
Validate UUID Format in Public API Requests to Prevent 500 Errors #4794

Merged


@ozer550 ozer550 commented Oct 24, 2024

Summary

Preemptively check that pk is a UUID and return 400 Bad Request otherwise

Description of the change(s) you made

  • Adds validation for UUID
  • Adds Tests

Manual verification steps performed

  1. Ran tests locally

References

closes #4788

Contributor's Checklist

PR process:

  • If this is an important user-facing change, the CHANGELOG label has been added to this PR or the related issue. Note: items with this label will be added to the CHANGELOG at a later time
  • If this includes an internal dependency change, a link to the diff is provided
  • The docs label has been added if this introduces a change that needs to be updated in the user docs
  • If any Python requirements have changed, the updated requirements.txt files are also included in this PR
  • Opportunities for using Google Analytics here are noted
  • Migrations are safe for a large db

Studio-specific:

  • All user-facing strings are translated properly
  • The notranslate class has been added to elements that shouldn't be translated by Google Chrome's automatic translation feature (e.g. icons, user-generated text)
  • All UI components are LTR and RTL compliant
  • Views are organized into pages, components, and layouts directories as described in the docs
  • Users' storage used is recalculated properly on any changes to main tree files
  • If there are new ways this uses user data that need to be factored into our Privacy Policy, it has been noted.

Testing:

  • Code is clean and well-commented
  • Contributor has fully tested the PR manually
  • If there are any front-end changes, before/after screenshots are included
  • Critical user journeys are covered by Gherkin stories
  • Any new interactions have been added to the QA Sheet
  • Critical and brittle code paths are covered by unit tests

Reviewer's Checklist

This section is for reviewers to fill out.

  • Automated test coverage is satisfactory
  • PR is fully functional
  • PR has been tested for accessibility regressions
  • External dependency files were updated if necessary (yarn and pip)
  • Documentation is updated
  • Contributor is in AUTHORS.md


@rtibbles rtibbles left a comment

We should be using 404s for these failed retrievals rather than 400s, I think.

I would also like to keep these APIs as parallel as possible with their Kolibri counterparts!

except ValueError:
return Response(
{"error": "Invalid UUID format."},
status=status.HTTP_400_BAD_REQUEST

Given that this is a retrieve operation, a 404 would be fine here.

Also, you could just put a try catch around:

node = get_object_or_404(models.ContentNode.objects.all(), pk=pk)

Catch the value error and raise a 404 there.


Looks like in Kolibri that line was updated to use self.get_object() - not sure if that's catching the ValueError or not, but I suspect it may be: https://github.com/learningequality/kolibri/blob/develop/kolibri/core/content/public_api.py#L75

except ValueError:
return Response(
{"error": "Invalid UUID format."},
status=status.HTTP_400_BAD_REQUEST

Again, can 404.

As this is mostly just copy pasted from Kolibri, we could just update the get_tree_queryset method to match the Kolibri implementation: https://github.com/learningequality/kolibri/blob/develop/kolibri/core/content/api.py#L1028

(this is useful because it means we continue to keep the two implementations as parallel as possible).

@rtibbles

@ozer550 could you retarget this to hotfixes also?


bjester commented Oct 25, 2024

We should be using 404s for these failed retrievals rather than 400s, I think.

For a public facing API, I'd say 400 is more appropriate, because it more clearly shows consumers of the API that there's an issue with a request they made. For internal or sensitive APIs, I would agree a 404 would be better.


bjester commented Oct 25, 2024

Additionally, if we return a 400, we have better control at the web application firewall in Cloudflare. Should some perpetrator (perhaps even automated) be sending requests we know to be invalid, having the response be 400 clearly distinguishes them from legitimate 404s, allowing us to configure rules to block or challenge those perpetrators should they be creating numerous 400s.

@rtibbles rtibbles added this to the Studio: Q4 patch release 1 milestone Oct 25, 2024

ozer550 commented Nov 4, 2024

@rtibbles @bjester wanted to know how to move on with this further. Putting my thoughts here: I implemented the 400 as the invalid pk was causing the error, and "400 Bad Request" seemed most relevant to me for this case. I agree with Blaine's comments here.

@ozer550 ozer550 force-pushed the add-validation-for-pk-public-api branch from 947e3aa to 6726e56 on November 4, 2024 08:15
@ozer550 ozer550 changed the base branch from unstable to hotfixes November 4, 2024 08:15

rtibbles commented Nov 4, 2024

My only reasoning for a 404 is that it's a request for a specific object, with a specific identifier - as the identifier is bad, by definition it doesn't exist, so a 404 does work, this would also be parallel to the same public API on Kolibri. A 400 is also not a blocker for me though.
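The shape of the fix this thread converges on, as an added example that is not code from this PR or from Studio: the ORM lookup is replaced by a constructed in-memory stand-in (`FAKE_NODES`, `NotFound` and `lookup_node` are assumptions), so the pre-fix failure, the 400 the PR chose and the 404 the reviewer suggested can be compared side by side.

```python
import uuid
from typing import Dict, Tuple

# Constructed stand-in for the ContentNode table: canonical 32-char hex -> record.
FAKE_NODES: Dict[str, dict] = {
    uuid.UUID("1f3d6c0e-7b2a-4c9e-9a1b-2c3d4e5f6a7b").hex: {"title": "Intro to fractions"},
}


class NotFound(Exception):
    """Stands in for django.http.Http404 (assumption: no Django in this example)."""


def lookup_node(pk: str) -> dict:
    """Mimics get_object_or_404(models.ContentNode.objects.all(), pk=pk).

    uuid.UUID() raises ValueError for a malformed key; that is the error the
    thread says escaped the original view and surfaced as a 500.
    """
    key = uuid.UUID(pk).hex  # ValueError on e.g. "not-a-uuid"
    if key not in FAKE_NODES:
        raise NotFound(pk)
    return FAKE_NODES[key]


def retrieve_unguarded(pk: str) -> Tuple[int, dict]:
    """Pre-fix shape: only the missing-object case is handled, so a malformed
    pk lets ValueError propagate out of the view (the 500 from the issue)."""
    try:
        return 200, lookup_node(pk)
    except NotFound:
        return 404, {"detail": "Not found."}


def retrieve(pk: str, invalid_status: int = 400) -> Tuple[int, dict]:
    """Post-fix shape: ValueError is caught before it reaches the handler.

    invalid_status=400 is the PR's choice (malformed request, distinguishable
    from real 404s at the WAF); invalid_status=404 is the reviewer's
    alternative (a bad id names nothing, parallel to Kolibri's public API).
    """
    try:
        node = lookup_node(pk)
    except ValueError:
        return invalid_status, {"error": "Invalid UUID format."}
    except NotFound:
        return 404, {"detail": "Not found."}
    return 200, node
```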

@rtibbles rtibbles self-assigned this Nov 5, 2024

Successfully merging this pull request may close these issues.

Add defensive checks against URI parameters in the public API