server/api: extra validation of list fields

server/szurubooru/api/post_api.py

@@ -47,14 +47,14 @@ def create_post(
     else:
         auth.verify_privilege(ctx.user, 'posts:create:identified')
     content = ctx.get_file('content')
-    tag_names = ctx.get_param_as_list('tags', default=[])
+    tag_names = ctx.get_param_as_string_list('tags', default=[])
     safety = ctx.get_param_as_string('safety')
     source = ctx.get_param_as_string('source', default='')
     if ctx.has_param('contentUrl') and not source:
         source = ctx.get_param_as_string('contentUrl', default='')
-    relations = ctx.get_param_as_list('relations', default=[])
+    relations = ctx.get_param_as_int_list('relations', default=[])
     notes = ctx.get_param_as_list('notes', default=[])
-    flags = ctx.get_param_as_list('flags', default=[])
+    flags = ctx.get_param_as_string_list('flags', default=[])
 
     post, new_tags = posts.create_post(
         content, tag_names, None if anonymous else ctx.user)
@@ -94,7 +94,8 @@ def update_post(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
         posts.update_post_content(post, ctx.get_file('content'))
     if ctx.has_param('tags'):
         auth.verify_privilege(ctx.user, 'posts:edit:tags')
-        new_tags = posts.update_post_tags(post, ctx.get_param_as_list('tags'))
+        new_tags = posts.update_post_tags(
+            post, ctx.get_param_as_string_list('tags'))
         if len(new_tags):
             auth.verify_privilege(ctx.user, 'tags:create')
             db.session.flush()
@@ -110,13 +111,14 @@ def update_post(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
         posts.update_post_source(post, ctx.get_param_as_string('contentUrl'))
     if ctx.has_param('relations'):
         auth.verify_privilege(ctx.user, 'posts:edit:relations')
-        posts.update_post_relations(post, ctx.get_param_as_list('relations'))
+        posts.update_post_relations(
+            post, ctx.get_param_as_int_list('relations'))
     if ctx.has_param('notes'):
         auth.verify_privilege(ctx.user, 'posts:edit:notes')
         posts.update_post_notes(post, ctx.get_param_as_list('notes'))
     if ctx.has_param('flags'):
         auth.verify_privilege(ctx.user, 'posts:edit:flags')
-        posts.update_post_flags(post, ctx.get_param_as_list('flags'))
+        posts.update_post_flags(post, ctx.get_param_as_string_list('flags'))
     if ctx.has_file('thumbnail'):
         auth.verify_privilege(ctx.user, 'posts:edit:thumbnail')
         posts.update_post_thumbnail(post, ctx.get_file('thumbnail'))

server/szurubooru/api/tag_api.py

@@ -38,11 +38,11 @@ def get_tags(ctx: rest.Context, _params: Dict[str, str]={}) -> rest.Response:
 def create_tag(ctx: rest.Context, _params: Dict[str, str]={}) -> rest.Response:
     auth.verify_privilege(ctx.user, 'tags:create')
 
-    names = ctx.get_param_as_list('names')
+    names = ctx.get_param_as_string_list('names')
     category = ctx.get_param_as_string('category')
     description = ctx.get_param_as_string('description', default='')
-    suggestions = ctx.get_param_as_list('suggestions', default=[])
-    implications = ctx.get_param_as_list('implications', default=[])
+    suggestions = ctx.get_param_as_string_list('suggestions', default=[])
+    implications = ctx.get_param_as_string_list('implications', default=[])
 
     _create_if_needed(suggestions, ctx.user)
     _create_if_needed(implications, ctx.user)
@@ -71,7 +71,7 @@ def update_tag(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     versions.bump_version(tag)
     if ctx.has_param('names'):
         auth.verify_privilege(ctx.user, 'tags:edit:names')
-        tags.update_tag_names(tag, ctx.get_param_as_list('names'))
+        tags.update_tag_names(tag, ctx.get_param_as_string_list('names'))
     if ctx.has_param('category'):
         auth.verify_privilege(ctx.user, 'tags:edit:category')
         tags.update_tag_category_name(
@@ -82,12 +82,12 @@ def update_tag(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
             tag, ctx.get_param_as_string('description'))
     if ctx.has_param('suggestions'):
         auth.verify_privilege(ctx.user, 'tags:edit:suggestions')
-        suggestions = ctx.get_param_as_list('suggestions')
+        suggestions = ctx.get_param_as_string_list('suggestions')
         _create_if_needed(suggestions, ctx.user)
         tags.update_tag_suggestions(tag, suggestions)
     if ctx.has_param('implications'):
         auth.verify_privilege(ctx.user, 'tags:edit:implications')
-        implications = ctx.get_param_as_list('implications')
+        implications = ctx.get_param_as_string_list('implications')
         _create_if_needed(implications, ctx.user)
         tags.update_tag_implications(tag, implications)
     tag.last_edit_time = datetime.utcnow()

server/szurubooru/rest/context.py

@@ -86,6 +86,28 @@ class Context:
         raise errors.InvalidParameterError(
             'Parameter %r must be a list.' % name)
 
+    def get_param_as_int_list(
+            self,
+            name: str,
+            default: Union[object, List[int]]=MISSING) -> List[int]:
+        ret = self.get_param_as_list(name, default)
+        for item in ret:
+            if type(item) is not int:
+                raise errors.InvalidParameterError(
+                    'Parameter %r must be a list of integer values.' % name)
+        return ret
+
+    def get_param_as_string_list(
+            self,
+            name: str,
+            default: Union[object, List[str]]=MISSING) -> List[str]:
+        ret = self.get_param_as_list(name, default)
+        for item in ret:
+            if type(item) is not str:
+                raise errors.InvalidParameterError(
+                    'Parameter %r must be a list of string values.' % name)
+        return ret
+
     def get_param_as_string(
             self,
             name: str,