
more user input sanitation #3204

Merged (1 commit, Jun 16, 2022)
Conversation

matmair (Contributor) commented Jun 15, 2022

This PR:

Changes all APIs that inherit from the generic classes to use built-in shims as a base - this will enable us to make changes to them easier
Adds a new mixin on all api views that change data to clean the user input using Mozilla's bleach
Updates all custom create() and update() functions in the API views to only use cleaned user data

* use shims for API view inheritation

* Add mixin for input sanitation

* fix clean operation to fix all string values

* Also clean up dicts
this is to future-proof this function

* Update docstring

* proof custom methods against XSS through authenticated users
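The three changes the PR describes (a mixin that cleans every string in the incoming payload, recursion into nested dicts and lists, and custom create()/update() methods that only ever touch the cleaned copy) can be illustrated with the following added example. It is not InvenTree's own mixins.py code; the class names, the FakeRequest stand-in and the view are hypothetical. It also assumes a stand-in cleaner: the project uses bleach.clean(), which escapes or strips markup, while here html.escape() plays that role so the snippet runs without bleach installed.

```python
"""Added example: a recursive request-payload cleaner and a view mixin built
on it. Not InvenTree code; names and the request stand-in are hypothetical."""
import html
from dataclasses import dataclass, field
from typing import Any


def clean_string(value: str) -> str:
    """Neutralise markup in one string.

    Assumption: stand-in for bleach.clean(value). html.escape turns <, >, &,
    and both quote characters into entities, so the stored text can no longer
    be interpreted as tags or attribute breakouts when rendered.
    """
    return html.escape(value, quote=True)


def clean_data(data: Any) -> Any:
    """Walk a payload and clean every str it contains.

    Strings are cleaned, dicts and lists/tuples are rebuilt with cleaned
    children (the "also clean up dicts" step), and any other type (int,
    float, bool, None) passes through unchanged so numeric fields keep
    their type for the serializer.
    """
    if isinstance(data, str):
        return clean_string(data)
    if isinstance(data, dict):
        return {key: clean_data(val) for key, val in data.items()}
    if isinstance(data, (list, tuple)):
        return type(data)(clean_data(item) for item in data)
    return data


class CleanMixin:
    """Mixin for API views that accept user data (hypothetical name).

    A view mixes this in and calls self.clean_data(request.data) before
    handing the payload to a serializer, instead of reading request.data
    directly in its custom create()/update().
    """

    def clean_data(self, data: Any) -> Any:
        return clean_data(data)


@dataclass
class FakeRequest:
    """Minimal stand-in for a DRF Request so the example runs offline."""
    data: dict = field(default_factory=dict)


class PartCreateView(CleanMixin):
    """Hypothetical view whose custom create() only uses cleaned input."""

    def create(self, request: FakeRequest) -> dict:
        data = self.clean_data(request.data)
        # In the real project `data` would now be passed to the serializer;
        # here we return it so the effect of the cleaning is visible.
        return data


if __name__ == "__main__":
    # Constructed sample payload, not captured traffic.
    sample = FakeRequest(
        data={
            "name": "<script>alert(1)</script>",
            "quantity": 3,
            "notes": ['<img src=x onerror="alert(2)">', "plain text"],
            "supplier": {"name": "Acme <b>Ltd</b>", "active": True},
        }
    )
    print(PartCreateView().create(sample))
```

Two practical points follow from this layout. First, because the cleaner recurses, adding a nested field to a serializer later does not require touching the mixin, which is the "future-proof" property the commit message mentions. Second, input cleaning is one layer; templates and API clients should still encode on output, since the cleaner only sees data that arrives through these views.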
@matmair matmair self-assigned this Jun 15, 2022
@matmair matmair added enhancement This is a suggested enhancement or new feature api Relates to the API security Relates to a security issue labels Jun 15, 2022
@matmair matmair added this to the 0.7.3 milestone Jun 15, 2022
@matmair matmair marked this pull request as ready for review June 15, 2022 23:12
SchrodingersGat (Member) left a comment


Very nice work @matmair - a clean implementation that will serve us well.

Review comments (resolved) on: InvenTree/InvenTree/mixins.py, InvenTree/order/api.py
matmair (Contributor, Author) commented Jun 15, 2022

@SchrodingersGat ready to merge now!

@SchrodingersGat SchrodingersGat merged commit e83995b into inventree:master Jun 16, 2022
@matmair matmair deleted the bleach branch June 16, 2022 00:08
@SchrodingersGat SchrodingersGat modified the milestones: 0.7.3, 0.8.0 Jun 16, 2022