blacklist certain sensitive fields and relations as search arguments

see: #5465 see: #5478
2026-03-27 11:13:37 -05:00 · 2017-02-21 12:18:40 -05:00
parent 0a5b43acae
commit d24fb32358
13 changed files with 99 additions and 32 deletions
--- a/awx/api/filters.py
+++ b/awx/api/filters.py
@@ -89,7 +89,8 @@ class FieldLookupBackend(BaseFilterBackend):
        # those lookups combined with request.user.get_queryset(Model) to make
        # sure user cannot query using objects he could not view.
        new_parts = []
-        for n, name in enumerate(parts[:-1]):
+
+        for name in parts[:-1]:
            # HACK: Make project and inventory source filtering by old field names work for backwards compatibility.
            if model._meta.object_name in ('Project', 'InventorySource'):
                name = {
@@ -111,6 +112,10 @@ class FieldLookupBackend(BaseFilterBackend):
                field = model._meta.pk
            else:
                field = model._meta.get_field_by_name(name)[0]
+                if isinstance(field, ForeignObjectRel) and getattr(field.field, '__prevent_search__', False):
+                    raise PermissionDenied('Filtering on %s is not allowed.' % name)
+                elif getattr(field, '__prevent_search__', False):
+                    raise PermissionDenied('Filtering on %s is not allowed.' % name)
            model = getattr(field, 'related_model', None) or field.model

        if parts:
--- a/awx/api/generics.py
+++ b/awx/api/generics.py
@@ -26,6 +26,7 @@ from rest_framework import status
 from rest_framework import views

 # AWX
+from awx.api.filters import FieldLookupBackend
 from awx.main.models import *  # noqa
 from awx.main.utils import * # noqa
 from awx.api.serializers import ResourceAccessListElementSerializer
@@ -297,7 +298,16 @@ class ListAPIView(generics.ListAPIView, GenericAPIView):
            if relationship.related_model._meta.app_label != 'main':
                continue
            fields.append('{}__search'.format(relationship.name))
-        return fields
+
+        allowed_fields = []
+        for field in fields:
+            try:
+                FieldLookupBackend().get_field_from_lookup(self.model, field)
+            except PermissionDenied:
+                pass
+            else:
+                allowed_fields.append(field)
+        return allowed_fields


 class ListCreateAPIView(ListAPIView, generics.ListCreateAPIView):