UUIDField not being validated for retrieval

[diogobaeder]

Checklist

• I have verified that that issue exists against the master branch of Django REST framework.
• I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
• This is not a usage question. (Those should be directed to the discussion group instead.)
• This cannot be dealt with as a third party library. (We prefer new functionality to be in the form of third party libraries where possible.)
• I have reduced the issue to the simplest possible case.
• I have included a failing test as a pull request. (If you are unable to do so we can still accept the issue.)

Steps to reproduce

Hi,

I'm a newcomer to DRF, and an issue I'm having is that I'm using Django's UUIDField in some models and using them as the lookup_fields in my serializers. They work fine when I send a request with a correctly-formatted UUID, but DRF simply fails with a server error if the request sends an invalid string (such as "invalid") - instead of responding with HTTP 400 or 404, which was what I would expect. I tried debugging the code a bit, and it doesn't seem to be validated anywhere when calling retrieve() from the RetrieveModelMixin. Then I receive a django.core.exceptions.ValidationError which is bubbled up until the application layer, instead of being handled by DRF gracefully, since it's a case of user error and not application error.

I believe this is a bug, but, if it's not and if it's up to the developers to code the validation themselves, please let me know.

So the steps to reproduce are pretty simple:

1. Add a UUIDField to a model
2. Define a serializer for this model
3. Define the uuid field as the lookup field
4. Send a test request to the detail view but passing "invalid" as the uuid

Expected behavior

Either an HTTP 400 or 404 response

Actual behavior

The application fails and lets the low-level validation error bubble up, responding with an HTTP 500 response to the client

[xordoquy]

My feeling here is the url regex is left too permissive to allow invalid uuid.
This being said, I'm not closing the issue here as an correctly formatted uuid yet invalid could lead to the same result.
Any chance we can get a test case to demonstrate the issue ?

[jleclanche]

I can confirm the issue, for different reasons. In Django 1.11, UUIDField's to_python has changed and now throws a django.core.exceptions.ValidationError:

    def to_python(self, value):
        if value is not None and not isinstance(value, uuid.UUID):
            try:
                return uuid.UUID(value)
            except (AttributeError, ValueError):
                raise exceptions.ValidationError(
                    self.error_messages['invalid'],
                    code='invalid',
>                   params={'value': value},
                )
E               django.core.exceptions.ValidationError: ["'nope' is not a valid UUID."]

../../env/lib/python3.4/site-packages/django/db/models/fields/__init__.py:2401: ValidationError

[tomchristie]

Should be resolved in 3.6.3 - #5126

[tomchristie]

Ah right, that'd fix the view-lookup, but not the serializer fields, I think?
Equivalent fix also needed there, presumably?

[carltongibson]

I'm going to de-milestone this for now.

I think (?) as reported this was solved by #5126. But the same issue should come up in related fields. e.g. ...

django-rest-framework/rest_framework/relations.py

Lines 246 to 253 in d8da6bb

	def to_internal_value(self, data):
	if self.pk_field is not None:
	data = self.pk_field.to_internal_value(data)
	try:
	return self.get_queryset().get(pk=data)
	except ObjectDoesNotExist:
	self.fail('does_not_exist', pk_value=data)
	except (TypeError, ValueError):

This should be an easy enough fix. It's just putting together the right test cases. Happy to see a PR for that!

[diogobaeder]

Thanks for the help so far, guys :-)