sanitize bbox parameter (#266)

pygeoapi/api.py

@@ -467,6 +467,15 @@ class API(object):
                 return headers_, 400, json.dumps(exception)
         except AttributeError:
             bbox = []
+        try:
+            [float(c) for c in bbox]
+        except ValueError:
+            exception = {
+                'code': 'InvalidParameterValue',
+                'description': 'bbox values must be numbers'
+            }
+            LOGGER.error(exception)
+            return headers_, 400, json.dumps(exception)
 
         LOGGER.debug('Processing datetime parameter')
         # TODO: pass datetime to query as a `datetime` object

tests/test_api.py

@@ -197,6 +197,11 @@ def test_get_features(config, api_):
 
     assert code == 400
 
+    rsp_headers, code, response = api_.get_features(
+        req_headers, {'bbox': '1,2,3,4c'}, 'obs')
+
+    assert code == 400
+
     rsp_headers, code, response = api_.get_features(
         req_headers, {'f': 'html'}, 'obs')
     assert rsp_headers['Content-Type'] == 'text/html'