Fix: Frame Injection (azul-private#12)

[dsotirho-ucsc]

Connected issues: DataBiosphere/azul-private#12

Checklist

Author

• PR is a draft
• Target branch is develop
• Name of PR branch matches issues/<GitHub handle of author>/<issue#>-<slug>
• PR title references all connected issues
• PR title matches¹ that of a connected issue _{or comment in PR explains why they're different}
• For each connected issue, there is at least one commit whose title references that issue
• PR is connected to all connected issues via ZenHub
• PR description links to connected issues
• Added partial label to PR _{or this PR completely resolves all connected issues}

¹ when the issue title describes a problem, the corresponding PR
title is Fix: followed by the issue title

Author (reindex, API changes)

• Added r tag to commit title _{or this PR does not require reindexing}
• Added reindex label to PR _{or this PR does not require reindexing}
• Added a (compatible changes) or A (incompatible ones) tag to commit title _{or this PR does not modify the Azul service API}
• Added API label to connected issues _{or this PR does not modify the Azul service API}

Author (chains)

• This PR is blocked by previous PR in the chain _{or this PR is not chained to another PR}
• Added base label to the blocking PR _{or this PR is not chained to another PR}
• Added chained label to this PR _{or this PR is not chained to another PR}

Author (upgrading)

• Documented upgrading of deployments in UPGRADING.rst _{or this PR does not require upgrading}
• Added u tag to commit title _{or this PR does not require upgrading}
• Added upgrade label to PR _{or this PR does not require upgrading}

Author (operator tasks)

• Added checklist items for additional operator tasks _{or this PR does not require additional tasks}

Author (hotfixes)

• Added F tag to main commit title _{or this PR does not include permanent fix for a temporary hotfix}
• Reverted the temporary hotfixes for any connected issues _{or the prod branch has no temporary hotfixes for any connected issues}

Author (before every review)

• Rebased PR branch on develop, squashed old fixups
• Ran make requirements_update _{or this PR does not touch requirements*.txt, common.mk, Makefile and Dockerfile}
• Added R tag to commit title _{or this PR does not touch requirements*.txt}
• Added reqs label to PR _{or this PR does not touch requirements*.txt}
• make integration_test passes in personal deployment _{or this PR does not touch functionality that could break the IT}

Peer reviewer (after requesting changes)

Uncheck the Author (before every review) checklists.

Peer reviewer (after approval)

• PR is not a draft
• Ticket is in Review requested column
• Requested review from primary reviewer
• Assigned PR to primary reviewer

Primary reviewer (after requesting changes)

Uncheck the before every review checklists. Update the N reviews label.

Primary reviewer (after approval)

• Actually approved the PR
• Labeled connected issues as demo or no demo
• Commented on connected issues about demo expectations _{or all connected issues are labeled no demo}
• Decided if PR can be labeled no sandbox
• PR title is appropriate as title of merge commit
• N reviews label is accurate
• Moved ticket to Approved column
• Assigned PR to current operator

Operator (before pushing merge the commit)

• Checked reindex label and r commit title tag
• Checked that demo expectations are clear _{or all connected issues are labeled no demo}
• Squashed PR branch and rebased onto develop
• Sanity-checked history
• Pushed PR branch to GitHub
• Pushed PR branch to GitLab dev and added sandbox label _{or PR is labeled no sandbox}
• Pushed PR branch to GitLab anvildev _{or PR is labeled no sandbox}
• Build passes in sandbox deployment _{or PR is labeled no sandbox}
• Build passes in anvilbox deployment _{or PR is labeled no sandbox}
• Reviewed build logs for anomalies in sandbox deployment _{or PR is labeled no sandbox}
• Reviewed build logs for anomalies in anvilbox deployment _{or PR is labeled no sandbox}
• Deleted unreferenced indices in sandbox _{or this PR does not remove catalogs or otherwise causes unreferenced indices}
• Deleted unreferenced indices in anvilbox _{or this PR does not remove catalogs or otherwise causes unreferenced indices}
• Started reindex in sandbox _{or this PR does not require reindexing sandbox}
• Started reindex in anvilbox _{or this PR does not require reindexing sandbox}
• Checked for failures in sandbox _{or this PR does not require reindexing sandbox}
• Checked for failures in anvilbox _{or this PR does not require reindexing sandbox}
• Added PR reference to merge commit title
• Collected commit title tags in merge commit title
• Moved connected issues to Merged column in ZenHub
• Pushed merge commit to GitHub

Operator (after pushing the merge commit)

• Shortened the PR chain _{or this PR is not labeled base}
• Pushed merge commit to GitLab dev _{or PR is labeled no sandbox}
• Pushed merge commit to GitLab anvildev _{or PR is labeled no sandbox}
• Build passes on GitLab dev¹
• Reviewed build logs for anomalies on GitLab dev¹
• Build passes on GitLab anvildev¹
• Reviewed build logs for anomalies on GitLab anvildev¹
• Deleted PR branch from GitHub
• Deleted PR branch from GitLab dev
• Deleted PR branch from GitLab anvildev

¹ When pushing the merge commit is skipped due to the PR being
labelled no sandbox, the next build triggered by a PR whose merge commit is
pushed determines this checklist item.

