Skip to content

fix(providers): harden easyRadiology portal flow against malformed responses#155

Merged
Liohtml merged 1 commit into
mainfrom
claude/dependabot-prs-q6u94z
Jul 10, 2026
Merged

fix(providers): harden easyRadiology portal flow against malformed responses#155
Liohtml merged 1 commit into
mainfrom
claude/dependabot-prs-q6u94z

Conversation

@Liohtml

@Liohtml Liohtml commented Jul 10, 2026

Copy link
Copy Markdown
Owner

Summary

The portal orchestration (fetch_check_view_code_get_viewer_model) assumed a well-formed response at every step: a non-JSON body, missing keys (encryptedAccessKey, Salt, linkToERI), or an empty exams list crashed with opaque tracebacks. _decrypt_aes_cbc crashed with IndexError on empty ciphertext and an opaque pycryptodome block-size error on truncated input. The whole network flow had zero test coverage.

Fixes #139

Changes

  • src/medcheck/providers/easyradiology.py:
    • _decrypt_aes_cbc: validates ciphertext is a positive multiple of 16 up front — in this unauthenticated, server-dictated CBC protocol the manual PKCS7 check is the only integrity signal, so it must be robust against malformed input
    • protocol-shape mismatches raise a provider-level RuntimeError naming the failing step ("… The portal API may have changed.") via a shared _unexpected_response helper
    • undecryptable access keys raise a distinct ValueError hinting the access code may be wrong or the link expired (a padding failure usually means wrong code, not protocol change)
    • fetch validates the access code is present and the viewer model contains a linkToERI
  • tests/unit/test_providers/test_easyradiology.py: 13 new tests with mocked httpx — non-JSON bodies, empty/missing exams, malformed exam entries, garbage ciphertext, error flags, missing download link, missing access code, empty/partial-block ciphertext

Testing

  • Existing tests pass (uv run pytest) — 197 passed
  • New tests added for new functionality — 13 new provider tests; module coverage 72% → 92%
  • Coverage does not decrease (uv run pytest --cov-fail-under=85) — total 90.18% (was 88.3%)
  • Linting passes (uv run ruff check .)
  • Type checking passes (uv run mypy src/medcheck --strict)
  • Security scan passes (uv run bandit -r src/medcheck -ll -q)
  • Pre-commit hooks pass — ruff hooks pass locally; full pre-commit not run

Additional Notes

No protocol behavior changes — request shapes, scrypt/AES parameters, SSRF allowlist, and download caps are untouched; only response validation and error quality changed.

🤖 Generated with Claude Code

https://claude.ai/code/session_01W4svt5QTs4WUMSy4HwiVt9


Generated by Claude Code

…sponses

The portal orchestration (fetch/_check_view_code/_get_viewer_model)
assumed a well-formed response at every step: a non-JSON body, missing
keys, or an empty exams list crashed with opaque tracebacks, and
_decrypt_aes_cbc crashed with IndexError on empty ciphertext or an
opaque block-size error on truncated input. Now:

- _decrypt_aes_cbc validates ciphertext length up front (the manual
  PKCS7 check is the only integrity signal in this unauthenticated
  server-dictated CBC protocol, so it must be robust)
- protocol-shape mismatches raise a provider-level RuntimeError naming
  the step ('the portal API may have changed')
- undecryptable access keys raise a distinct hint that the access code
  may be wrong or the link expired
- fetch validates the presence of the access code and download link

Adds 13 tests covering the previously untested network orchestration
with mocked httpx (module coverage 72% -> 92%).

Fixes #139

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01W4svt5QTs4WUMSy4HwiVt9
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@Liohtml, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 21 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 9584eaa3-1389-4ab5-9e0e-4d1d038d593f

📥 Commits

Reviewing files that changed from the base of the PR and between 9734eca and fc4a539.

📒 Files selected for processing (2)
  • src/medcheck/providers/easyradiology.py
  • tests/unit/test_providers/test_easyradiology.py
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/dependabot-prs-q6u94z

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@codecov

codecov Bot commented Jul 10, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 87.17949% with 5 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
src/medcheck/providers/easyradiology.py 87.17% 2 Missing and 3 partials ⚠️

📢 Thoughts on this report? Let us know!

@Liohtml Liohtml merged commit f0357f1 into main Jul 10, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

2 participants