Prevent unintended access to sensitive fields (passwords, private keys) (#876)
Make sure that fields specified in filter, sortBy, etc. are model fields and may be accessed. This fixes a potential security issue. The filter() function allowed guessing the content of password hashes one character at a time. The sort() function allowed the user to call an arbitrary method of an arbitrary model attribute, for example sortBy=id&sortDir=distinct would produce an unexpected error.
@ -1,15 +1,14 @@
|
||||
from __future__ import unicode_literals # at top of module
|
||||
from __future__ import unicode_literals # at top of module
|
||||
|
||||
import json
|
||||
import pytest
|
||||
import datetime
|
||||
import arrow
|
||||
import json
|
||||
|
||||
from freezegun import freeze_time
|
||||
import arrow
|
||||
import pytest
|
||||
from cryptography import x509
|
||||
from freezegun import freeze_time
|
||||
|
||||
from lemur.certificates.views import * # noqa
|
||||
|
||||
from lemur.tests.vectors import VALID_ADMIN_HEADER_TOKEN, VALID_USER_HEADER_TOKEN, CSR_STR, \
|
||||
INTERNAL_VALID_LONG_STR, INTERNAL_VALID_SAN_STR, PRIVATE_KEY_STR
|
||||
|
||||
@ -535,3 +534,8 @@ def test_certificates_upload_delete(client, token, status):
|
||||
])
|
||||
def test_certificates_upload_patch(client, token, status):
|
||||
assert client.patch(api.url_for(CertificatesUpload), data={}, headers=token).status_code == status
|
||||
|
||||
|
||||
def test_sensitive_sort(client):
|
||||
resp = client.get(api.url_for(CertificatesList) + '?sortBy=private_key&sortDir=asc', headers=VALID_ADMIN_HEADER_TOKEN)
|
||||
assert "'private_key' is not sortable or filterable" in resp.json['message']
|
||||
|
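Review bot: test_sensitive_sort at the end of the second hunk asserts only on the error text in resp.json['message'] and never on the HTTP status, so a regression that returned 200 with an error-shaped body would still pass; add `assert resp.status_code == 400` (or whichever status the view actually returns for this rejection — not visible from here) ahead of the message assertion. The same gap exists in test_sensitive_filter and test_sensitive_sort in the roles and users test files of this commit. This file also covers only the sortBy path for private_key; the filter path the description identifies has no certificate-side test, so a `test_sensitive_filter` requesting `?filter=private_key;a` against CertificatesList and asserting the same "'private_key' is not sortable or filterable" message would close that gap. The tests only exercise VALID_ADMIN_HEADER_TOKEN even though VALID_USER_HEADER_TOKEN is imported; running both confirms the rejection is not tied to the admin role.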
@ -1,10 +1,9 @@
|
||||
import json
|
||||
|
||||
import pytest
|
||||
|
||||
from lemur.roles.views import * # noqa
|
||||
from lemur.tests.factories import RoleFactory, AuthorityFactory, CertificateFactory, UserFactory
|
||||
|
||||
|
||||
from .vectors import VALID_ADMIN_HEADER_TOKEN, VALID_USER_HEADER_TOKEN
|
||||
|
||||
|
||||
@ -165,3 +164,8 @@ def test_role_list_delete(client, token, status):
|
||||
])
|
||||
def test_role_list_patch(client, token, status):
|
||||
assert client.patch(api.url_for(RolesList), data={}, headers=token).status_code == status
|
||||
|
||||
|
||||
def test_sensitive_filter(client):
|
||||
resp = client.get(api.url_for(RolesList) + '?filter=password;a', headers=VALID_ADMIN_HEADER_TOKEN)
|
||||
assert "'password' is not sortable or filterable" in resp.json['message']
|
||||
|
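Review bot: The roles hunk adds test_sensitive_filter but no test_sensitive_sort, whereas the users file gets both, so the sortBy path on RolesList — the one the description says could invoke an arbitrary method on a model attribute — is left untested here. Mirror the users test with `def test_sensitive_sort(client):`, `resp = client.get(api.url_for(RolesList) + '?sortBy=password&sortDir=asc', headers=VALID_ADMIN_HEADER_TOKEN)` and `assert "'password' is not sortable or filterable" in resp.json['message']`. A brief docstring such as "Filtering on the password hash must be rejected even for admins" would also make the intent of the new test clear to the next reader.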
@ -1,8 +1,6 @@
|
||||
import pytest
|
||||
|
||||
from lemur.users.views import * # noqa
|
||||
|
||||
|
||||
from .vectors import VALID_ADMIN_HEADER_TOKEN, VALID_USER_HEADER_TOKEN
|
||||
|
||||
|
||||
@ -99,3 +97,13 @@ def test_user_list_delete(client, token, status):
|
||||
])
|
||||
def test_user_list_patch(client, token, status):
|
||||
assert client.patch(api.url_for(UsersList), data={}, headers=token).status_code == status
|
||||
|
||||
|
||||
def test_sensitive_filter(client):
|
||||
resp = client.get(api.url_for(UsersList) + '?filter=password;a', headers=VALID_ADMIN_HEADER_TOKEN)
|
||||
assert "'password' is not sortable or filterable" in resp.json['message']
|
||||
|
||||
|
||||
def test_sensitive_sort(client):
|
||||
resp = client.get(api.url_for(UsersList) + '?sortBy=password&sortDir=asc', headers=VALID_ADMIN_HEADER_TOKEN)
|
||||
assert "'password' is not sortable or filterable" in resp.json['message']
|
||||
|
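Review bot: Both new tests in the second hunk are negative cases only; nothing checks that a legitimate field still filters or sorts after the change, so an over-broad allowlist that rejects every field would pass this suite unnoticed. A positive control such as `resp = client.get(api.url_for(UsersList) + '?sortBy=id&sortDir=asc', headers=VALID_ADMIN_HEADER_TOKEN)` followed by `assert resp.status_code == 200` would pin that, assuming the list endpoint returns 200 for the admin token as the other list tests in this file presumably do. Both tests also send only VALID_ADMIN_HEADER_TOKEN although VALID_USER_HEADER_TOKEN is imported at the top of the file; parametrizing over both tokens, as the neighbouring test_user_list_patch already does via its token parameter, would confirm the rejection does not depend on the caller's role.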