From e6e637beaed05dce186266d07e47f4fba5f8a5c4 Mon Sep 17 00:00:00 2001
From: Tom Kralidis
Date: Wed, 2 Oct 2019 19:11:47 +0000
Subject: [PATCH] sanitize bbox parameter (#266)
---
 pygeoapi/api.py | 9 +++++++++
 tests/test_api.py | 5 +++++
 2 files changed, 14 insertions(+)
diff --git a/pygeoapi/api.py b/pygeoapi/api.py
index 64eacfa..9f67795 100644
--- a/pygeoapi/api.py
+++ b/pygeoapi/api.py
@@ -467,6 +467,15 @@ class API(object):
 return headers_, 400, json.dumps(exception)
 except AttributeError:
 bbox = []
+ try:
+ [float(c) for c in bbox]
+ except ValueError:
+ exception = {
+ 'code': 'InvalidParameterValue',
+ 'description': 'bbox values must be numbers'
+ }
+ LOGGER.error(exception)
+ return headers_, 400, json.dumps(exception)
 LOGGER.debug('Processing datetime parameter')
 # TODO: pass datetime to query as a `datetime` object
diff --git a/tests/test_api.py b/tests/test_api.py
index f42d090..d1f3fb2 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -197,6 +197,11 @@ def test_get_features(config, api_):
 assert code == 400
+ rsp_headers, code, response = api_.get_features(
+ req_headers, {'bbox': '1,2,3,4c'}, 'obs')
+
+ assert code == 400
+
 rsp_headers, code, response = api_.get_features(
 req_headers, {'f': 'html'}, 'obs')
 assert rsp_headers['Content-Type'] == 'text/html'
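Review bot: The `float()` probe added in the pygeoapi/api.py hunk accepts `nan`, `inf`, `-inf` and overflowing literals such as `1e999`, so a request with `bbox=nan,nan,nan,nan` passes the new check and reaches the provider query unvalidated; the only input `float()` rejects is non-numeric text. The converted values are also discarded, so bbox stays a list of strings for the code that follows, which may or may not be what the providers expect. Replacing the bare comprehension with `if not all(math.isfinite(float(c)) for c in bbox):` followed by `raise ValueError('bbox values must be finite numbers')` inside the same `try` reuses the existing 400 path (add `import math` at the top of api.py if it is not already imported there). The tests/test_api.py hunk only exercises the `'1,2,3,4c'` suffix case and should gain a `{'bbox': 'nan,nan,nan,nan'}` request asserting `code == 400` as well. The enclosing method (presumably get_features, judging from the test) starts and ends outside the hunk.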