From 070c7d6dfa8492b310197a4f8ee468d4412a1a84 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petra=20C=CC=8Ci=CC=81halova=CC=81?=
Date: Wed, 24 Jul 2024 20:01:17 +0200
Subject: [PATCH 1/2] improve logs for internal endspoint for roles and permissions removal
---
 rbac/internal/views.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rbac/internal/views.py b/rbac/internal/views.py
index b8b9281a..d05ec2d6 100644
--- a/rbac/internal/views.py
+++ b/rbac/internal/views.py
@@ -418,9 +418,9 @@ def role_removal(request):
 role_obj = get_object_or_404(Role, name=role_name, tenant=Tenant.objects.get(tenant_name="public"))
 with transaction.atomic():
 try:
- logger.warning(f"Deleting role {role_name}. Requested by {request.user.username}")
+ logger.warning(f"Deleting role '{role_name}'. Requested by '{request.user.username}'")
 role_obj.delete()
- return HttpResponse(status=204)
+ return HttpResponse(f"Role '{role_name}' deleted.", status=204)
 except Exception:
 return HttpResponse("Role cannot be deleted.", status=400)
 return HttpResponse('Invalid method, only "DELETE" is allowed.', status=405)
@@ -446,9 +446,9 @@ def permission_removal(request):
 permission_obj = get_object_or_404(Permission, permission=permission)
 with transaction.atomic():
 try:
- logger.warning(f"Deleting permission {permission}. Requested by {request.user.username}")
+ logger.warning(f"Deleting permission '{permission}'. Requested by '{request.user.username}'")
 permission_obj.delete()
- return HttpResponse(status=204)
+ return HttpResponse(f"Permission '{permission}' deleted.", status=204)
 except Exception:
 return HttpResponse("Permission cannot be deleted.", status=400)
 return HttpResponse('Invalid method, only "DELETE" is allowed.', status=405)
From 19e2a9de151b03d732e66287e570a9f64e3836b7 Mon Sep 17 00:00:00 2001
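Review bot: `return HttpResponse(f"Role '{role_name}' deleted.", status=204)` puts a body on a 204 response, which HTTP defines as No Content; Django itself does not strip it, so clients and intermediaries may discard or reject the message. The body also reflects the caller-supplied `role_name` query parameter into a response whose default content type is text/html, which is the reflected-XSS surface the follow-up patch then tries to close by escaping the input. Either keep the 204 empty as before, or return the confirmation as plain text with a 200, e.g. `return HttpResponse(f"Role '{role_name}' deleted.", status=200, content_type="text/plain")`. Separately, the `except Exception:` branch still discards why the delete failed; `logger.exception("Role '%s' could not be deleted", role_name)` before the 400 return would record it. The same applies to the permission_removal hunk, and both function bodies start outside their hunks.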
From: =?UTF-8?q?Petra=20C=CC=8Ci=CC=81halova=CC=81?=
Date: Wed, 24 Jul 2024 20:17:04 +0200
Subject: [PATCH 2/2] excape the query imput to prevent the Cross-site Scripting vulnerability
---
 rbac/internal/views.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rbac/internal/views.py b/rbac/internal/views.py
index d05ec2d6..6220d816 100644
--- a/rbac/internal/views.py
+++ b/rbac/internal/views.py
@@ -25,6 +25,7 @@
 from django.db.migrations.recorder import MigrationRecorder
 from django.http import HttpResponse
 from django.shortcuts import get_object_or_404
+from django.utils.html import escape
 from management.cache import TenantCache
 from management.models import Group, Permission, Role
 from management.principal.proxy import (
@@ -414,6 +415,7 @@ def role_removal(request):
 'Invalid request, must supply the "name" query parameter.',
 status=400,
 )
+ role_name = escape(role_name)
 # Add tenant public to prevent deletion of custom roles
 role_obj = get_object_or_404(Role, name=role_name, tenant=Tenant.objects.get(tenant_name="public"))
 with transaction.atomic():
@@ -443,6 +445,7 @@ def permission_removal(request):
 status=400,
 )

+permission = escape(permission)
 permission_obj = get_object_or_404(Permission, permission=permission)
 with transaction.atomic():
 try:
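Review bot: `role_name = escape(role_name)` HTML-escapes the value before it is used as the ORM lookup key in `get_object_or_404(Role, name=role_name, ...)`, so a role whose name contains `&`, `<`, `>`, `"` or `'` no longer matches and the endpoint answers 404 instead of deleting it. Escaping belongs at the output boundary rather than on the input: the ORM lookup is already parameterized, and the exposure introduced by the previous patch is the reflection of `role_name` into a text/html response body. Keep the raw value for the lookup and escape only where it is rendered, i.e. `escape(role_name)` inside the response f-string, or give that response `content_type="text/plain"` so there is no HTML context at all (the response line itself is outside this hunk). The same applies to `permission = escape(permission)` in the permission_removal hunk, and both function bodies extend beyond their hunks.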