Unhandled exception on invalid filter value for relationship

[mahenzon]

Here's a vulnerable place:

combojsonapi/combojsonapi/utils/marshmallow_fields.py

Line 56 in 91dcbf5

if value and "links" in value:

For example you have a schema

class UserSchema(Schema):
    class Meta:
        model = User
        type_ = "user"
        self_view = "user_detail"
        self_view_kwargs = {"id": "<id>"}
        self_view_many = "user_list"
        ordered = True

    group = Relationship(
        nested="GroupSchema",
        attribute="_relationship_group_id_",
        related_view="group_detail",
        related_view_kwargs={"id": "<group_id>"},
        schema="GroupSchema",
        type_="group",
    )

And try to filter it using invalid filter:

[
  {
    "name": "group",
    "op": "eq",
    "val": 42
  }
]

It raises this:

  File "/.../src/combojsonapi/combojsonapi/utils/marshmallow_fields.py", line 56, in deserialize
    if value and "links" in value:
TypeError: argument of type 'int' is not iterable

And a valid shorthand for it (which works well) is

[
  {
    "name": "group.id",
    "op": "eq",
    "val": 42
  }
]

I think that this variant has to be working too, but it makes invalid filtering -- returns objects, that should not be here

https://flask-rest-jsonapi.readthedocs.io/en/latest/filtering.html#

[
  {
    "name": "group",
    "op": "any",
    "val": {
      "name": "id",
      "op": "eq",
      "val": 42
    }
  }
]

I think that we have to add proper checks for data and raise InvalidFilters