Merge pull request #5495 from ryanpetrello/blacklist_sensitive_search_keys

blacklist certain sensitive fields and relations as search arguments
2026-04-28 02:41:49 -05:00 · 2017-02-22 10:28:03 -05:00
parent 9e2e119022 73a5a1e61e
commit fe053dca83
13 changed files with 101 additions and 33 deletions
--- a/awx/api/filters.py
+++ b/awx/api/filters.py
@@ -13,6 +13,7 @@ from django.db.models.fields.related import ForeignObjectRel, ManyToManyField, F
 from django.contrib.contenttypes.models import ContentType
 from django.contrib.contenttypes.fields import GenericForeignKey
 from django.utils.encoding import force_text
+from django.utils.translation import ugettext_lazy as _

 # Django REST Framework
 from rest_framework.exceptions import ParseError, PermissionDenied
@@ -89,7 +90,8 @@ class FieldLookupBackend(BaseFilterBackend):
        # those lookups combined with request.user.get_queryset(Model) to make
        # sure user cannot query using objects he could not view.
        new_parts = []
-        for n, name in enumerate(parts[:-1]):
+
+        for name in parts[:-1]:
            # HACK: Make project and inventory source filtering by old field names work for backwards compatibility.
            if model._meta.object_name in ('Project', 'InventorySource'):
                name = {
@@ -106,11 +108,15 @@ class FieldLookupBackend(BaseFilterBackend):
                new_parts.append(name)

            if name in getattr(model, 'PASSWORD_FIELDS', ()):
-                raise PermissionDenied('Filtering on password fields is not allowed.')
+                raise PermissionDenied(_('Filtering on password fields is not allowed.'))
            elif name == 'pk':
                field = model._meta.pk
            else:
                field = model._meta.get_field_by_name(name)[0]
+                if isinstance(field, ForeignObjectRel) and getattr(field.field, '__prevent_search__', False):
+                    raise PermissionDenied(_('Filtering on %s is not allowed.' % name))
+                elif getattr(field, '__prevent_search__', False):
+                    raise PermissionDenied(_('Filtering on %s is not allowed.' % name))
            model = getattr(field, 'related_model', None) or field.model

        if parts:
--- a/awx/api/generics.py
+++ b/awx/api/generics.py
@@ -26,6 +26,7 @@ from rest_framework import status
 from rest_framework import views

 # AWX
+from awx.api.filters import FieldLookupBackend
 from awx.main.models import *  # noqa
 from awx.main.utils import * # noqa
 from awx.api.serializers import ResourceAccessListElementSerializer
@@ -300,7 +301,16 @@ class ListAPIView(generics.ListAPIView, GenericAPIView):
            if relationship.related_model._meta.app_label != 'main':
                continue
            fields.append('{}__search'.format(relationship.name))
-        return fields
+
+        allowed_fields = []
+        for field in fields:
+            try:
+                FieldLookupBackend().get_field_from_lookup(self.model, field)
+            except PermissionDenied:
+                pass
+            else:
+                allowed_fields.append(field)
+        return allowed_fields


 class ListCreateAPIView(ListAPIView, generics.ListCreateAPIView):