dev: fix api security error (#4072)

Nikhil 2024-03-26 20:38:25 +05:30 committed by GitHub
parent 4c46b075b4
commit 30cee78170
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -1,32 +1,33 @@
from lxml import html from django.core.exceptions import ValidationError
from django.core.validators import URLValidator
# Django imports # Django imports
from django.utils import timezone from django.utils import timezone
from django.core.validators import URLValidator from lxml import html
from django.core.exceptions import ValidationError
# Third party imports # Third party imports
from rest_framework import serializers from rest_framework import serializers
# Module imports # Module imports
from plane.db.models import ( from plane.db.models import (
User,
Issue, Issue,
State, IssueActivity,
IssueAssignee, IssueAssignee,
Label, IssueAttachment,
IssueComment,
IssueLabel, IssueLabel,
IssueLink, IssueLink,
IssueComment, Label,
IssueAttachment,
IssueActivity,
ProjectMember, ProjectMember,
State,
User,
) )
from .base import BaseSerializer from .base import BaseSerializer
from .cycle import CycleSerializer, CycleLiteSerializer from .cycle import CycleLiteSerializer, CycleSerializer
from .module import ModuleSerializer, ModuleLiteSerializer from .module import ModuleLiteSerializer, ModuleSerializer
from .user import UserLiteSerializer
from .state import StateLiteSerializer from .state import StateLiteSerializer
from .user import UserLiteSerializer
class IssueSerializer(BaseSerializer): class IssueSerializer(BaseSerializer):
@ -79,7 +80,7 @@ class IssueSerializer(BaseSerializer):
data["description_html"] = parsed_str data["description_html"] = parsed_str
except Exception as e: except Exception as e:
raise serializers.ValidationError(f"Invalid HTML: {str(e)}") raise serializers.ValidationError("Invalid HTML passed")
# Validate assignees are from project # Validate assignees are from project
if data.get("assignees", []): if data.get("assignees", []):
@ -294,7 +295,7 @@ class IssueLinkSerializer(BaseSerializer):
raise serializers.ValidationError("Invalid URL format.") raise serializers.ValidationError("Invalid URL format.")
# Check URL scheme # Check URL scheme
if not value.startswith(('http://', 'https://')): if not value.startswith(("http://", "https://")):
raise serializers.ValidationError("Invalid URL scheme.") raise serializers.ValidationError("Invalid URL scheme.")
return value return value
@ -366,7 +367,7 @@ class IssueCommentSerializer(BaseSerializer):
data["comment_html"] = parsed_str data["comment_html"] = parsed_str
except Exception as e: except Exception as e:
raise serializers.ValidationError(f"Invalid HTML: {str(e)}") raise serializers.ValidationError("Invalid HTML passed")
return data return data
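Review bot: The generic `"Invalid HTML passed"` message in the `except Exception as e` branch of the IssueSerializer hunk now discards the parser error entirely, so operators lose the diagnostic along with the client; the IssueCommentSerializer hunk has the same shape. Keeping the client-facing text generic is the right call, but the cause should still be recorded server-side before raising, e.g. `logger.exception("HTML sanitisation failed")` on a module logger (or at least `raise serializers.ValidationError("Invalid HTML passed") from e`), so a spike of malformed payloads stays visible in logs. With the message change, the `e` binding is unused in both handlers; if no logging is added, `except Exception:` reads cleaner. The enclosing validate methods start and end outside the hunks.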