External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-20 10:27:34 -02:30
Code Issues Packages Projects Releases Wiki Activity

Prevent filtering on password fields.

Browse Source
This commit is contained in:
Chris Church
2016-10-03 16:15:06 -04:00
parent 3dc07859bc
commit 9fc30643ca
2 changed files with 25 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
awx/api/filters.py
View File

@@ -14,7 +14,7 @@ from django.contrib.contenttypes.models import ContentType
from django.utils.encoding import force_text from django.utils.encoding import force_text
# Django REST Framework # Django REST Framework
from rest_framework.exceptions import ParseError from rest_framework.exceptions import ParseError, PermissionDenied
from rest_framework.filters import BaseFilterBackend from rest_framework.filters import BaseFilterBackend
# Ansible Tower # Ansible Tower
@@ -97,7 +97,10 @@ class FieldLookupBackend(BaseFilterBackend):
new_parts.append(name) new_parts.append(name)
if name == 'pk':
if name in getattr(model, 'PASSWORD_FIELDS', ()):
raise PermissionDenied('Filtering on password fields is not allowed.')
elif name == 'pk':
field = model._meta.pk field = model._meta.pk
else: else:
field = model._meta.get_field_by_name(name)[0] field = model._meta.get_field_by_name(name)[0]

21
awx/main/tests/unit/api/test_filters.py
View File

@@ -1,7 +1,8 @@
import pytest import pytest
from rest_framework.exceptions import PermissionDenied
from awx.api.filters import FieldLookupBackend from awx.api.filters import FieldLookupBackend
from awx.main.models import JobTemplate from awx.main.models import Credential, JobTemplate
@pytest.mark.parametrize(u"empty_value", [u'', '']) @pytest.mark.parametrize(u"empty_value", [u'', ''])
def test_empty_in(empty_value): def test_empty_in(empty_value):
@@ -15,3 +16,21 @@ def test_valid_in(valid_value):
field_lookup = FieldLookupBackend() field_lookup = FieldLookupBackend()
value, new_lookup = field_lookup.value_to_python(JobTemplate, 'project__in', valid_value) value, new_lookup = field_lookup.value_to_python(JobTemplate, 'project__in', valid_value)
assert 'foo' in value assert 'foo' in value
@pytest.mark.parametrize('lookup_suffix', ['', 'contains', 'startswith', 'in'])
@pytest.mark.parametrize('password_field', Credential.PASSWORD_FIELDS)
def test_filter_on_password_field(password_field, lookup_suffix):
field_lookup = FieldLookupBackend()
lookup = '__'.join(filter(None, [password_field, lookup_suffix]))
with pytest.raises(PermissionDenied) as excinfo:
field, new_lookup = field_lookup.get_field_from_lookup(Credential, lookup)
assert 'not allowed' in str(excinfo.value)
@pytest.mark.parametrize('lookup_suffix', ['', 'contains', 'startswith', 'in'])
@pytest.mark.parametrize('password_field', Credential.PASSWORD_FIELDS)
def test_filter_on_related_password_field(password_field, lookup_suffix):
field_lookup = FieldLookupBackend()
lookup = '__'.join(filter(None, ['credential', password_field, lookup_suffix]))
with pytest.raises(PermissionDenied) as excinfo:
field, new_lookup = field_lookup.get_field_from_lookup(JobTemplate, lookup)
assert 'not allowed' in str(excinfo.value)