add defensive checks against data being funny

2025-01-13 17:16:39 -08:00 · 2025-01-13 17:16:39 -08:00 · 2d20c40641
commit 2d20c40641
parent 1e7a37bcf9
2 changed files with 27 additions and 2 deletions
--- a/reflex/app.py
+++ b/reflex/app.py
@ -1563,10 +1563,31 @@ class EventNamespace(AsyncNamespace):
        Args:
            sid: The Socket.IO session id.
            data: The event data.
+
+        Raises:
+            EventDeserializationError: If the event data is not a dictionary.
        """
        fields = data
-        # Get the event.
-        event = Event(**{k: v for k, v in fields.items() if k in _EVENT_FIELDS})
+
+        if isinstance(fields, str):
+            fields = json.loads(fields)
+            console.warn(
+                "Received event data as a string. This generally should not happen and may indicate a bug."
+                f" Event data: {fields}"
+            )
+
+        if not isinstance(fields, dict):
+            raise exceptions.EventDeserializationError(
+                f"Event data must be a dictionary, but received {fields} of type {type(fields)}."
+            )
+
+        try:
+            # Get the event.
+            event = Event(**{k: v for k, v in fields.items() if k in _EVENT_FIELDS})
+        except (TypeError, ValueError) as ex:
+            raise exceptions.EventDeserializationError(
+                f"Failed to deserialize event data: {fields}."
+            ) from ex

        self.token_to_sid[event.token] = sid
        self.sid_to_token[sid] = event.token
--- a/reflex/utils/exceptions.py
+++ b/reflex/utils/exceptions.py
@ -167,6 +167,10 @@ class SystemPackageMissingError(ReflexError):
    """Raised when a system package is missing."""


+class EventDeserializationError(ReflexError, ValueError):
+    """Raised when an event cannot be deserialized."""
+
+
 def raise_system_package_missing_error(package: str) -> NoReturn:
    """Raise a SystemPackageMissingError.