # Add the ID to the loanertech data
     loanertech_data["_id"] = await get_next_sequence_value(
         "loanertech_id", sequence_id_collection
@@ -81,6 +83,7 @@ async def update_loanertech(id: int, data: dict) -> bool:
     # Return false if an empty request body is sent.
     if len(data) < 1:
         return False
+    reject_mongo_operators(data)
     loanertech = await loanertech_collection.find_one({"_id": id})
     if loanertech:
         updated_loanertech = await loanertech_collection.update_one(

diff --git a/server/helpers/sanitize.py b/server/helpers/sanitize.py
@@ -0,0 +1,56 @@
+from __future__ import annotations
+
+import re
+from typing import Any
+
+import bleach
+
+# Pattern for a 24-character hexadecimal string (upper or lower case),
+# used by is_valid_object_id() below.
+_OBJECT_ID_RE = re.compile(r"^[a-fA-F0-9]{24}$")
+
+
+def strip_tags(text: str | None) -> str:
+    """Strip HTML markup from ``text``.
+
+    ``<script>`` and ``<style>`` elements are removed together with their
+    contents first; every remaining tag is then stripped by ``bleach.clean``
+    with an empty tag/attribute allow-list.
+
+    Args:
+        text: The string to clean.
+
+    Returns:
+        The cleaned string produced by ``bleach.clean``.
+
+    Raises:
+        TypeError: If ``text`` is ``None``.
+    """
+    if text is None:
+        raise TypeError("strip_tags() expected a string, got None")
+    # First, remove script and style tags with their content using regex
+    # This handles cases where bleach might leave script content
+    text = re.sub(
+        r"<script[^>]*>.*?</script>", "", text, flags=re.IGNORECASE | re.DOTALL
+    )
+    text = re.sub(r"<style[^>]*>.*?</style>", "", text, flags=re.IGNORECASE | re.DOTALL)
+    # Remove all remaining HTML tags using bleach
+    return bleach.clean(text, tags=[], attributes={}, strip=True)
+
+
+def normalize_ws(text: str) -> str:
+    """Collapse each run of whitespace to one space and trim both ends.
+
+    A falsy ``text`` (for example ``None`` or ``""``) yields ``""``.
+    """
+    source = text if text else ""
+    collapsed = re.sub(r"\s+", " ", source)
+    return collapsed.strip()
+
+
+def sanitize_text(text: str, max_len: int | None = None) -> str:
+    """Strip markup, normalize whitespace, and optionally truncate.
+
+    ``text`` is passed through ``str()`` first, so non-string input is
+    stringified before cleaning (``None`` becomes ``"None"``).
+
+    Args:
+        text: Value to sanitize.
+        max_len: When given, the result is cut to at most this many characters.
+
+    Returns:
+        The cleaned, whitespace-normalized (and possibly truncated) string.
+    """
+    result = normalize_ws(strip_tags(str(text)))
+    if max_len is None or len(result) <= max_len:
+        return result
+    return result[:max_len]
+
+
+def is_valid_object_id(value: str) -> bool:
+    """Return True only if ``value`` is a str fully matching ``_OBJECT_ID_RE``.
+
+    Non-string values are rejected without raising.
+    """
+    return isinstance(value, str) and _OBJECT_ID_RE.fullmatch(value) is not None
+
+
+def _reject_key(key: Any) -> None:
+    """Raise ``ValueError`` for string keys starting with ``$`` or containing ``.``.
+
+    Keys that are not strings are accepted unchanged.
+    """
+    if not isinstance(key, str):
+        return
+    if key.startswith("$") or "." in key:
+        raise ValueError("MongoDB operator or dotted keys are not allowed in input")
+
+
+def reject_mongo_operators(obj: Any) -> Any:
+    """Recursively check dict keys in ``obj`` and return ``obj`` unchanged.
+
+    Dicts have every key checked with ``_reject_key`` and every value
+    recursed into; lists have every element recursed into. Any other value
+    is returned as-is.
+
+    Raises:
+        ValueError: Propagated from ``_reject_key`` for a key that starts
+            with ``$`` or contains ``.``.
+    """
+    if isinstance(obj, dict):
+        for key, value in obj.items():
+            _reject_key(key)
+            reject_mongo_operators(value)
+        return obj
+    if isinstance(obj, list):
+        for element in obj:
+            reject_mongo_operators(element)
+    return obj
diff --git a/server/models/__init__.py b/server/models/__init__.py
@@ -1,20 +0,0 @@
-from typing import Any
-
-from pydantic import BaseModel
-
-
-class ResponseModel(BaseModel):
-    data: Any
-    message: str
-
-
-class BoolResponse(ResponseModel):
-    data: bool
-
-
-class StringListResponse(ResponseModel):
-    data: list[str]
-
-
-class IntResponse(ResponseModel):
-    data: int

diff --git a/server/models/auth.py b/server/models/auth.py
@@ -1,12 +1,26 @@
-from pydantic import BaseModel, Field
+from uuid import UUID
+
+from pydantic import BaseModel, Field, field_validator
 
 
 class TokenRequest(BaseModel):
     code: str = Field(...)
 
