Clinical-Genomics / genotype

Simple genotype comparison of VCF files
http://taboo.readthedocs.org/en/latest/
MIT License

Added a check for user-defined sample_id before logging it. #64

Closed ChrOertlin closed 1 year ago

ChrOertlin commented 1 year ago

This PR adds/fixes ...

This PR aims to fix a possible injection vulnerability identified by sonarcloud. The user-provided sample id is logged without checks.

removed logging of sample_id

How to prepare for test:

- [ ] ssh to Hasta
- [ ] install on stage of Hasta: bash /home/proj/production/servers/resources/hasta.scilifelab.se/update-tool-stage.sh -e S_genotype -t genotype -b update_security

How to test:

Login to the stage environment.

Make sure the pipeline runs without issues.

cg upload genotypes

Review:

Tests executed by CO
"Merge and deploy" approved by

Thanks for filling in who performed the code review and the test!

This version is a:

- MAJOR - when you make incompatible API changes
- MINOR - when you add functionality in a backwards compatible manner
- PATCH - when you make backwards compatible bug fixes or documentation/instructions

Implementation plan:

Deploy to prod when tested

sonarcloud[bot] commented 1 year ago

Kudos, SonarCloud Quality Gate passed!

Bug: A (0 Bugs)
Vulnerability: A (0 Vulnerabilities)
Security Hotspot: A (0 Security Hotspots)
Code Smell: A (0 Code Smells)

No Coverage information
No Duplication information

ChrOertlin commented 1 year ago

@moedarrah and I went over the frontend endpoints. It turned out that the function in question (sample) is not called at all by the front end.

The sample function was created by Peter Andeer 7 years ago. Another function (samples) created by Måns 2 years ago seems to be called now for both plate_id and sample_id parses.

The sample function is called in other scripts match_cmd.py, store_cmb.py and view.py.

Is there a specific purpose of logging that an ID was not found? The ID refers to ACCxxxxxxAx ids (i.e. internal sample ids)
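Added example (not code from the PR or the genotype project) of how the "ID not found" log line discussed in the PR description and in this comment could be kept without the injection risk: the id is checked against the ACCxxxxxxAx shape before it reaches the logger, and anything rejected is logged only in a neutralized form. The exact digit counts in the pattern, the function names and the constructed inputs are assumptions.

```python
import logging
import re
from io import StringIO

# Internal sample ids look like ACCxxxxxxAx (e.g. ACC10281A11 in the test log).
# The digit ranges below are an assumption, not the project's definition.
SAMPLE_ID_RE = re.compile(r"ACC\d{4,6}A\d{1,2}")


def is_valid_sample_id(sample_id: str) -> bool:
    """Whole-string match, so a trailing newline or extra text is rejected."""
    return SAMPLE_ID_RE.fullmatch(sample_id) is not None


def sanitize_for_log(value: str, max_len: int = 64) -> str:
    """Escape non-printable characters (CR, LF, ...) so untrusted input
    cannot start a new, forged log record; cap the length as well."""
    cleaned = "".join(
        ch if ch.isprintable() else f"\\x{ord(ch):02x}" for ch in value
    )
    return cleaned[:max_len]


def lookup_sample(sample_id: str, known: set, log: logging.Logger) -> bool:
    """Hypothetical lookup: validate first, then it is safe to log the id as-is."""
    if not is_valid_sample_id(sample_id):
        log.warning("rejected malformed sample id: %s", sanitize_for_log(sample_id))
        return False
    if sample_id not in known:
        log.info("sample %s not found", sample_id)  # already validated above
        return False
    return True


def capture_log_lines(sample_ids, known):
    """Run the lookups against an in-memory log and return the emitted lines."""
    buf = StringIO()
    log = logging.getLogger("genotype.example")
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    log.addHandler(handler)
    for sid in sample_ids:
        lookup_sample(sid, known, log)
    log.removeHandler(handler)
    return buf.getvalue().splitlines()
```

With a constructed input containing a newline, the output stays one record per call, so a log reader (or a detection rule keyed on the level prefix) cannot be fooled by an injected line.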

ChrOertlin commented 1 year ago

cg upload genotypes simplemonkey
/home/proj/stage/bin/miniconda3/envs/S_main/lib/python3.7/site-packages/sqlalchemy/orm/relationships.py:2231: SAWarning: Cascade settings "delete, merge, save-update" should not be combined with a viewonly=True relationship. This configuration will raise an error in version 1.4. Note that in versions prior to 1.4, these cascade settings may still produce a mutating effect even though this relationship is marked as viewonly=True.
  "viewonly=True." % (", ".join(sorted(non_viewonly)))
Called undefined fields on HousekeeperAPI, please wrap
Called undefined fields on HousekeeperAPI, please wrap
Called undefined fields on HousekeeperAPI, please wrap
Called undefined fields on HousekeeperAPI, please wrap
Called undefined fields on HousekeeperAPI, please wrap
Called undefined fields on HousekeeperAPI, please wrap
Called undefined fields on HousekeeperAPI, please wrap
Called undefined fields on HousekeeperAPI, please wrap
Called undefined fields on HousekeeperAPI, please wrap
Called undefined fields on HousekeeperAPI, please wrap
----------------- UPLOAD -----------------
----------------- GENOTYPES -------------------
/home/proj/stage/bin/miniconda3/envs/S_main/lib/python3.7/site-packages/sqlalchemy/orm/relationships.py:1998: SAWarning: Setting backref / back_populates on relationship Demux.samples to refer to viewonly relationship Sample.demuxes should include sync_backref=False set on the Demux.samples relationship. (this warning may be suppressed after 10 occurrences)
  (rel_b, rel_a, rel_b),
/home/proj/stage/bin/miniconda3/envs/S_main/lib/python3.7/site-packages/sqlalchemy/orm/relationships.py:1998: SAWarning: Setting backref / back_populates on relationship Sample.demuxes to refer to viewonly relationship Demux.samples should include sync_backref=False set on the Sample.demuxes relationship. (this warning may be suppressed after 10 occurrences)
  (rel_b, rel_a, rel_b),
Initializing UploadGenotypesAPI
Fetching upload genotype data for simplemonkey
Fetch latest version from bundle simplemonkey
Fetching files with tags in [genotype]
Fetching files from version 106105
Fetching files with tags in [qc-metrics,deliverable]
Fetching files from version 106105
loading VCF genotypes for sample(s): ACC10281A11
Running command /home/proj/stage/bin/miniconda3/envs/S_genotype/bin/genotype --config /home/proj/stage/servers/config/hasta.scilifelab.se/genotype-stage.yaml load /home/proj/stage/housekeeper-bundles/simplemonkey/2022-08-12/simplemonkey_gatkcomb.bcf
Running command /home/proj/stage/bin/miniconda3/envs/S_genotype/bin/genotype --config /home/proj/stage/servers/config/hasta.scilifelab.se/genotype-stage.yaml add-sex ACC10281A11 -s female
Running command /home/proj/stage/bin/miniconda3/envs/S_genotype/bin/genotype --config /home/proj/stage/servers/config/hasta.scilifelab.se/genotype-stage.yaml add-sex ACC10281A11 -a sequence female