Add APIHandler base class

- ensures all API responses are json - sets CSP to prevent js execution on all API replies
2024-12-27 04:20:22 +08:00 · 2015-06-20 09:34:08 -07:00 · 2015-06-20 09:34:08 -07:00 · 709ed0d04b
commit 709ed0d04b
parent acbe5cc442
9 changed files with 35 additions and 26 deletions
--- a/notebook/base/handlers.py
+++ b/notebook/base/handlers.py
@ -301,7 +301,14 @@ class IPythonHandler(AuthenticatedHandler):
            html = self.render_template('error.html', **ns)
        
        self.write(html)
-        
+
+
+class APIHandler(IPythonHandler):
+    """Base class for API handlers"""
+    def finish(self, *args, **kwargs):
+        self.set_header('Content-Security-Policy', "default-src 'none'")
+        self.set_header('Content-Type', 'application/json')
+        return super(APIHandler, self).finish(*args, **kwargs)


 class Template404(IPythonHandler):
@ -364,6 +371,7 @@ def json_errors(method):
        try:
            result = yield gen.maybe_future(method(self, *args, **kwargs))
        except web.HTTPError as e:
+            self.set_header('Content-Type', 'application/json')
            status = e.status_code
            message = e.log_message
            self.log.warn(message)
@ -371,6 +379,7 @@ def json_errors(method):
            reply = dict(message=message, reason=e.reason)
            self.finish(json.dumps(reply))
        except Exception:
+            self.set_header('Content-Type', 'application/json')
            self.log.error("Unhandled error in API request", exc_info=True)
            status = 500
            message = "Unknown server error"
@ -447,7 +456,7 @@ class FileFindHandler(web.StaticFileHandler):
        return super(FileFindHandler, self).validate_absolute_path(root, absolute_path)


-class ApiVersionHandler(IPythonHandler):
+class APIVersionHandler(APIHandler):

    @json_errors
    def get(self):
@ -518,5 +527,5 @@ path_regex = r"(?P<path>(?:(?:/[^/]+)+|/?))"

 default_handlers = [
    (r".*/", TrailingSlashHandler),
-    (r"api", ApiVersionHandler)
+    (r"api", APIVersionHandler)
 ]
--- a/notebook/services/config/handlers.py
+++ b/notebook/services/config/handlers.py
@ -9,9 +9,9 @@ import errno
 from tornado import web

 from ipython_genutils.py3compat import PY3
-from ...base.handlers import IPythonHandler, json_errors
+from ...base.handlers import APIHandler, json_errors

-class ConfigHandler(IPythonHandler):
+class ConfigHandler(APIHandler):
    SUPPORTED_METHODS = ('GET', 'PUT', 'PATCH')

    @web.authenticated
--- a/notebook/services/contents/handlers.py
+++ b/notebook/services/contents/handlers.py
@ -14,7 +14,7 @@ from notebook.utils import url_path_join, url_escape
 from jupyter_client.jsonutil import date_default

 from notebook.base.handlers import (
-    IPythonHandler, json_errors, path_regex,
+    IPythonHandler, APIHandler, json_errors, path_regex,
 )


@ -78,7 +78,7 @@ def validate_model(model, expect_content):
            )


-class ContentsHandler(IPythonHandler):
+class ContentsHandler(APIHandler):

    SUPPORTED_METHODS = (u'GET', u'PUT', u'PATCH', u'POST', u'DELETE')

@ -260,7 +260,7 @@ class ContentsHandler(IPythonHandler):
        self.finish()


-class CheckpointsHandler(IPythonHandler):
+class CheckpointsHandler(APIHandler):

    SUPPORTED_METHODS = ('GET', 'POST')

@ -289,7 +289,7 @@ class CheckpointsHandler(IPythonHandler):
        self.finish(data)


-class ModifyCheckpointsHandler(IPythonHandler):
+class ModifyCheckpointsHandler(APIHandler):

    SUPPORTED_METHODS = ('POST', 'DELETE')

--- a/notebook/services/kernels/handlers.py
+++ b/notebook/services/kernels/handlers.py
@ -16,12 +16,12 @@ from jupyter_client.jsonutil import date_default
 from ipython_genutils.py3compat import cast_unicode
 from notebook.utils import url_path_join, url_escape