+    @field_validator("code", mode="before")
+    @classmethod
+    def v_code(cls, v: str) -> str:
+        """Normalize ``code`` and require it to be a version-4 UUID.
+
+        Non-string input is stringified; string input is stripped of
+        surrounding whitespace.
+
+        Returns:
+            The canonical string form of the parsed UUID.
+
+        Raises:
+            ValueError: If the value is not a UUID or its version is not 4.
+        """
+        # Strip whitespace
+        v = v.strip() if isinstance(v, str) else str(v)
+        try:
+            # Parse without ``version=4``: that argument overwrites the
+            # version bits, so every well-formed UUID would pass as a v4.
+            uuid_obj = UUID(v)
+        except (ValueError, AttributeError):
+            raise ValueError("code must be a valid UUID v4") from None
+        if uuid_obj.version != 4:
+            raise ValueError("code must be a valid UUID v4")
+        return str(uuid_obj)
+
     class Config:
         json_schema_extra = {
             "example": {
-                "code": "adsa-sda-dsa-ds-d-asd",
+                "code": "550e8400-e29b-41d4-a716-446655440000",
             }
         }
diff --git a/server/models/backtest.py b/server/models/backtest.py
@@ -1,6 +1,20 @@
-from typing import TypedDict
+from typing import Annotated, TypedDict
 
-from server.models import ResponseModel
+from pydantic import BeforeValidator
+
+from server.models.common import ResponseModel, validate_object_id
+
+
+def validate_course_code(v: str) -> str:
+    """Validate that a string is a valid course code (exactly 4 uppercase letters).
+
+    String input is stripped of surrounding whitespace; any other input is
+    stringified before the check.
+
+    Returns:
+        The stripped course code.
+
+    Raises:
+        ValueError: If the value is not exactly four ASCII letters A-Z.
+    """
+    v = v.strip() if isinstance(v, str) else str(v)
+    # isascii() keeps the check to A-Z: isalpha()/isupper() on their own also
+    # accept non-ASCII uppercase letters such as "É".
+    if not (len(v) == 4 and v.isascii() and v.isalpha() and v.isupper()):
+        raise ValueError("must be exactly 4 uppercase letters (A-Z)")
+    return v
+
+
+# Annotated ``str`` aliases: each attaches its validator function as a
+# pydantic BeforeValidator.
+ObjectId = Annotated[str, BeforeValidator(validate_object_id)]
+CourseCode = Annotated[str, BeforeValidator(validate_course_code)]
 
 
 class Course(TypedDict):

diff --git a/server/models/common.py b/server/models/common.py
@@ -0,0 +1,45 @@
+from typing import Annotated, Any
+
+from pydantic import BaseModel, BeforeValidator
+
+from server.helpers.sanitize import is_valid_object_id, sanitize_text
+
+
+def validate_name(v: str) -> str:
+    """Validate and sanitize name filter (max 100 characters).
+
+    Delegates to ``sanitize_text`` with ``max_len=100``, so the result is the
+    sanitized text cut to at most 100 characters.
+    """
+    return sanitize_text(v, max_len=100)
+
+
+def validate_object_id(v: str) -> str:
+    """Return ``v`` unchanged when ``is_valid_object_id`` accepts it.
+
+    Raises:
+        ValueError: If ``v`` is not a valid ObjectId string.
+    """
+    if is_valid_object_id(v):
+        return v
+    raise ValueError("must be a valid ObjectId (24 hexadecimal characters)")
+
+
+def validate_name_filter(v: str | None) -> str | None:
+    """Pass ``None`` through untouched; otherwise apply ``validate_name``."""
+    return None if v is None else validate_name(v)
+
+
+# Annotated ``str`` aliases that attach the name validators as pydantic
+# BeforeValidators.
+# NOTE(review): validate_name_filter can return None while NameFilter is
+# annotated as plain ``str`` - confirm that fields using it are declared
+# optional where None must be accepted.
+NameFilter = Annotated[str, BeforeValidator(validate_name_filter)]
+Name = Annotated[str, BeforeValidator(validate_name)]
+
+
+class ResponseModel(BaseModel):
+    # Base response shape: an untyped payload plus a message string.
+    # Subclasses below narrow the type of `data`.
+    data: Any
+    message: str
+
+
+class BoolResponse(ResponseModel):
+    # Narrows the inherited `data` field to a bool.
+    data: bool
+
+
+class StringListResponse(ResponseModel):
+    # Narrows the inherited `data` field to a list of strings.
+    data: list[str]
+
+
+class IntResponse(ResponseModel):
+    # Narrows the inherited `data` field to an int.
+    data: int