restrict API filtering on oauth-related fields

related: https://github.com/ansible/awx/issues/1354
2026-03-06 11:11:07 -03:30 · 2018-03-12 09:12:40 -04:00
parent dcab97f94f
commit a61187e132
2 changed files with 12 additions and 6 deletions
--- a/awx/api/filters.py
+++ b/awx/api/filters.py
@@ -131,6 +131,8 @@ class FieldLookupBackend(BaseFilterBackend):
                    new_parts.append(name_alt)
                else:
                    field = model._meta.get_field(name)
+                if 'auth' in name or 'token' in name:
+                    raise PermissionDenied(_('Filtering on %s is not allowed.' % name))
                if isinstance(field, ForeignObjectRel) and getattr(field.field, '__prevent_search__', False):
                    raise PermissionDenied(_('Filtering on %s is not allowed.' % name))
                elif getattr(field, '__prevent_search__', False):
--- a/awx/main/tests/unit/api/test_filters.py
+++ b/awx/main/tests/unit/api/test_filters.py
@@ -4,11 +4,11 @@ import pytest

 from rest_framework.exceptions import PermissionDenied, ParseError
 from awx.api.filters import FieldLookupBackend
-from awx.main.models import (AdHocCommand, CustomInventoryScript,
-                             Credential, Job, JobTemplate, SystemJob,
-                             UnifiedJob, User, WorkflowJob,
-                             WorkflowJobTemplate, WorkflowJobOptions,
-                             InventorySource)
+from awx.main.models import (AdHocCommand, ActivityStream,
+                             CustomInventoryScript, Credential, Job,
+                             JobTemplate, SystemJob, UnifiedJob, User,
+                             WorkflowJob, WorkflowJobTemplate,
+                             WorkflowJobOptions, InventorySource)
 from awx.main.models.jobs import JobOptions


@@ -56,6 +56,8 @@ def test_filter_on_password_field(password_field, lookup_suffix):
@pytest.mark.parametrize('model, query', [
    (User, 'password__icontains'),
    (User, 'settings__value__icontains'),
+    (User, 'main_oauth2accesstoken__token__gt'),
+    (User, 'main_oauth2application__name__gt'),
    (UnifiedJob, 'job_args__icontains'),
    (UnifiedJob, 'job_env__icontains'),
    (UnifiedJob, 'start_args__icontains'),
@@ -67,7 +69,9 @@ def test_filter_on_password_field(password_field, lookup_suffix):
    (WorkflowJob, 'survey_passwords__icontains'),
    (JobTemplate, 'survey_spec__icontains'),
    (WorkflowJobTemplate, 'survey_spec__icontains'),
-    (CustomInventoryScript, 'script__icontains')
+    (CustomInventoryScript, 'script__icontains'),
+    (ActivityStream, 'o_auth2_access_token__gt'),
+    (ActivityStream, 'o_auth2_application__gt')
 ])
 def test_filter_sensitive_fields_and_relations(model, query):
    field_lookup = FieldLookupBackend()