-from ...base.handlers import IPythonHandler, json_errors
+from ...base.handlers import IPythonHandler, APIHandler, json_errors
 from ...base.zmqhandlers import AuthenticatedZMQStreamHandler, deserialize_binary_message

 from jupyter_client import protocol_version as client_protocol_version

-class MainKernelHandler(IPythonHandler):
+class MainKernelHandler(APIHandler):

    @web.authenticated
    @json_errors
@ -49,7 +49,7 @@ class MainKernelHandler(IPythonHandler):
        self.finish(json.dumps(model))


-class KernelHandler(IPythonHandler):
+class KernelHandler(APIHandler):

    SUPPORTED_METHODS = ('DELETE', 'GET', 'OPTIONS')

@ -76,7 +76,7 @@ class KernelHandler(IPythonHandler):
        self.finish()


-class KernelActionHandler(IPythonHandler):
+class KernelActionHandler(APIHandler):

    @web.authenticated
    @json_errors
--- a/notebook/services/kernelspecs/handlers.py
+++ b/notebook/services/kernelspecs/handlers.py
@ -13,7 +13,7 @@ pjoin = os.path.join

 from tornado import web

-from ...base.handlers import IPythonHandler, json_errors
+from ...base.handlers import APIHandler, json_errors
 from ...utils import url_path_join

 def kernelspec_model(handler, name):
@ -43,7 +43,7 @@ def kernelspec_model(handler, name):
        )
    return d

-class MainKernelSpecHandler(IPythonHandler):
+class MainKernelSpecHandler(APIHandler):
    SUPPORTED_METHODS = ('GET', 'OPTIONS')

    @web.authenticated
@ -70,7 +70,7 @@ class MainKernelSpecHandler(IPythonHandler):
        self.finish()


-class KernelSpecHandler(IPythonHandler):
+class KernelSpecHandler(APIHandler):
    SUPPORTED_METHODS = ('GET',)

    @web.authenticated
--- a/notebook/services/nbconvert/handlers.py
+++ b/notebook/services/nbconvert/handlers.py
@ -2,9 +2,9 @@ import json

 from tornado import web

-from ...base.handlers import IPythonHandler, json_errors
+from ...base.handlers import APIHandler, json_errors

-class NbconvertRootHandler(IPythonHandler):
+class NbconvertRootHandler(APIHandler):
    SUPPORTED_METHODS = ('GET',)

    @web.authenticated
--- a/notebook/services/security/handlers.py
+++ b/notebook/services/security/handlers.py
@ -5,10 +5,10 @@

 from tornado import gen, web

-from ...base.handlers import IPythonHandler, json_errors
+from ...base.handlers import APIHandler, json_errors
 from . import csp_report_uri

-class CSPReportHandler(IPythonHandler):
+class CSPReportHandler(APIHandler):
    '''Accepts a content security policy violation report'''
    @web.authenticated
    @json_errors
--- a/notebook/services/sessions/handlers.py
+++ b/notebook/services/sessions/handlers.py
@ -10,13 +10,13 @@ import json

 from tornado import web

-from ...base.handlers import IPythonHandler, json_errors
+from ...base.handlers import APIHandler, json_errors
 from jupyter_client.jsonutil import date_default
 from notebook.utils import url_path_join, url_escape
 from jupyter_client.kernelspec import NoSuchKernel


-class SessionRootHandler(IPythonHandler):
+class SessionRootHandler(APIHandler):

    @web.authenticated
    @json_errors
@ -74,7 +74,7 @@ class SessionRootHandler(IPythonHandler):
        self.set_header('Access-Control-Allow-Headers', 'accept, content-type')
        self.finish()

-class SessionHandler(IPythonHandler):
+class SessionHandler(APIHandler):

    SUPPORTED_METHODS = ('GET', 'PATCH', 'DELETE')

--- a/notebook/terminal/api_handlers.py
+++ b/notebook/terminal/api_handlers.py
@ -1,9 +1,9 @@
 import json
 from tornado import web, gen
-from ..base.handlers import IPythonHandler, json_errors
+from ..base.handlers import APIHandler, json_errors
 from ..utils import url_path_join

-class TerminalRootHandler(IPythonHandler):
+class TerminalRootHandler(APIHandler):
    @web.authenticated
    @json_errors
    def get(self):
@ -19,7 +19,7 @@ class TerminalRootHandler(IPythonHandler):
        self.finish(json.dumps({'name': name}))


-class TerminalHandler(IPythonHandler):
+class TerminalHandler(APIHandler):
    SUPPORTED_METHODS = ('GET', 'DELETE')

    @web.authenticated