From 3d04ad1d05edb09c8eac32fc6a0752fadf20a04e Mon Sep 17 00:00:00 2001 From: "stainless-app[bot]" <142633134+stainless-app[bot]@users.noreply.github.com> Date: Fri, 20 Mar 2026 03:11:13 +0000 Subject: [PATCH 1/3] fix: sanitize endpoint path params --- src/onebusaway/_utils/__init__.py | 1 + src/onebusaway/_utils/_path.py | 127 ++++++++++++++++++ src/onebusaway/resources/agency.py | 5 +- .../resources/arrival_and_departure.py | 10 +- src/onebusaway/resources/block.py | 5 +- .../resources/report_problem_with_stop.py | 6 +- .../resources/report_problem_with_trip.py | 6 +- src/onebusaway/resources/route.py | 5 +- .../resources/route_ids_for_agency.py | 5 +- src/onebusaway/resources/routes_for_agency.py | 5 +- .../resources/schedule_for_route.py | 6 +- src/onebusaway/resources/schedule_for_stop.py | 6 +- src/onebusaway/resources/shape.py | 5 +- src/onebusaway/resources/stop.py | 5 +- .../resources/stop_ids_for_agency.py | 5 +- src/onebusaway/resources/stops_for_agency.py | 5 +- src/onebusaway/resources/stops_for_route.py | 6 +- src/onebusaway/resources/trip.py | 5 +- src/onebusaway/resources/trip_details.py | 6 +- src/onebusaway/resources/trip_for_vehicle.py | 6 +- src/onebusaway/resources/trips_for_route.py | 6 +- .../resources/vehicles_for_agency.py | 6 +- tests/test_utils/test_path.py | 89 ++++++++++++ 23 files changed, 279 insertions(+), 52 deletions(-) create mode 100644 src/onebusaway/_utils/_path.py create mode 100644 tests/test_utils/test_path.py diff --git a/src/onebusaway/_utils/__init__.py b/src/onebusaway/_utils/__init__.py index dc64e29..10cb66d 100644 --- a/src/onebusaway/_utils/__init__.py +++ b/src/onebusaway/_utils/__init__.py @@ -1,3 +1,4 @@ +from ._path import path_template as path_template from ._sync import asyncify as asyncify from ._proxy import LazyProxy as LazyProxy from ._utils import ( diff --git a/src/onebusaway/_utils/_path.py b/src/onebusaway/_utils/_path.py new file mode 100644 index 0000000..4d6e1e4 --- /dev/null 
+++ b/src/onebusaway/_utils/_path.py 
@@ -0,0 +1,127 @@
+from __future__ import annotations
+
+import re
+from typing import (
+ Any,
+ Mapping,
+ Callable,
+)
+from urllib.parse import quote
+
+# Matches '.' or '..' where each dot is either literal or percent-encoded (%2e / %2E).
+_DOT_SEGMENT_RE = re.compile(r"^(?:\.|%2[eE]){1,2}$")
+
+_PLACEHOLDER_RE = re.compile(r"\{(\w+)\}")
+
+
+def _quote_path_segment_part(value: str) -> str:
+ """Percent-encode `value` for use in a URI path segment.
+
+ Considers characters not in `pchar` set from RFC 3986 §3.3 to be unsafe.
+ https://datatracker.ietf.org/doc/html/rfc3986#section-3.3
+ """
+ # quote() already treats unreserved characters (letters, digits, and -._~)
+ # as safe, so we only need to add sub-delims, ':', and '@'.
+ # Notably, unlike the default `safe` for quote(), / is unsafe and must be quoted.
+ return quote(value, safe="!$&'()*+,;=:@")
+
+
+def _quote_query_part(value: str) -> str:
+ """Percent-encode `value` for use in a URI query string.
+
+ Considers &, = and characters not in `query` set from RFC 3986 §3.4 to be unsafe.
+ https://datatracker.ietf.org/doc/html/rfc3986#section-3.4
+ """
+ return quote(value, safe="!$'()*+,;:@/?")
+
+
+def _quote_fragment_part(value: str) -> str:
+ """Percent-encode `value` for use in a URI fragment.
+
+ Considers characters not in `fragment` set from RFC 3986 §3.5 to be unsafe.
+ https://datatracker.ietf.org/doc/html/rfc3986#section-3.5
+ """
+ return quote(value, safe="!$&'()*+,;=:@/?")
+
+
+def _interpolate(
+ template: str,
+ values: Mapping[str, Any],
+ quoter: Callable[[str], str],
+) -> str:
+ """Replace {name} placeholders in `template`, quoting each value with `quoter`.
+
+ Placeholder names are looked up in `values`.
+
+ Raises:
+ KeyError: If a placeholder is not found in `values`.
+ """
+ # re.split with a capturing group returns alternating
+ # [text, name, text, name, ..., text] elements.
+ parts = _PLACEHOLDER_RE.split(template)
+
+ for i in range(1, len(parts), 2):
+ name = parts[i]
+ if name not in values:
+ raise KeyError(f"a value for placeholder {{{name}}} was not provided")
+ val = values[name]
+ if val is None:
+ parts[i] = "null"
+ elif isinstance(val, bool):
+ parts[i] = "true" if val else "false"
+ else:
+ parts[i] = quoter(str(values[name]))
+
+ return "".join(parts)
+
+
+def path_template(template: str, /, **kwargs: Any) -> str:
+ """Interpolate {name} placeholders in `template` from keyword arguments.
+
+ Args:
+ template: The template string containing {name} placeholders.
+ **kwargs: Keyword arguments to interpolate into the template.
+
+ Returns:
+ The template with placeholders interpolated and percent-encoded.
+
+ Safe characters for percent-encoding are dependent on the URI component.
+ Placeholders in path and fragment portions are percent-encoded where the `segment`
+ and `fragment` sets from RFC 3986 respectively are considered safe.
+ Placeholders in the query portion are percent-encoded where the `query` set from
+ RFC 3986 §3.3 is considered safe except for = and & characters.
+
+ Raises:
+ KeyError: If a placeholder is not found in `kwargs`.
+ ValueError: If resulting path contains /./ or /../ segments (including percent-encoded dot-segments).
+ """
+ # Split the template into path, query, and fragment portions.
+ fragment_template: str | None = None
+ query_template: str | None = None
+
+ rest = template
+ if "#" in rest:
+ rest, fragment_template = rest.split("#", 1)
+ if "?" in rest:
+ rest, query_template = rest.split("?", 1)
+ path_template = rest
+
+ # Interpolate each portion with the appropriate quoting rules.
+ path_result = _interpolate(path_template, kwargs, _quote_path_segment_part)
+
+ # Reject dot-segments (. and ..) in the final assembled path. The check
+ # runs after interpolation so that adjacent placeholders or a mix of static
+ # text and placeholders that together form a dot-segment are caught.
+ # Also reject percent-encoded dot-segments to protect against incorrectly + # implemented normalization in servers/proxies. + for segment in path_result.split("/"): + if _DOT_SEGMENT_RE.match(segment): + raise ValueError(f"Constructed path {path_result!r} contains dot-segment {segment!r} which is not allowed") + + result = path_result + if query_template is not None: + result += "?" + _interpolate(query_template, kwargs, _quote_query_part) + if fragment_template is not None: + result += "#" + _interpolate(fragment_template, kwargs, _quote_fragment_part) + + return result diff --git a/src/onebusaway/resources/agency.py b/src/onebusaway/resources/agency.py index 6510af2..f877a6f 100644 --- a/src/onebusaway/resources/agency.py +++ b/src/onebusaway/resources/agency.py @@ -5,6 +5,7 @@ import httpx from .._types import Body, Query, Headers, NotGiven, not_given +from .._utils import path_template from .._compat import cached_property from .._resource import SyncAPIResource, AsyncAPIResource from .._response import ( @@ -65,7 +66,7 @@ def retrieve( if not agency_id: raise ValueError(f"Expected a non-empty value for `agency_id` but received {agency_id!r}") return self._get( - f"/api/where/agency/{agency_id}.json", + path_template("/api/where/agency/{agency_id}.json", agency_id=agency_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout ), @@ -119,7 +120,7 @@ async def retrieve( if not agency_id: raise ValueError(f"Expected a non-empty value for `agency_id` but received {agency_id!r}") return await self._get( - f"/api/where/agency/{agency_id}.json", + path_template("/api/where/agency/{agency_id}.json", agency_id=agency_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout ), diff --git a/src/onebusaway/resources/arrival_and_departure.py b/src/onebusaway/resources/arrival_and_departure.py index 7f935c8..b2dce82 100644 
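Review bot: The `%2[eE]` branch of `_DOT_SEGMENT_RE` cannot match anything that came from a placeholder value in `src/onebusaway/_utils/_path.py`, because `_quote_path_segment_part` leaves `%` out of `safe`, so a caller-supplied `%2e%2e` reaches the dot-segment loop as `%252e%252e` and is accepted; the branch only fires on encoded dots written in the template text itself. That is probably acceptable, since one decode downstream yields the literal text `%2e%2e` rather than `..`, but the comment above the loop in `path_template` reads as if encoded dot-segments in caller input were rejected. I would state the real guarantee there, for example `# Values are quoted first ('%' -> '%25'), so the %2e form can only come from template text; a hop that decodes twice is not covered.` Separately, the `path_template` docstring cites RFC 3986 §3.3 for the `query` set where `_quote_query_part` cites §3.4, `_interpolate` re-reads `values[name]` where `val` is already bound, and the local `path_template = rest` shadows the function's own name.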
--- a/src/onebusaway/resources/arrival_and_departure.py +++ b/src/onebusaway/resources/arrival_and_departure.py @@ -9,7 +9,7 @@ from ..types import arrival_and_departure_list_params, arrival_and_departure_retrieve_params from .._types import Body, Omit, Query, Headers, NotGiven, omit, not_given -from .._utils import maybe_transform, async_maybe_transform +from .._utils import path_template, maybe_transform, async_maybe_transform from .._compat import cached_property from .._resource import SyncAPIResource, AsyncAPIResource from .._response import ( @@ -76,7 +76,7 @@ def retrieve( if not stop_id: raise ValueError(f"Expected a non-empty value for `stop_id` but received {stop_id!r}") return self._get( - f"/api/where/arrival-and-departure-for-stop/{stop_id}.json", + path_template("/api/where/arrival-and-departure-for-stop/{stop_id}.json", stop_id=stop_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, @@ -131,7 +131,7 @@ def list( if not stop_id: raise ValueError(f"Expected a non-empty value for `stop_id` but received {stop_id!r}") return self._get( - f"/api/where/arrivals-and-departures-for-stop/{stop_id}.json", + path_template("/api/where/arrivals-and-departures-for-stop/{stop_id}.json", stop_id=stop_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, @@ -201,7 +201,7 @@ async def retrieve( if not stop_id: raise ValueError(f"Expected a non-empty value for `stop_id` but received {stop_id!r}") return await self._get( - f"/api/where/arrival-and-departure-for-stop/{stop_id}.json", + path_template("/api/where/arrival-and-departure-for-stop/{stop_id}.json", stop_id=stop_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, 
@@ -256,7 +256,7 @@ async def list( if not stop_id: raise ValueError(f"Expected a non-empty value for `stop_id` but received {stop_id!r}") return await self._get( - f"/api/where/arrivals-and-departures-for-stop/{stop_id}.json", + path_template("/api/where/arrivals-and-departures-for-stop/{stop_id}.json", stop_id=stop_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, diff --git a/src/onebusaway/resources/block.py b/src/onebusaway/resources/block.py index 5ce7bdc..93a2d31 100644 --- a/src/onebusaway/resources/block.py +++ b/src/onebusaway/resources/block.py @@ -5,6 +5,7 @@ import httpx from .._types import Body, Query, Headers, NotGiven, not_given +from .._utils import path_template from .._compat import cached_property from .._resource import SyncAPIResource, AsyncAPIResource from .._response import ( @@ -65,7 +66,7 @@ def retrieve( if not block_id: raise ValueError(f"Expected a non-empty value for `block_id` but received {block_id!r}") return self._get( - f"/api/where/block/{block_id}.json", + path_template("/api/where/block/{block_id}.json", block_id=block_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout ), @@ -119,7 +120,7 @@ async def retrieve( if not block_id: raise ValueError(f"Expected a non-empty value for `block_id` but received {block_id!r}") return await self._get( - f"/api/where/block/{block_id}.json", + path_template("/api/where/block/{block_id}.json", block_id=block_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout ), diff --git a/src/onebusaway/resources/report_problem_with_stop.py b/src/onebusaway/resources/report_problem_with_stop.py index 6127491..071dc6f 100644 --- a/src/onebusaway/resources/report_problem_with_stop.py +++ b/src/onebusaway/resources/report_problem_with_stop.py 
@@ -8,7 +8,7 @@ from ..types import report_problem_with_stop_retrieve_params from .._types import Body, Omit, Query, Headers, NotGiven, omit, not_given -from .._utils import maybe_transform, async_maybe_transform +from .._utils import path_template, maybe_transform, async_maybe_transform from .._compat import cached_property from .._resource import SyncAPIResource, AsyncAPIResource from .._response import ( @@ -85,7 +85,7 @@ def retrieve( if not stop_id: raise ValueError(f"Expected a non-empty value for `stop_id` but received {stop_id!r}") return self._get( - f"/api/where/report-problem-with-stop/{stop_id}.json", + path_template("/api/where/report-problem-with-stop/{stop_id}.json", stop_id=stop_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, @@ -168,7 +168,7 @@ async def retrieve( if not stop_id: raise ValueError(f"Expected a non-empty value for `stop_id` but received {stop_id!r}") return await self._get( - f"/api/where/report-problem-with-stop/{stop_id}.json", + path_template("/api/where/report-problem-with-stop/{stop_id}.json", stop_id=stop_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, diff --git a/src/onebusaway/resources/report_problem_with_trip.py b/src/onebusaway/resources/report_problem_with_trip.py index 6c3dc23..4c4e460 100644 --- a/src/onebusaway/resources/report_problem_with_trip.py +++ b/src/onebusaway/resources/report_problem_with_trip.py @@ -8,7 +8,7 @@ from ..types import report_problem_with_trip_retrieve_params from .._types import Body, Omit, Query, Headers, NotGiven, omit, not_given -from .._utils import maybe_transform, async_maybe_transform +from .._utils import path_template, maybe_transform, async_maybe_transform from .._compat import cached_property from .._resource import SyncAPIResource, AsyncAPIResource from .._response import ( 
@@ -107,7 +107,7 @@ def retrieve( if not trip_id: raise ValueError(f"Expected a non-empty value for `trip_id` but received {trip_id!r}") return self._get( - f"/api/where/report-problem-with-trip/{trip_id}.json", + path_template("/api/where/report-problem-with-trip/{trip_id}.json", trip_id=trip_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, @@ -217,7 +217,7 @@ async def retrieve( if not trip_id: raise ValueError(f"Expected a non-empty value for `trip_id` but received {trip_id!r}") return await self._get( - f"/api/where/report-problem-with-trip/{trip_id}.json", + path_template("/api/where/report-problem-with-trip/{trip_id}.json", trip_id=trip_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, diff --git a/src/onebusaway/resources/route.py b/src/onebusaway/resources/route.py index be67b63..4b40004 100644 --- a/src/onebusaway/resources/route.py +++ b/src/onebusaway/resources/route.py @@ -5,6 +5,7 @@ import httpx from .._types import Body, Query, Headers, NotGiven, not_given +from .._utils import path_template from .._compat import cached_property from .._resource import SyncAPIResource, AsyncAPIResource from .._response import ( @@ -65,7 +66,7 @@ def retrieve( if not route_id: raise ValueError(f"Expected a non-empty value for `route_id` but received {route_id!r}") return self._get( - f"/api/where/route/{route_id}.json", + path_template("/api/where/route/{route_id}.json", route_id=route_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout ), 
@@ -119,7 +120,7 @@ async def retrieve( if not route_id: raise ValueError(f"Expected a non-empty value for `route_id` but received {route_id!r}") return await self._get( - f"/api/where/route/{route_id}.json", + path_template("/api/where/route/{route_id}.json", route_id=route_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout ), diff --git a/src/onebusaway/resources/route_ids_for_agency.py b/src/onebusaway/resources/route_ids_for_agency.py index c9d7ef5..956bca9 100644 --- a/src/onebusaway/resources/route_ids_for_agency.py +++ b/src/onebusaway/resources/route_ids_for_agency.py @@ -5,6 +5,7 @@ import httpx from .._types import Body, Query, Headers, NotGiven, not_given +from .._utils import path_template from .._compat import cached_property from .._resource import SyncAPIResource, AsyncAPIResource from .._response import ( @@ -65,7 +66,7 @@ def list( if not agency_id: raise ValueError(f"Expected a non-empty value for `agency_id` but received {agency_id!r}") return self._get( - f"/api/where/route-ids-for-agency/{agency_id}.json", + path_template("/api/where/route-ids-for-agency/{agency_id}.json", agency_id=agency_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout ), @@ -119,7 +120,7 @@ async def list( if not agency_id: raise ValueError(f"Expected a non-empty value for `agency_id` but received {agency_id!r}") return await self._get( - f"/api/where/route-ids-for-agency/{agency_id}.json", + path_template("/api/where/route-ids-for-agency/{agency_id}.json", agency_id=agency_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout ), diff --git a/src/onebusaway/resources/routes_for_agency.py b/src/onebusaway/resources/routes_for_agency.py index b4b36da..6845cb8 100644 --- a/src/onebusaway/resources/routes_for_agency.py 
+++ b/src/onebusaway/resources/routes_for_agency.py @@ -5,6 +5,7 @@ import httpx from .._types import Body, Query, Headers, NotGiven, not_given +from .._utils import path_template from .._compat import cached_property from .._resource import SyncAPIResource, AsyncAPIResource from .._response import ( @@ -65,7 +66,7 @@ def list( if not agency_id: raise ValueError(f"Expected a non-empty value for `agency_id` but received {agency_id!r}") return self._get( - f"/api/where/routes-for-agency/{agency_id}.json", + path_template("/api/where/routes-for-agency/{agency_id}.json", agency_id=agency_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout ), @@ -119,7 +120,7 @@ async def list( if not agency_id: raise ValueError(f"Expected a non-empty value for `agency_id` but received {agency_id!r}") return await self._get( - f"/api/where/routes-for-agency/{agency_id}.json", + path_template("/api/where/routes-for-agency/{agency_id}.json", agency_id=agency_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout ), diff --git a/src/onebusaway/resources/schedule_for_route.py b/src/onebusaway/resources/schedule_for_route.py index 0c12dd4..5df8b5c 100644 --- a/src/onebusaway/resources/schedule_for_route.py +++ b/src/onebusaway/resources/schedule_for_route.py @@ -9,7 +9,7 @@ from ..types import schedule_for_route_retrieve_params from .._types import Body, Omit, Query, Headers, NotGiven, omit, not_given -from .._utils import maybe_transform, async_maybe_transform +from .._utils import path_template, maybe_transform, async_maybe_transform from .._compat import cached_property from .._resource import SyncAPIResource, AsyncAPIResource from .._response import ( 
@@ -74,7 +74,7 @@ def retrieve( if not route_id: raise ValueError(f"Expected a non-empty value for `route_id` but received {route_id!r}") return self._get( - f"/api/where/schedule-for-route/{route_id}.json", + path_template("/api/where/schedule-for-route/{route_id}.json", route_id=route_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, @@ -138,7 +138,7 @@ async def retrieve( if not route_id: raise ValueError(f"Expected a non-empty value for `route_id` but received {route_id!r}") return await self._get( - f"/api/where/schedule-for-route/{route_id}.json", + path_template("/api/where/schedule-for-route/{route_id}.json", route_id=route_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, diff --git a/src/onebusaway/resources/schedule_for_stop.py b/src/onebusaway/resources/schedule_for_stop.py index 06ebe98..894b014 100644 --- a/src/onebusaway/resources/schedule_for_stop.py +++ b/src/onebusaway/resources/schedule_for_stop.py @@ -9,7 +9,7 @@ from ..types import schedule_for_stop_retrieve_params from .._types import Body, Omit, Query, Headers, NotGiven, omit, not_given -from .._utils import maybe_transform, async_maybe_transform +from .._utils import path_template, maybe_transform, async_maybe_transform from .._compat import cached_property from .._resource import SyncAPIResource, AsyncAPIResource from .._response import ( @@ -74,7 +74,7 @@ def retrieve( if not stop_id: raise ValueError(f"Expected a non-empty value for `stop_id` but received {stop_id!r}") return self._get( - f"/api/where/schedule-for-stop/{stop_id}.json", + path_template("/api/where/schedule-for-stop/{stop_id}.json", stop_id=stop_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, 
@@ -136,7 +136,7 @@ async def retrieve( if not stop_id: raise ValueError(f"Expected a non-empty value for `stop_id` but received {stop_id!r}") return await self._get( - f"/api/where/schedule-for-stop/{stop_id}.json", + path_template("/api/where/schedule-for-stop/{stop_id}.json", stop_id=stop_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, diff --git a/src/onebusaway/resources/shape.py b/src/onebusaway/resources/shape.py index 8001169..42d75ac 100644 --- a/src/onebusaway/resources/shape.py +++ b/src/onebusaway/resources/shape.py @@ -5,6 +5,7 @@ import httpx from .._types import Body, Query, Headers, NotGiven, not_given +from .._utils import path_template from .._compat import cached_property from .._resource import SyncAPIResource, AsyncAPIResource from .._response import ( @@ -65,7 +66,7 @@ def retrieve( if not shape_id: raise ValueError(f"Expected a non-empty value for `shape_id` but received {shape_id!r}") return self._get( - f"/api/where/shape/{shape_id}.json", + path_template("/api/where/shape/{shape_id}.json", shape_id=shape_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout ), @@ -119,7 +120,7 @@ async def retrieve( if not shape_id: raise ValueError(f"Expected a non-empty value for `shape_id` but received {shape_id!r}") return await self._get( - f"/api/where/shape/{shape_id}.json", + path_template("/api/where/shape/{shape_id}.json", shape_id=shape_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout ), diff --git a/src/onebusaway/resources/stop.py b/src/onebusaway/resources/stop.py index 21a8cf1..9efd7f2 100644 --- a/src/onebusaway/resources/stop.py +++ b/src/onebusaway/resources/stop.py 
@@ -5,6 +5,7 @@ import httpx from .._types import Body, Query, Headers, NotGiven, not_given +from .._utils import path_template from .._compat import cached_property from .._resource import SyncAPIResource, AsyncAPIResource from .._response import ( @@ -65,7 +66,7 @@ def retrieve( if not stop_id: raise ValueError(f"Expected a non-empty value for `stop_id` but received {stop_id!r}") return self._get( - f"/api/where/stop/{stop_id}.json", + path_template("/api/where/stop/{stop_id}.json", stop_id=stop_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout ), @@ -119,7 +120,7 @@ async def retrieve( if not stop_id: raise ValueError(f"Expected a non-empty value for `stop_id` but received {stop_id!r}") return await self._get( - f"/api/where/stop/{stop_id}.json", + path_template("/api/where/stop/{stop_id}.json", stop_id=stop_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout ), diff --git a/src/onebusaway/resources/stop_ids_for_agency.py b/src/onebusaway/resources/stop_ids_for_agency.py index a14de79..5127022 100644 --- a/src/onebusaway/resources/stop_ids_for_agency.py +++ b/src/onebusaway/resources/stop_ids_for_agency.py @@ -5,6 +5,7 @@ import httpx from .._types import Body, Query, Headers, NotGiven, not_given +from .._utils import path_template from .._compat import cached_property from .._resource import SyncAPIResource, AsyncAPIResource from .._response import ( @@ -65,7 +66,7 @@ def list( if not agency_id: raise ValueError(f"Expected a non-empty value for `agency_id` but received {agency_id!r}") return self._get( - f"/api/where/stop-ids-for-agency/{agency_id}.json", + path_template("/api/where/stop-ids-for-agency/{agency_id}.json", agency_id=agency_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout ), 
@@ -119,7 +120,7 @@ async def list( if not agency_id: raise ValueError(f"Expected a non-empty value for `agency_id` but received {agency_id!r}") return await self._get( - f"/api/where/stop-ids-for-agency/{agency_id}.json", + path_template("/api/where/stop-ids-for-agency/{agency_id}.json", agency_id=agency_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout ), diff --git a/src/onebusaway/resources/stops_for_agency.py b/src/onebusaway/resources/stops_for_agency.py index 74da5c1..70f5597 100644 --- a/src/onebusaway/resources/stops_for_agency.py +++ b/src/onebusaway/resources/stops_for_agency.py @@ -5,6 +5,7 @@ import httpx from .._types import Body, Query, Headers, NotGiven, not_given +from .._utils import path_template from .._compat import cached_property from .._resource import SyncAPIResource, AsyncAPIResource from .._response import ( @@ -65,7 +66,7 @@ def list( if not agency_id: raise ValueError(f"Expected a non-empty value for `agency_id` but received {agency_id!r}") return self._get( - f"/api/where/stops-for-agency/{agency_id}.json", + path_template("/api/where/stops-for-agency/{agency_id}.json", agency_id=agency_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout ), @@ -119,7 +120,7 @@ async def list( if not agency_id: raise ValueError(f"Expected a non-empty value for `agency_id` but received {agency_id!r}") return await self._get( - f"/api/where/stops-for-agency/{agency_id}.json", + path_template("/api/where/stops-for-agency/{agency_id}.json", agency_id=agency_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout ), diff --git a/src/onebusaway/resources/stops_for_route.py b/src/onebusaway/resources/stops_for_route.py index 0d940e3..1540baa 100644 --- a/src/onebusaway/resources/stops_for_route.py 
+++ b/src/onebusaway/resources/stops_for_route.py @@ -6,7 +6,7 @@ from ..types import stops_for_route_list_params from .._types import Body, Omit, Query, Headers, NotGiven, omit, not_given -from .._utils import maybe_transform, async_maybe_transform +from .._utils import path_template, maybe_transform, async_maybe_transform from .._compat import cached_property from .._resource import SyncAPIResource, AsyncAPIResource from .._response import ( @@ -73,7 +73,7 @@ def list( if not route_id: raise ValueError(f"Expected a non-empty value for `route_id` but received {route_id!r}") return self._get( - f"/api/where/stops-for-route/{route_id}.json", + path_template("/api/where/stops-for-route/{route_id}.json", route_id=route_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, @@ -143,7 +143,7 @@ async def list( if not route_id: raise ValueError(f"Expected a non-empty value for `route_id` but received {route_id!r}") return await self._get( - f"/api/where/stops-for-route/{route_id}.json", + path_template("/api/where/stops-for-route/{route_id}.json", route_id=route_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, diff --git a/src/onebusaway/resources/trip.py b/src/onebusaway/resources/trip.py index b13fb0d..4fd0004 100644 --- a/src/onebusaway/resources/trip.py +++ b/src/onebusaway/resources/trip.py @@ -5,6 +5,7 @@ import httpx from .._types import Body, Query, Headers, NotGiven, not_given +from .._utils import path_template from .._compat import cached_property from .._resource import SyncAPIResource, AsyncAPIResource from .._response import ( 
@@ -65,7 +66,7 @@ def retrieve( if not trip_id: raise ValueError(f"Expected a non-empty value for `trip_id` but received {trip_id!r}") return self._get( - f"/api/where/trip/{trip_id}.json", + path_template("/api/where/trip/{trip_id}.json", trip_id=trip_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout ), @@ -119,7 +120,7 @@ async def retrieve( if not trip_id: raise ValueError(f"Expected a non-empty value for `trip_id` but received {trip_id!r}") return await self._get( - f"/api/where/trip/{trip_id}.json", + path_template("/api/where/trip/{trip_id}.json", trip_id=trip_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout ), diff --git a/src/onebusaway/resources/trip_details.py b/src/onebusaway/resources/trip_details.py index 3c5e8b0..a2728d6 100644 --- a/src/onebusaway/resources/trip_details.py +++ b/src/onebusaway/resources/trip_details.py @@ -6,7 +6,7 @@ from ..types import trip_detail_retrieve_params from .._types import Body, Omit, Query, Headers, NotGiven, omit, not_given -from .._utils import maybe_transform, async_maybe_transform +from .._utils import path_template, maybe_transform, async_maybe_transform from .._compat import cached_property from .._resource import SyncAPIResource, AsyncAPIResource from .._response import ( @@ -85,7 +85,7 @@ def retrieve( if not trip_id: raise ValueError(f"Expected a non-empty value for `trip_id` but received {trip_id!r}") return self._get( - f"/api/where/trip-details/{trip_id}.json", + path_template("/api/where/trip-details/{trip_id}.json", trip_id=trip_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, 
@@ -170,7 +170,7 @@ async def retrieve( if not trip_id: raise ValueError(f"Expected a non-empty value for `trip_id` but received {trip_id!r}") return await self._get( - f"/api/where/trip-details/{trip_id}.json", + path_template("/api/where/trip-details/{trip_id}.json", trip_id=trip_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, diff --git a/src/onebusaway/resources/trip_for_vehicle.py b/src/onebusaway/resources/trip_for_vehicle.py index 510ea65..cac7897 100644 --- a/src/onebusaway/resources/trip_for_vehicle.py +++ b/src/onebusaway/resources/trip_for_vehicle.py @@ -6,7 +6,7 @@ from ..types import trip_for_vehicle_retrieve_params from .._types import Body, Omit, Query, Headers, NotGiven, omit, not_given -from .._utils import maybe_transform, async_maybe_transform +from .._utils import path_template, maybe_transform, async_maybe_transform from .._compat import cached_property from .._resource import SyncAPIResource, AsyncAPIResource from .._response import ( @@ -82,7 +82,7 @@ def retrieve( if not vehicle_id: raise ValueError(f"Expected a non-empty value for `vehicle_id` but received {vehicle_id!r}") return self._get( - f"/api/where/trip-for-vehicle/{vehicle_id}.json", + path_template("/api/where/trip-for-vehicle/{vehicle_id}.json", vehicle_id=vehicle_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, @@ -163,7 +163,7 @@ async def retrieve( if not vehicle_id: raise ValueError(f"Expected a non-empty value for `vehicle_id` but received {vehicle_id!r}") return await self._get( - f"/api/where/trip-for-vehicle/{vehicle_id}.json", + path_template("/api/where/trip-for-vehicle/{vehicle_id}.json", vehicle_id=vehicle_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, diff --git a/src/onebusaway/resources/trips_for_route.py b/src/onebusaway/resources/trips_for_route.py index 5ada544..ed7840d 100644 --- a/src/onebusaway/resources/trips_for_route.py 
+++ b/src/onebusaway/resources/trips_for_route.py @@ -6,7 +6,7 @@ from ..types import trips_for_route_list_params from .._types import Body, Omit, Query, Headers, NotGiven, omit, not_given -from .._utils import maybe_transform, async_maybe_transform +from .._utils import path_template, maybe_transform, async_maybe_transform from .._compat import cached_property from .._resource import SyncAPIResource, AsyncAPIResource from .._response import ( @@ -77,7 +77,7 @@ def list( if not route_id: raise ValueError(f"Expected a non-empty value for `route_id` but received {route_id!r}") return self._get( - f"/api/where/trips-for-route/{route_id}.json", + path_template("/api/where/trips-for-route/{route_id}.json", route_id=route_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, @@ -152,7 +152,7 @@ async def list( if not route_id: raise ValueError(f"Expected a non-empty value for `route_id` but received {route_id!r}") return await self._get( - f"/api/where/trips-for-route/{route_id}.json", + path_template("/api/where/trips-for-route/{route_id}.json", route_id=route_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, diff --git a/src/onebusaway/resources/vehicles_for_agency.py b/src/onebusaway/resources/vehicles_for_agency.py index aba7f80..80c6fd2 100644 --- a/src/onebusaway/resources/vehicles_for_agency.py +++ b/src/onebusaway/resources/vehicles_for_agency.py @@ -6,7 +6,7 @@ from ..types import vehicles_for_agency_list_params from .._types import Body, Omit, Query, Headers, NotGiven, omit, not_given -from .._utils import maybe_transform, async_maybe_transform +from .._utils import path_template, maybe_transform, async_maybe_transform from .._compat import cached_property from .._resource import SyncAPIResource, AsyncAPIResource from .._response import ( 
@@ -70,7 +70,7 @@ def list( if not agency_id: raise ValueError(f"Expected a non-empty value for `agency_id` but received {agency_id!r}") return self._get( - f"/api/where/vehicles-for-agency/{agency_id}.json", + path_template("/api/where/vehicles-for-agency/{agency_id}.json", agency_id=agency_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, @@ -131,7 +131,7 @@ async def list( if not agency_id: raise ValueError(f"Expected a non-empty value for `agency_id` but received {agency_id!r}") return await self._get( - f"/api/where/vehicles-for-agency/{agency_id}.json", + path_template("/api/where/vehicles-for-agency/{agency_id}.json", agency_id=agency_id), options=make_request_options( extra_headers=extra_headers, extra_query=extra_query, diff --git a/tests/test_utils/test_path.py b/tests/test_utils/test_path.py new file mode 100644 index 0000000..5cc6b87 --- /dev/null +++ b/tests/test_utils/test_path.py 
@@ -0,0 +1,89 @@ +from __future__ import annotations + +from typing import Any + +import pytest + +from onebusaway._utils._path import path_template + + +@pytest.mark.parametrize( + "template, kwargs, expected", + [ + ("/v1/{id}", dict(id="abc"), "/v1/abc"), + ("/v1/{a}/{b}", dict(a="x", b="y"), "/v1/x/y"), + ("/v1/{a}{b}/path/{c}?val={d}#{e}", dict(a="x", b="y", c="z", d="u", e="v"), "/v1/xy/path/z?val=u#v"), + ("/{w}/{w}", dict(w="echo"), "/echo/echo"), + ("/v1/static", {}, "/v1/static"), + ("", {}, ""), + ("/v1/?q={n}&count=10", dict(n=42), "/v1/?q=42&count=10"), + ("/v1/{v}", dict(v=None), "/v1/null"), + ("/v1/{v}", dict(v=True), "/v1/true"), + ("/v1/{v}", dict(v=False), "/v1/false"), + ("/v1/{v}", dict(v=".hidden"), "/v1/.hidden"), # dot prefix ok + ("/v1/{v}", dict(v="file.txt"), "/v1/file.txt"), # dot in middle ok + ("/v1/{v}", dict(v="..."), "/v1/..."), # triple dot ok + ("/v1/{a}{b}", dict(a=".", b="txt"), "/v1/.txt"), # dot var combining with adjacent to be ok + ("/items?q={v}#{f}", dict(v=".", f=".."), "/items?q=.#.."), # dots in query/fragment are fine + ( + "/v1/{a}?query={b}", + dict(a="../../other/endpoint", b="a&bad=true"), + "/v1/..%2F..%2Fother%2Fendpoint?query=a%26bad%3Dtrue", + ), + ("/v1/{val}", dict(val="a/b/c"), "/v1/a%2Fb%2Fc"), + ("/v1/{val}", dict(val="a/b/c?query=value"), "/v1/a%2Fb%2Fc%3Fquery=value"), + ("/v1/{val}", dict(val="a/b/c?query=value&bad=true"), "/v1/a%2Fb%2Fc%3Fquery=value&bad=true"), + ("/v1/{val}", dict(val="%20"), "/v1/%2520"), # escapes escape sequences in input + # Query: slash and ? are safe, # is not + ("/items?q={v}", dict(v="a/b"), "/items?q=a/b"), + ("/items?q={v}", dict(v="a?b"), "/items?q=a?b"), + ("/items?q={v}", dict(v="a#b"), "/items?q=a%23b"), + ("/items?q={v}", dict(v="a b"), "/items?q=a%20b"), + # Fragment: slash and ? are safe + ("/docs#{v}", dict(v="a/b"), "/docs#a/b"), + ("/docs#{v}", dict(v="a?b"), "/docs#a?b"), + # Path: slash, ? 
and # are all encoded + ("/v1/{v}", dict(v="a/b"), "/v1/a%2Fb"), + ("/v1/{v}", dict(v="a?b"), "/v1/a%3Fb"), + ("/v1/{v}", dict(v="a#b"), "/v1/a%23b"), + # same var encoded differently by component + ( + "/v1/{v}?q={v}#{v}", + dict(v="a/b?c#d"), + "/v1/a%2Fb%3Fc%23d?q=a/b?c%23d#a/b?c%23d", + ), + ("/v1/{val}", dict(val="x?admin=true"), "/v1/x%3Fadmin=true"), # query injection + ("/v1/{val}", dict(val="x#admin"), "/v1/x%23admin"), # fragment injection + ], +) +def test_interpolation(template: str, kwargs: dict[str, Any], expected: str) -> None: + assert path_template(template, **kwargs) == expected + + +def test_missing_kwarg_raises_key_error() -> None: + with pytest.raises(KeyError, match="org_id"): + path_template("/v1/{org_id}") + + +@pytest.mark.parametrize( + "template, kwargs", + [ + ("{a}/path", dict(a=".")), + ("{a}/path", dict(a="..")), + ("/v1/{a}", dict(a=".")), + ("/v1/{a}", dict(a="..")), + ("/v1/{a}/path", dict(a=".")), + ("/v1/{a}/path", dict(a="..")), + ("/v1/{a}{b}", dict(a=".", b=".")), # adjacent vars → ".." + ("/v1/{a}.", dict(a=".")), # var + static → ".." + ("/v1/{a}{b}", dict(a="", b=".")), # empty + dot → "." + ("/v1/%2e/{x}", dict(x="ok")), # encoded dot in static text + ("/v1/%2e./{x}", dict(x="ok")), # mixed encoded ".." in static + ("/v1/.%2E/{x}", dict(x="ok")), # mixed encoded ".." in static + ("/v1/{v}?q=1", dict(v="..")), + ("/v1/{v}#frag", dict(v="..")), + ], +) +def test_dot_segment_rejected(template: str, kwargs: dict[str, Any]) -> None: + with pytest.raises(ValueError, match="dot-segment"): + path_template(template, **kwargs) From 9737588d82b10a90ecc22f6c0e9b7918362ff799 Mon Sep 17 00:00:00 2001 
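Review bot: The parametrized cases never exercise the template shape that the resource modules in this patch use, a placeholder followed by a static `.json` suffix in the same segment. Encoding and dot-segment handling for that shape is therefore unpinned. A row in `test_interpolation` along the lines of `("/v1/{v}.json", dict(v="a/b"), "/v1/a%2Fb.json")` would cover it, with the expected value inferred from the existing `a/b/c` row. The rejection table also stops at `.`/`..` and their `%2e` spellings in static text. Path values containing a backslash or CR/LF have no row in either table, so what `path_template` is meant to do with them cannot be told from this hunk and is worth pinning.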
From: "stainless-app[bot]" <142633134+stainless-app[bot]@users.noreply.github.com> Date: Fri, 20 Mar 2026 03:11:54 +0000 Subject: [PATCH 2/3] refactor(tests): switch from prism to steady --- CONTRIBUTING.md | 2 +- scripts/mock | 26 +++++++++++++------------- scripts/test | 16 ++++++++-------- 3 files changed, 22 insertions(+), 22 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 2100731..9abb25c 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -85,7 +85,7 @@ $ pip install ./path-to-wheel-file.whl ## Running tests -Most tests require you to [set up a mock server](https://github.com/stoplightio/prism) against the OpenAPI spec to run the tests. +Most tests require you to [set up a mock server](https://github.com/dgellow/steady) against the OpenAPI spec to run the tests. ```sh $ ./scripts/mock diff --git a/scripts/mock b/scripts/mock index bcf3b39..00b490b 100755 --- a/scripts/mock +++ b/scripts/mock 
@@ -19,34 +19,34 @@ fi echo "==> Starting mock server with URL ${URL}" -# Run prism mock on the given spec +# Run steady mock on the given spec if [ "$1" == "--daemon" ]; then # Pre-install the package so the download doesn't eat into the startup timeout - npm exec --package=@stainless-api/prism-cli@5.15.0 -- prism --version + npm exec --package=@stdy/cli@0.19.3 -- steady --version - npm exec --package=@stainless-api/prism-cli@5.15.0 -- prism mock "$URL" &> .prism.log & + npm exec --package=@stdy/cli@0.19.3 -- steady --host 127.0.0.1 -p 4010 --validator-query-array-format=repeat --validator-query-object-format=brackets "$URL" &> .stdy.log & - # Wait for server to come online (max 30s) + # Wait for server to come online via health endpoint (max 30s) echo -n "Waiting for server" attempts=0 - while ! grep -q "✖ fatal\|Prism is listening" ".prism.log" ; do + while ! curl --silent --fail "http://127.0.0.1:4010/_x-steady/health" >/dev/null 2>&1; do + if ! kill -0 $! 2>/dev/null; then + echo + cat .stdy.log + exit 1 + fi attempts=$((attempts + 1)) if [ "$attempts" -ge 300 ]; then echo - echo "Timed out waiting for Prism server to start" - cat .prism.log + echo "Timed out waiting for Steady server to start" + cat .stdy.log exit 1 fi echo -n "." sleep 0.1 done - if grep -q "✖ fatal" ".prism.log"; then - cat .prism.log - exit 1 - fi - echo else - npm exec --package=@stainless-api/prism-cli@5.15.0 -- prism mock "$URL" + npm exec --package=@stdy/cli@0.19.3 -- steady --host 127.0.0.1 -p 4010 --validator-query-array-format=repeat --validator-query-object-format=brackets "$URL" fi diff --git a/scripts/test b/scripts/test index dbeda2d..d0fe9be 100755 --- a/scripts/test +++ b/scripts/test @@ -9,8 +9,8 @@ GREEN='\033[0;32m' YELLOW='\033[0;33m' NC='\033[0m' # No Color -function prism_is_running() { - curl --silent "http://localhost:4010" >/dev/null 2>&1 +function steady_is_running() { + curl --silent "http://127.0.0.1:4010/_x-steady/health" >/dev/null 2>&1 } kill_server_on_port() { 
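Review bot: The three `npm exec --package=@stdy/cli@0.19.3` invocations download and run the mock server from the registry by version number alone. The repository records no expected content hash, and this commit moves that trust from `@stainless-api/prism-cli` to a different publisher scope. Because the script runs on developer machines and presumably in CI, consider installing the CLI through a committed lockfile so a recorded integrity hash is checked before execution. A comment above the first invocation, such as `# @stdy/cli is pinned on purpose; review the release before bumping this version`, would also flag the pin to maintainers.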
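Review bot: `steady_is_running` calls `curl --silent` without `--fail`, so any process answering on 127.0.0.1:4010 counts as a running mock, even one that returns 404 for `/_x-steady/health`. The test suite would then run against that process. The readiness loop in `scripts/mock` already uses `--fail` for the same URL, so the check here should match: `curl --silent --fail "http://127.0.0.1:4010/_x-steady/health" >/dev/null 2>&1`. The `kill_server_on_port` function that follows continues outside the hunk.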
@@ -25,7 +25,7 @@ function is_overriding_api_base_url() { [ -n "$TEST_API_BASE_URL" ] } -if ! is_overriding_api_base_url && ! prism_is_running ; then +if ! is_overriding_api_base_url && ! steady_is_running ; then # When we exit this script, make sure to kill the background mock server process trap 'kill_server_on_port 4010' EXIT @@ -36,19 +36,19 @@ fi if is_overriding_api_base_url ; then echo -e "${GREEN}✔ Running tests against ${TEST_API_BASE_URL}${NC}" echo -elif ! prism_is_running ; then - echo -e "${RED}ERROR:${NC} The test suite will not run without a mock Prism server" +elif ! steady_is_running ; then + echo -e "${RED}ERROR:${NC} The test suite will not run without a mock Steady server" echo -e "running against your OpenAPI spec." echo echo -e "To run the server, pass in the path or url of your OpenAPI" - echo -e "spec to the prism command:" + echo -e "spec to the steady command:" echo - echo -e " \$ ${YELLOW}npm exec --package=@stainless-api/prism-cli@5.15.0 -- prism mock path/to/your.openapi.yml${NC}" + echo -e " \$ ${YELLOW}npm exec --package=@stdy/cli@0.19.3 -- steady path/to/your.openapi.yml --host 127.0.0.1 -p 4010 --validator-query-array-format=repeat --validator-query-object-format=brackets${NC}" echo exit 1 else - echo -e "${GREEN}✔ Mock prism server is running with your OpenAPI spec${NC}" + echo -e "${GREEN}✔ Mock steady server is running with your OpenAPI spec${NC}" echo fi From 4eaf9d20c6de145cc7d8af69cc287d5936021097 Mon Sep 17 00:00:00 2001 From: "stainless-app[bot]" <142633134+stainless-app[bot]@users.noreply.github.com> Date: Fri, 20 Mar 2026 03:12:11 +0000 Subject: [PATCH 3/3] release: 1.22.2 --- .release-please-manifest.json | 2 +- CHANGELOG.md | 13 +++++++++++++ pyproject.toml | 2 +- src/onebusaway/_version.py | 2 +- 4 files changed, 16 insertions(+), 3 deletions(-) diff --git a/.release-please-manifest.json b/.release-please-manifest.json index efc2d51..f6c1863 100644 --- a/.release-please-manifest.json +++ b/.release-please-manifest.json 
@@ -1,3 +1,3 @@ { - ".": "1.22.1" + ".": "1.22.2" } \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index 9ab862c..3ef4800 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,18 @@ # Changelog +## 1.22.2 (2026-03-20) + +Full Changelog: [v1.22.1...v1.22.2](https://github.com/OneBusAway/python-sdk/compare/v1.22.1...v1.22.2) + +### Bug Fixes + +* sanitize endpoint path params ([3d04ad1](https://github.com/OneBusAway/python-sdk/commit/3d04ad1d05edb09c8eac32fc6a0752fadf20a04e)) + + +### Refactors + +* **tests:** switch from prism to steady ([9737588](https://github.com/OneBusAway/python-sdk/commit/9737588d82b10a90ecc22f6c0e9b7918362ff799)) + ## 1.22.1 (2026-03-17) Full Changelog: [v1.22.0...v1.22.1](https://github.com/OneBusAway/python-sdk/compare/v1.22.0...v1.22.1) diff --git a/pyproject.toml b/pyproject.toml index 10c2fe6..fe99a7e 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "onebusaway" -version = "1.22.1" +version = "1.22.2" description = "The official Python library for the onebusaway-sdk API" dynamic = ["readme"] license = "Apache-2.0" diff --git a/src/onebusaway/_version.py b/src/onebusaway/_version.py index bb45419..d7dc3fd 100644 --- a/src/onebusaway/_version.py +++ b/src/onebusaway/_version.py @@ -1,4 +1,4 @@ # File generated from our OpenAPI spec by Stainless. See CONTRIBUTING.md for details. __title__ = "onebusaway" -__version__ = "1.22.1" # x-release-please-version +__version__ = "1.22.2" # x-release-please-version