From e2524799d2abe2ab99d3b78fe7870e679dfa01f5 Mon Sep 17 00:00:00 2001 From: Bavisetti Narayan <72156168+NarayanBavisetti@users.noreply.github.com> Date: Tue, 5 Dec 2023 13:39:09 +0530 Subject: [PATCH] chore: html validation (#2970) * chore: changed api serializers * chore: state status code * chore: removed sorted keys --- apiserver/plane/api/serializers/cycle.py | 5 ++++ apiserver/plane/api/serializers/issue.py | 33 ++++++++++++++++++++-- apiserver/plane/api/serializers/project.py | 1 + apiserver/plane/api/serializers/state.py | 5 ++++ apiserver/plane/api/views/state.py | 2 +- apiserver/plane/app/views/state.py | 2 +- apiserver/plane/bgtasks/webhook_task.py | 2 +- apiserver/plane/utils/issue_filters.py | 2 +- apiserver/requirements/base.txt | 1 + 9 files changed, 47 insertions(+), 6 deletions(-) diff --git a/apiserver/plane/api/serializers/cycle.py b/apiserver/plane/api/serializers/cycle.py index 5895a1bfc..eaff8181a 100644 --- a/apiserver/plane/api/serializers/cycle.py +++ b/apiserver/plane/api/serializers/cycle.py @@ -30,6 +30,11 @@ class CycleSerializer(BaseSerializer): model = Cycle fields = "__all__" read_only_fields = [ + "id", + "created_at", + "updated_at", + "created_by", + "updated_by", "workspace", "project", "owned_by", diff --git a/apiserver/plane/api/serializers/issue.py b/apiserver/plane/api/serializers/issue.py index 10b3a4f85..ab61ae523 100644 --- a/apiserver/plane/api/serializers/issue.py +++ b/apiserver/plane/api/serializers/issue.py @@ -1,3 +1,6 @@ +from lxml import html + + # Django imports from django.utils import timezone @@ -43,7 +46,6 @@ class IssueSerializer(BaseSerializer): class Meta: model = Issue - fields = "__all__" read_only_fields = [ "id", "workspace", @@ -53,6 +55,10 @@ class IssueSerializer(BaseSerializer): "created_at", "updated_at", ] + exclude = [ + "description", + "description_stripped", + ] def validate(self, data): if ( 
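Review bot: The new `from lxml import html` in the `@@ -1,3 +1,6 @@` hunk of apiserver/plane/api/serializers/issue.py is placed above the `# Django imports` comment, so the module now opens with an unlabelled third-party import sitting in front of the Django group. If the file keeps the grouped-import layout the comment suggests, the line reads better under its own `# Third party imports` heading next to whatever other third-party imports the module has (not visible in this hunk). The rest of the import block is outside the hunk.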
@@ -61,6 +67,15 @@ class IssueSerializer(BaseSerializer): and data.get("start_date", None) > data.get("target_date", None) ): raise serializers.ValidationError("Start date cannot exceed target date") + + try: + if(data.get("description_html", None) is not None): + parsed = html.fromstring(data["description_html"]) + parsed_str = html.tostring(parsed, encoding='unicode') + data["description_html"] = parsed_str + + except Exception as e: + raise serializers.ValidationError(f"Invalid HTML: {str(e)}") # Validate assignees are from project if data.get("assignees", []): @@ -292,7 +307,6 @@ class IssueCommentSerializer(BaseSerializer): class Meta: model = IssueComment - fields = "__all__" read_only_fields = [ "id", "workspace", @@ -303,6 +317,21 @@ class IssueCommentSerializer(BaseSerializer): "created_at", "updated_at", ] + exclude = [ + "comment_stripped", + "comment_json", + ] + + def validate(self, data): + try: + if(data.get("comment_html", None) is not None): + parsed = html.fromstring(data["comment_html"]) + parsed_str = html.tostring(parsed, encoding='unicode') + data["comment_html"] = parsed_str + + except Exception as e: + raise serializers.ValidationError(f"Invalid HTML: {str(e)}") + return data class IssueActivitySerializer(BaseSerializer): diff --git a/apiserver/plane/api/serializers/project.py b/apiserver/plane/api/serializers/project.py index 932597799..c394a080d 100644 --- a/apiserver/plane/api/serializers/project.py +++ b/apiserver/plane/api/serializers/project.py @@ -21,6 +21,7 @@ class ProjectSerializer(BaseSerializer): fields = "__all__" read_only_fields = [ "id", + 'emoji', "workspace", "created_at", "updated_at", diff --git a/apiserver/plane/api/serializers/state.py b/apiserver/plane/api/serializers/state.py index 4c7f05ab8..9d08193d8 100644 --- a/apiserver/plane/api/serializers/state.py +++ b/apiserver/plane/api/serializers/state.py 
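Review bot: The guard `if(data.get("description_html", None) is not None):` lets an empty string through to `html.fromstring`, which raises on an empty document, so a client clearing the description is answered with `Invalid HTML: ...` instead of having the empty value accepted; the same pattern is added for `comment_html` in the `@@ -303,6 +317,21 @@` hunk. A truthiness guard, `if data.get("description_html"):`, skips both `None` and `""`. Note also that parse-then-serialise only normalises the markup (lxml repairs unbalanced tags and may wrap a multi-element fragment in a container element), it does not sanitise it — `<script>` elements and event-handler attributes survive the round trip — so if "html validation" is meant to keep active content out of stored descriptions and comments, a sanitiser such as `lxml.html.clean.Cleaner` is still needed before storage or rendering. The broad `except Exception` should chain the cause, `raise serializers.ValidationError("Invalid HTML") from e`; echoing `str(e)` returns lxml's internal parser message to the client, which is harmless but noisy. `validate` begins before this hunk and continues after it.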
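Review bot: `'emoji',` is the only single-quoted entry in `read_only_fields` in the apiserver/plane/api/serializers/project.py hunk; every surrounding entry uses double quotes, so `"emoji",` keeps the list consistent and matches what an auto-formatter would emit. The rest of the `Meta` class is outside the hunk.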
@@ -16,6 +16,11 @@ class StateSerializer(BaseSerializer): model = State fields = "__all__" read_only_fields = [ + "id", + "created_by", + "updated_by", + "created_at", + "updated_at", "workspace", "project", ] diff --git a/apiserver/plane/api/views/state.py b/apiserver/plane/api/views/state.py index 679c12964..3d2861778 100644 --- a/apiserver/plane/api/views/state.py +++ b/apiserver/plane/api/views/state.py @@ -64,7 +64,7 @@ class StateAPIEndpoint(BaseAPIView): ) if state.default: - return Response({"error": "Default state cannot be deleted"}, status=False) + return Response({"error": "Default state cannot be deleted"}, status=status.HTTP_400_BAD_REQUEST) # Check for any issues in the state issue_exist = Issue.issue_objects.filter(state=state_id).exists() diff --git a/apiserver/plane/app/views/state.py b/apiserver/plane/app/views/state.py index 5867edb68..f7226ba6e 100644 --- a/apiserver/plane/app/views/state.py +++ b/apiserver/plane/app/views/state.py @@ -77,7 +77,7 @@ class StateViewSet(BaseViewSet): ) if state.default: - return Response({"error": "Default state cannot be deleted"}, status=False) + return Response({"error": "Default state cannot be deleted"}, status=status.HTTP_400_BAD_REQUEST) # Check for any issues in the state issue_exist = Issue.issue_objects.filter(state=pk).exists() diff --git a/apiserver/plane/bgtasks/webhook_task.py b/apiserver/plane/bgtasks/webhook_task.py index f5ee96256..3681f002d 100644 --- a/apiserver/plane/bgtasks/webhook_task.py +++ b/apiserver/plane/bgtasks/webhook_task.py @@ -109,7 +109,7 @@ def webhook_task(self, webhook, slug, event, event_data, action): if webhook.secret_key: hmac_signature = hmac.new( webhook.secret_key.encode("utf-8"), - json.dumps(payload, sort_keys=True).encode("utf-8"), + json.dumps(payload).encode("utf-8"), hashlib.sha256, ) signature = hmac_signature.hexdigest() diff --git a/apiserver/plane/utils/issue_filters.py b/apiserver/plane/utils/issue_filters.py index 75437fbee..2da24092a 100644 
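Review bot: The replacement `status=status.HTTP_400_BAD_REQUEST` in apiserver/plane/api/views/state.py relies on `status` being bound in that module (`from rest_framework import status`), which this hunk does not show; a missing name would only surface at runtime, as a `NameError` on the delete-default-state path, so it is worth confirming the import is present. The same applies to the matching hunk in apiserver/plane/app/views/state.py. Both enclosing methods begin before and continue after their hunks.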
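Review bot: Dropping `sort_keys=True` only fixes signature mismatches if the bytes signed here are exactly the bytes put on the wire; the request body is produced outside this hunk, and if the HTTP client serialises `payload` again, separators, escaping or key order can still differ, so a receiver verifying the HMAC over the raw body will reject it. The robust form serialises once and sends those bytes: `body = json.dumps(payload).encode("utf-8")`, `hmac_signature = hmac.new(webhook.secret_key.encode("utf-8"), body, hashlib.sha256)`, then `data=body` with an explicit `application/json` content type. A comment such as `# sign exactly the bytes sent; any re-serialisation breaks receiver verification` would record why the two must not diverge. `webhook_task` begins before this hunk and continues after it.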
--- a/apiserver/plane/utils/issue_filters.py +++ b/apiserver/plane/utils/issue_filters.py @@ -63,7 +63,7 @@ def date_filter(filter, date_term, queries): duration=int(digit), subsequent=date_query[1], term=term, - date_filter="created_at__date", + date_filter=date_term, offset=date_query[2], ) else: diff --git a/apiserver/requirements/base.txt b/apiserver/requirements/base.txt index 5342da85d..b6059bcd5 100644 --- a/apiserver/requirements/base.txt +++ b/apiserver/requirements/base.txt @@ -38,3 +38,4 @@ beautifulsoup4==4.12.2 dj-database-url==2.1.0 posthog==3.0.2 cryptography==41.0.5 +lxml==4.9.3