Merge pull request #115 from AltSchool/fix/protectfilters

benbardin · benbardin · commit fdf345e0f63b · 2016-06-06T12:04:31.000-04:00
protect against weird and broken query params, e.g. "?" where they sh…
diff --git a/dynamic_rest/filters.py b/dynamic_rest/filters.py
@@ -527,6 +527,11 @@ def _filter_queryset(
                 raise ValidationError(
                     dict(e) if hasattr(e, 'error_dict') else list(e)
                 )
+            except Exception as e:
+                # Some other Django error in parsing the filter. Very likely
+                # a bad query, so throw a ValidationError.
+                err_msg = getattr(e, 'message', '')
+                raise ValidationError(err_msg)
 
         # A serializer can have this optional function
         # to dynamically apply additional filters on
diff --git a/tests/test_api.py b/tests/test_api.py
@@ -1491,3 +1491,15 @@ def test_immutable_field(self):
         # ... and it should not have changed:
         self.assertEqual(data['cat']['parent'], parent_id)
         self.assertEqual(data['cat']['name'], kitten_name)
+
+
+class TestFilters(APITestCase):
+
+    """
+    Tests for filters.
+    """
+
+    def testUnparseableInt(self):
+        url = '/users/?filter{pk}=123x'
+        response = self.client.get(url)
+        self.assertEqual(400, response.status_code)
