fix(backend): post-review fixes sprint 2

- test_simulations_patch: remove false dict return annotation on _patch helper - simulation_workflow: validate executed_at upfront before any setattr (prevents partial mutation on bad payload) - api/simulations: remove unreachable role check in update_simulation (all valid roles are admin/redteam/soc) - Dockerfile: remove redundant COPY backend/data/ (already covered by COPY backend/) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-26 11:21:32 +02:00
parent 765bb5a1a4
commit 83bf60fb30
4 changed files with 40 additions and 18 deletions
--- a/backend/app/api/simulations.py
+++ b/backend/app/api/simulations.py
@@ -80,9 +80,6 @@ def update_simulation(sid: int):
        return jsonify({"error": "Simulation not found"}), 404

    user = g.current_user
-    if user.role.value not in ("admin", "redteam", "soc"):
-        return jsonify({"error": "Forbidden"}), 403
-
    data = request.get_json(silent=True) or {}
    if not data:
        return jsonify(serialize_simulation(sim)), 200
--- a/backend/app/services/simulation_workflow.py
+++ b/backend/app/services/simulation_workflow.py
@@ -79,18 +79,21 @@ def apply_patch(
        # admin / redteam: apply all fields present.
        redteam_keys_present = REDTEAM_FIELDS & payload.keys()

-        for field in redteam_keys_present:
-            if field == "executed_at":
+        # Validate executed_at before any writes so a bad value causes no partial mutation.
+        executed_at_value: datetime | None = None
+        if "executed_at" in redteam_keys_present:
            val = payload["executed_at"]
-                if val is None:
-                    simulation.executed_at = None
-                else:
+            if val is not None:
                if not isinstance(val, str):
                    return jsonify({"error": "invalid executed_at"}), 400
                try:
-                        simulation.executed_at = datetime.fromisoformat(val)
+                    executed_at_value = datetime.fromisoformat(val)
                except ValueError:
                    return jsonify({"error": "invalid executed_at"}), 400
+
+        for field in redteam_keys_present:
+            if field == "executed_at":
+                simulation.executed_at = executed_at_value
            else:
                setattr(simulation, field, payload[field])

--- a/backend/tests/test_simulations_patch.py
+++ b/backend/tests/test_simulations_patch.py
@@ -26,11 +26,10 @@ def _make_sim(client: FlaskClient, token: str, eid: int) -> dict:
    return resp.get_json()


-def _patch(client: FlaskClient, token: str, sid: int, payload: dict) -> dict:
-    resp = client.patch(
+def _patch(client: FlaskClient, token: str, sid: int, payload: dict):
+    return client.patch(
        f"/api/simulations/{sid}", headers=_h(token), json=payload
    )
-    return resp


 # ---------------------------------------------------------------------------
@@ -232,7 +231,7 @@ def test_soc_can_patch_when_review_required(


 def test_soc_can_patch_when_done(
-    client: FlaskClient, redteam_token: str, soc_token: str, admin_token: str
+    client: FlaskClient, redteam_token: str, soc_token: str
 ) -> None:
    eng = _make_engagement(client, redteam_token)
    sim = _make_sim(client, redteam_token, eng["id"])
@@ -270,3 +269,27 @@ def test_soc_cannot_edit_redteam_fields(
 def test_patch_simulation_404(client: FlaskClient, redteam_token: str) -> None:
    resp = _patch(client, redteam_token, 9999, {"name": "x"})
    assert resp.status_code == 404
+
+
+def test_invalid_executed_at_does_not_mutate_other_fields(
+    client: FlaskClient, redteam_token: str
+) -> None:
+    """invalid executed_at must return 400 without persisting other fields in the payload."""
+    eng = _make_engagement(client, redteam_token)
+    sim = _make_sim(client, redteam_token, eng["id"])
+    original_description = sim["description"]
+
+    resp = _patch(
+        client,
+        redteam_token,
+        sim["id"],
+        {"description": "should-not-stick", "executed_at": "not-a-date"},
+    )
+    assert resp.status_code == 400
+
+    get_resp = client.get(
+        f"/api/simulations/{sim['id']}",
+        headers={"Authorization": f"Bearer {redteam_token}"},
+    )
+    assert get_resp.status_code == 200
+    assert get_resp.get_json()["description"] == original_description
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -12,7 +12,6 @@ WORKDIR /app
 COPY backend/requirements.txt ./backend/
 RUN pip install --no-cache-dir -r backend/requirements.txt
 COPY backend/ ./backend/
-COPY backend/data/ ./backend/data/
 COPY --from=frontend-build /app/frontend/dist ./backend/app/static

 ENV FLASK_APP=backend.app:create_app