fix: security warnings related to information exposure and regex validations (#3325)

This commit is contained in:
Nikhil 2024-01-08 23:26:32 +05:30 committed by sriram veeraghanta
parent 68d370fd86
commit 43b503c756
5 changed files with 13 additions and 17 deletions


@ -104,15 +104,14 @@ class BaseAPIView(TimezoneMixin, APIView, BasePaginator):
) )
if isinstance(e, ObjectDoesNotExist): if isinstance(e, ObjectDoesNotExist):
model_name = str(exc).split(" matching query does not exist.")[0]
return Response( return Response(
{"error": f"{model_name} does not exist."}, {"error": f"The required object does not exist."},
status=status.HTTP_404_NOT_FOUND, status=status.HTTP_404_NOT_FOUND,
) )
if isinstance(e, KeyError): if isinstance(e, KeyError):
return Response( return Response(
{"error": f"key {e} does not exist"}, {"error": f" The required key does not exist."},
status=status.HTTP_400_BAD_REQUEST, status=status.HTTP_400_BAD_REQUEST,
) )
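Review bot: The replacement messages at L16 and L21 are still written as f-strings although they no longer contain a placeholder, and the same pattern is repeated in the other files' hunks (L32, L38, L46, L50, L60, L74); linters flag this (ruff F541) and it invites a later edit to interpolate exception detail back in. The L21 literal also carries a leading space, `" The required key does not exist."`, which the copies in the other files do not have, so the same condition yields slightly different bodies across views. Suggested lines: `{"error": "The required object does not exist."},` and `{"error": "The required key does not exist."},`. The enclosing exception handler starts and ends outside the hunk.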


@ -113,16 +113,15 @@ class BaseViewSet(TimezoneMixin, ModelViewSet, BasePaginator):
) )
if isinstance(e, ObjectDoesNotExist): if isinstance(e, ObjectDoesNotExist):
model_name = str(exc).split(" matching query does not exist.")[0]
return Response( return Response(
{"error": f"{model_name} does not exist."}, {"error": f"The required object does not exist."},
status=status.HTTP_404_NOT_FOUND, status=status.HTTP_404_NOT_FOUND,
) )
if isinstance(e, KeyError): if isinstance(e, KeyError):
capture_exception(e) capture_exception(e)
return Response( return Response(
{"error": f"key {e} does not exist"}, {"error": f"The required key does not exist."},
status=status.HTTP_400_BAD_REQUEST, status=status.HTTP_400_BAD_REQUEST,
) )
@ -216,14 +215,13 @@ class BaseAPIView(TimezoneMixin, APIView, BasePaginator):
) )
if isinstance(e, ObjectDoesNotExist): if isinstance(e, ObjectDoesNotExist):
model_name = str(exc).split(" matching query does not exist.")[0]
return Response( return Response(
{"error": f"{model_name} does not exist."}, {"error": f"The required object does not exist."},
status=status.HTTP_404_NOT_FOUND, status=status.HTTP_404_NOT_FOUND,
) )
if isinstance(e, KeyError): if isinstance(e, KeyError):
return Response({"error": f"key {e} does not exist"}, status=status.HTTP_400_BAD_REQUEST) return Response({"error": f"The required key does not exist."}, status=status.HTTP_400_BAD_REQUEST)
if settings.DEBUG: if settings.DEBUG:
print(e) print(e)
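Review bot: The KeyError branch in the second hunk (L49–L50) now returns the generic message without recording `e` anywhere on the server side, whereas the matching branch in the first hunk (L35–L36) calls `capture_exception(e)` before returning. Since the client response no longer names the missing key, the capture is the only remaining place that detail is preserved for diagnosis; the `if settings.DEBUG: print(e)` that follows is reached only for other exception types and only in debug. Suggest adding `capture_exception(e)` on the line before the `return Response(...)` at L50, assuming it is imported in this module as it is in the BaseViewSet file. Both handlers start and end outside their hunks.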


@ -85,14 +85,14 @@ class BaseViewSet(TimezoneMixin, ModelViewSet, BasePaginator):
if isinstance(e, ObjectDoesNotExist): if isinstance(e, ObjectDoesNotExist):
model_name = str(exc).split(" matching query does not exist.")[0] model_name = str(exc).split(" matching query does not exist.")[0]
return Response( return Response(
{"error": f"{model_name} does not exist."}, {"error": f"The required object does not exist."},
status=status.HTTP_404_NOT_FOUND, status=status.HTTP_404_NOT_FOUND,
) )
if isinstance(e, KeyError): if isinstance(e, KeyError):
capture_exception(e) capture_exception(e)
return Response( return Response(
{"error": f"key {e} does not exist"}, {"error": "The required key does not exist."},
status=status.HTTP_400_BAD_REQUEST, status=status.HTTP_400_BAD_REQUEST,
) )
@ -172,14 +172,13 @@ class BaseAPIView(TimezoneMixin, APIView, BasePaginator):
) )
if isinstance(e, ObjectDoesNotExist): if isinstance(e, ObjectDoesNotExist):
model_name = str(exc).split(" matching query does not exist.")[0]
return Response( return Response(
{"error": f"{model_name} does not exist."}, {"error": f"The required object does not exist."},
status=status.HTTP_404_NOT_FOUND, status=status.HTTP_404_NOT_FOUND,
) )
if isinstance(e, KeyError): if isinstance(e, KeyError):
return Response({"error": f"key {e} does not exist"}, status=status.HTTP_400_BAD_REQUEST) return Response({"error": "The required key does not exist."}, status=status.HTTP_400_BAD_REQUEST)
if settings.DEBUG: if settings.DEBUG:
print(e) print(e)
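Review bot: L58 keeps `model_name = str(exc).split(" matching query does not exist.")[0]` as an unchanged line even though the new message at L60 no longer uses `model_name`, so the assignment is now dead; the corresponding hunks in the other files delete that line. It also refers to `exc` while the surrounding checks use `e` — if `exc` is not the name bound by the enclosing `except` clause (which is outside the hunk), this line raises NameError inside the handler before the 404 is returned, which cannot be confirmed from the hunk alone. Suggest removing L58 in this hunk to match the other files.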


@ -12,8 +12,8 @@ def search_issues(query, queryset):
fields = ["name", "sequence_id"] fields = ["name", "sequence_id"]
q = Q() q = Q()
for field in fields: for field in fields:
if field == "sequence_id": if field == "sequence_id" and len(query) <= 20:
sequences = re.findall(r"\d+\.\d+|\d+", query) sequences = re.findall(r"[A-Za-z0-9]{1,12}-\d+", query)
for sequence_id in sequences: for sequence_id in sequences:
q |= Q(**{"sequence_id": sequence_id}) q |= Q(**{"sequence_id": sequence_id})
else: else:
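Review bot: The new pattern at L89 returns the whole match (for example `ABC-12`) and L91 passes that string straight into `Q(sequence_id=...)`, whereas the old pattern yielded only the digits; if `sequence_id` is a numeric column this filter will no longer match or will raise on conversion, which the hunk cannot confirm. A capture group keeps the bounded prefix for ReDoS purposes while restoring the old value shape: `sequences = re.findall(r"[A-Za-z0-9]{1,12}-(\d+)", query)`. The added `len(query) <= 20` guard at L88 silently skips sequence matching for longer queries rather than bounding the regex input, so a longer search string containing a valid identifier falls through to `else:`; if that is intended, a one-line comment stating the cap is deliberate would help. `search_issues` starts and ends outside the hunk.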


@ -188,7 +188,7 @@ class BasePaginator:
try: try:
cursor_result = paginator.get_result(limit=per_page, cursor=input_cursor) cursor_result = paginator.get_result(limit=per_page, cursor=input_cursor)
except BadPaginationError as e: except BadPaginationError as e:
raise ParseError(detail=str(e)) raise ParseError(detail="Error in parsing")
# Serialize result according to the on_result function # Serialize result according to the on_result function
if on_results: if on_results:
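Review bot: L100 now discards the original `BadPaginationError` text entirely — `e` is neither logged nor chained — so a malformed cursor becomes undiagnosable server-side, not just hidden from the client. Keeping the chain preserves the detail in tracebacks and error-reporting tools without changing the response body: `raise ParseError(detail="Error in parsing") from e`. The enclosing pagination method starts and ends outside the hunk.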