dev: fix api security error (#4072)

2024-06-14 14:31:34 +00:00 · 2024-03-26 20:38:25 +05:30 · 2024-03-26 20:38:25 +05:30 · 30cee78170
commit 30cee78170
parent 4c46b075b4
1 changed files with 16 additions and 15 deletions
--- a/apiserver/plane/api/serializers/issue.py
+++ b/apiserver/plane/api/serializers/issue.py
@ -1,32 +1,33 @@
-from lxml import html
+from django.core.exceptions import ValidationError
+from django.core.validators import URLValidator

 # Django imports
 from django.utils import timezone
-from django.core.validators import URLValidator
-from django.core.exceptions import ValidationError
+from lxml import html

 #  Third party imports
 from rest_framework import serializers

 # Module imports
 from plane.db.models import (
-    User,
    Issue,
-    State,
+    IssueActivity,
    IssueAssignee,
-    Label,
+    IssueAttachment,
+    IssueComment,
    IssueLabel,
    IssueLink,
-    IssueComment,
-    IssueAttachment,
-    IssueActivity,
+    Label,
    ProjectMember,
+    State,
+    User,
 )
+
 from .base import BaseSerializer
-from .cycle import CycleSerializer, CycleLiteSerializer
-from .module import ModuleSerializer, ModuleLiteSerializer
-from .user import UserLiteSerializer
+from .cycle import CycleLiteSerializer, CycleSerializer
+from .module import ModuleLiteSerializer, ModuleSerializer
 from .state import StateLiteSerializer
+from .user import UserLiteSerializer


 class IssueSerializer(BaseSerializer):
@ -79,7 +80,7 @@ class IssueSerializer(BaseSerializer):
                data["description_html"] = parsed_str

        except Exception as e:
-            raise serializers.ValidationError(f"Invalid HTML: {str(e)}")
+            raise serializers.ValidationError("Invalid HTML passed")

        # Validate assignees are from project
        if data.get("assignees", []):
@ -294,7 +295,7 @@ class IssueLinkSerializer(BaseSerializer):
            raise serializers.ValidationError("Invalid URL format.")

        # Check URL scheme
-        if not value.startswith(('http://', 'https://')):
+        if not value.startswith(("http://", "https://")):
            raise serializers.ValidationError("Invalid URL scheme.")

        return value
@ -366,7 +367,7 @@ class IssueCommentSerializer(BaseSerializer):
                data["comment_html"] = parsed_str

        except Exception as e:
-            raise serializers.ValidationError(f"Invalid HTML: {str(e)}")
+            raise serializers.ValidationError("Invalid HTML passed")
        return data