prohibit order_by= for sensitive fields

see: #5526
2026-05-17 18:18:35 -05:00 · 2017-02-23 15:22:08 -05:00
parent 053ecd1093
commit f4d4c43d94
3 changed files with 45 additions and 0 deletions
@@ -339,6 +339,21 @@ def test_list_created_org_credentials(post, get, organization, org_admin, org_me
    assert response.data['count'] == 0


+@pytest.mark.parametrize('order_by', ('password', '-password', 'password,pk', '-password,pk'))
+@pytest.mark.django_db
+def test_list_cannot_order_by_encrypted_field(post, get, organization, org_admin, order_by):
+    for i, password in enumerate(('abc', 'def', 'xyz')):
+        response = post(reverse('api:credential_list'), {
+            'organization': organization.id,
+            'name': 'C%d' % i,
+            'password': password
+        }, org_admin)
+
+    response = get(reverse('api:credential_list'), org_admin,
+                   QUERY_STRING='order_by=%s' % order_by, status=400)
+    assert response.status_code == 400
+
+
 #
 # Openstack Credentials
 #
@@ -35,6 +35,21 @@ def test_edit_inventory(put, inventory, alice, role_field, expected_status_code)
    put(reverse('api:inventory_detail', args=(inventory.id,)), data, alice, expect=expected_status_code)


+@pytest.mark.parametrize('order_by', ('script', '-script', 'script,pk', '-script,pk'))
+@pytest.mark.django_db
+def test_list_cannot_order_by_unsearchable_field(get, organization, alice, order_by):
+    for i, script in enumerate(('#!/bin/a', '#!/bin/b', '#!/bin/c')):
+        custom_script = organization.custom_inventory_scripts.create(
+            name="I%d" % i,
+            script=script
+        )
+        custom_script.admin_role.members.add(alice)
+
+    response = get(reverse('api:inventory_script_list'), alice,
+                   QUERY_STRING='order_by=%s' % order_by, status=400)
+    assert response.status_code == 400
+
+
@pytest.mark.parametrize("role_field,expected_status_code", [
    (None, 403),
    ('admin_role', 201),