User Story
In order to ensure CKAN follows best security practices regarding sanitizing inputs, data.gov wants to audit URL parameters in CKAN in order to ensure all URL inputs are properly sanitized before processing.
Acceptance Criteria
[ACs should be clearly demoable/verifiable whenever possible. Try specifying them using BDD.]
[ ] WHEN I inspect the CKAN tests
THEN I see scenarios testing URL parameter sanitization
Background
https://github.com/GSA/datagov-deploy/issues/3245
https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html (and OWASP in general)
Security Considerations (required)
[Any security concerns that might be implicated in the change. "None" is OK, just be explicit here!]
Sketch
`sort` parameter for dataset search was explicitly identified. Add an explicit test case for (https://github.com/GSA/datagov-deploy/issues/3245)
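One shape the `sort` test scenarios could take, as an added example that is not CKAN's or data.gov's own code: an allowlist validator for the comma-separated "field direction" string that dataset search accepts, plus the inputs a test would exercise. The function names, the field allowlist and the clause limit are assumptions made for illustration.

```python
import re

# Assumed allowlist; a real deployment would derive it from its search schema.
ALLOWED_SORT_FIELDS = frozenset(
    {"score", "name", "title_string", "metadata_modified", "metadata_created"}
)
ALLOWED_DIRECTIONS = frozenset({"asc", "desc"})
MAX_SORT_CLAUSES = 3   # assumed limit
MAX_SORT_LENGTH = 200  # assumed limit
_FIELD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")


class InvalidSort(ValueError):
    """Raised when a sort parameter fails validation."""


def normalize_sort(raw, allowed_fields=ALLOWED_SORT_FIELDS):
    """Return the canonical 'field dir, field dir' string or raise InvalidSort."""
    if not isinstance(raw, str) or len(raw) > MAX_SORT_LENGTH:
        raise InvalidSort("sort must be a short string")
    clauses = raw.split(",")
    if len(clauses) > MAX_SORT_CLAUSES:
        raise InvalidSort("too many sort clauses")
    seen, out = set(), []
    for clause in clauses:
        parts = clause.split()
        if len(parts) != 2:
            raise InvalidSort("each clause must be '<field> <direction>'")
        field, direction = parts[0], parts[1].lower()
        # The regex guards against a misconfigured allowlist; the allowlist
        # itself is the primary control.
        if not _FIELD_RE.match(field) or field not in allowed_fields:
            raise InvalidSort("field is not sortable")
        if direction not in ALLOWED_DIRECTIONS:
            raise InvalidSort("direction must be asc or desc")
        if field in seen:
            raise InvalidSort("duplicate sort field")
        seen.add(field)
        out.append(f"{field} {direction}")
    # Rebuild the value from validated tokens instead of passing raw input on.
    return ", ".join(out)


def is_valid_sort(raw):
    """Boolean wrapper, convenient for parametrized test scenarios."""
    try:
        normalize_sort(raw)
        return True
    except InvalidSort:
        return False
```

The search backend receives only the rebuilt string, so anything outside the allowlist never reaches the query.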