Operator (reindex)

• Deleted unreferenced indices in dev _{or this PR does not remove catalogs or otherwise causes unreferenced indices}
• Deleted unreferenced indices in anvildev _{or this PR does not remove catalogs or otherwise causes unreferenced indices}
• Started reindex in dev _{or this PR does not require reindexing}
• Started reindex in anvildev _{or this PR does not require reindexing}
• Checked for and triaged indexing failures in dev _{or this PR does not require reindexing}
• Checked for and triaged indexing failures in anvildev _{or this PR does not require reindexing}
• Emptied fail queues in dev deployment _{or this PR does not require reindexing}
• Emptied fail queues in anvildev deployment _{or this PR does not require reindexing}

Operator

• Unassigned PR

Shorthand for review comments

• L line is too long
• W line wrapping is wrong
• Q bad quotes
• F other formatting problem

[coveralls]

Coverage: 84.737% (+0.1%) from 84.627% when pulling d658544 on issues/danielsotirhos/12-html-escape-error-response into e85ce07 on develop.

[codecov]

Codecov Report

Merging #5035 (cf2a871) into develop (e85ce07) will increase coverage by 0.11%.
The diff coverage is 99.27%.

❗ Current head cf2a871 differs from pull request most recent head d658544. Consider uploading reports for the commit d658544 to get more accurate results

@@             Coverage Diff             @@
##           develop    #5035      +/-   ##
===========================================
+ Coverage    84.60%   84.71%   +0.11%     
===========================================
  Files          148      149       +1     
  Lines        18060    18197     +137     
===========================================
+ Hits         15280    15416     +136     
- Misses        2780     2781       +1     

Impacted Files	Coverage Δ
test/test_content_type.py	99.16% <99.16%> (ø)
src/azul/chalice.py	89.74% <100.00%> (+0.70%)	⬆️
test/app_test_case.py	89.55% <100.00%> (+0.32%)	⬆️

[nadove-ucsc]

More descriptive name

Suggested change

	def _wrapping_middleware(self, event, get_response):
	def _error_wrapping_middleware(self, event, get_response):

[nadove-ucsc]

I think it's more conventional to write the operands in this order. I certainly find it easier to read this way.

Suggested change

	if -1 < text_html and (star_star == -1 or text_html < star_star):
	if text_html > -1 and (star_star == -1 or text_html < star_star):

[nadove-ucsc]

Looks good 👍

[hannes-ucsc]

I'd like to see the tests prove that the original body is HTML-escaped. That's what's ultimately behind all this.

[hannes-ucsc]

I specified a different condition in the ticket. Please fix or explain the deviation.

[hannes-ucsc]

Suggested change

	if text_html > -1 and (star_star == -1 or text_html < star_star):
	if 0 <= text_html and (star_star < 0 or text_html < star_star):

[hannes-ucsc]

Explain use of { and str. What's the type of response.body?

[hannes-ucsc]

This is all very hard to parse and understand. Consider triple-quoted string and textwrap.dedent.

Also don't mix serialized and deserialized literals. Makes it even harder to examine for correctness.

[hannes-ucsc]

Suggested change

	with self.subTest(headers=headers):
	with self.subTest(accept=accept):

and swap lines

[hannes-ucsc]

Index: test/test_content_type.py
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/test/test_content_type.py b/test/test_content_type.py
--- a/test/test_content_type.py	(revision 145cc0157017310efbc5cbc6dbbfc973970962a5)
+++ b/test/test_content_type.py	(date 1681774413142)
@@ -106,8 +106,7 @@
         def route():
             return '<script />'
 
-        # noinspection PyUnusedLocal
-        def expected(debug: bool, wrapped: bool) -> Tuple[str, str]:
+        def expected(_debug: bool, _wrapped: bool) -> tuple[str, str]:
             text = '<script />'
             content_type = 'application/json'
             return text, content_type

https://stackoverflow.com/a/49447358/4171119 is what we usually do in this case.

tuple is now generic.

[hannes-ucsc]

Only use _ for unused parameters.

[hannes-ucsc]

Wrap all or None.

[hannes-ucsc]

We typically use k for key and then you won't need to wrap.