From 6ba81b7c38782b7ac6ede3823d2bba3989bb7bb9 Mon Sep 17 00:00:00 2001
From: Chris Lenk
Date: Wed, 31 Aug 2022 14:45:22 -0400
Subject: [PATCH] Raise 400 error on duplicate filter parameters

To pass the use case test in Section 3.13.1.10 of the TAXII 2.1 Interoperability Specification.
---
 medallion/__init__.py | 9 ++++++++-
 medallion/test/test_backends.py | 8 ++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/medallion/__init__.py b/medallion/__init__.py
index 6528379..49141ec 100644
--- a/medallion/__init__.py
+++ b/medallion/__init__.py
@@ -2,7 +2,7 @@
 import logging
 import warnings
-from flask import Response, current_app, json
+from flask import Response, current_app, json, request
 from flask_httpauth import HTTPBasicAuth
 from .backends import base as mbe_base
@@ -156,3 +156,10 @@ def handle_backend_error(error):
 status=error.status,
 mimetype=MEDIA_TYPE_TAXII_V21,
 )
+
+
+@APPLICATION_INSTANCE.before_request
+def validate_match_parameters():
+ for key, val in request.values.lists():
+ if len(val) > 1:
+ raise ProcessingError("The server can not process duplicate request or filter parameters", 400)
diff --git a/medallion/test/test_backends.py b/medallion/test/test_backends.py
index 5353547..0a8e978 100644
--- a/medallion/test/test_backends.py
+++ b/medallion/test/test_backends.py
@@ -1335,6 +1335,14 @@ def test_object_pagination_changing_params_400(backend):
 assert objs["title"] == "ProcessingError"
+def test_object_duplicate_match_filter_400(backend):
+ r = backend.client.get(
+ test.GET_OBJECTS_EP + "?match[type]=campaign&match[type]=malware",
+ headers=backend.headers
+ )
+ assert r.status_code == 400
+
+
 # test other config values
 # this may warrant some cleanup and organization later
 class TestTAXIIWithNoConfig(TaxiiTest):
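Review bot: `validate_match_parameters` is registered with `before_request`, so it runs on every route and, if authentication is enforced by decorators on the views (not visible in this hunk), ahead of the credential check; an unauthenticated request that repeats a parameter would then be answered with 400 rather than 401. `request.values` also merges the query string with form data, so the check covers more than the `match[...]` filters the function name suggests. The loop variable `key` is never used: either report it, `raise ProcessingError(f"Duplicate request parameter: {key}", 400)`, or iterate with `for _, val in ...`. A one-line docstring such as `"""Reject any request that repeats a query or form parameter (TAXII 2.1 interop 3.13.1.10)."""` would record the intended scope.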
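Review bot: `test_object_duplicate_match_filter_400` asserts only the status code, so any other 400 raised on this endpoint would make it pass without the new hook being exercised. The preceding test checks the error body, and the same check fits here: `assert r.json["title"] == "ProcessingError"` (assuming the test client exposes `.json`, as Flask's does). A companion case that sends a single comma-separated filter, `"?match[type]=campaign,malware"`, and expects 200 would confirm the hook does not reject legitimate multi-value filters.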