
Security: check channel ownership when setting check's channels via API

pull/340/head
Pēteris Caune 5 years ago
parent
commit
fb527e4ed8
No known key found for this signature in database GPG Key ID: E28D7679E9A9EDE2
3 changed files with 15 additions and 2 deletions
  1. +1
    -0
      CHANGELOG.md
  2. +12
    -0
      hc/api/tests/test_update_check.py
  3. +2
    -2
      hc/api/views.py

+ 1
- 0
CHANGELOG.md View File

@ -11,6 +11,7 @@ All notable changes to this project will be documented in this file.
- The "render_docs" command checks if markdown and pygments is installed (#329)
- The team size limit is applied to the n. of distinct users across all projects (#332)
- Don't let SuspiciousOperation bubble up when validating channel ids in API
- Security: check channel ownership when setting check's channels via API
## v1.13.0 - 2020-02-13


+ 12
- 0
hc/api/tests/test_update_check.py View File

@ -157,6 +157,18 @@ class UpdateCheckTestCase(BaseTestCase):
self.check.refresh_from_db()
self.assertEqual(self.check.channel_set.count(), 0)
def test_it_rejects_channel_from_another_project(self):
charlies_channel = Channel.objects.create(project=self.charlies_project)
code = str(charlies_channel.code)
r = self.post(self.check.code, {"api_key": "X" * 32, "channels": code})
self.assertEqual(r.status_code, 400)
self.assertEqual(r.json()["error"], "invalid channel identifier: " + code)
self.check.refresh_from_db()
self.assertEqual(self.check.channel_set.count(), 0)
def test_it_rejects_non_uuid_channel_code(self):
r = self.post(self.check.code, {"api_key": "X" * 32, "channels": "foo"})
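Review bot: The new test posts a single foreign-project code, but not a mixed list of one own-project code and one foreign code, which is the input that would reveal a partial update if the view ever attached channels while still validating the rest; a sibling test posting `own_code + "," + code` (own_code being a channel created under the test's own project) and asserting `r.status_code == 400` and `self.check.channel_set.count() == 0` would pin the all-or-nothing behaviour. From the views.py hunks it appears channels are collected into a list and only assigned after the loop, but that assignment lies outside the diff, so this is inferred rather than confirmed. `test_it_rejects_channel_from_another_project` is complete within the hunk.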


+ 2
- 2
hc/api/views.py View File

@ -100,6 +100,7 @@ def _update(check, spec):
check.channel_set.clear()
else:
channels = []
channel_query = Channel.objects.filter(project=check.project)
for chunk in spec["channels"].split(","):
try:
chunk = uuid.UUID(chunk)
@ -107,8 +108,7 @@ def _update(check, spec):
raise BadChannelException("invalid channel identifier: %s" % chunk)
try:
channel = Channel.objects.get(code=chunk)
channels.append(channel)
channels.append(channel_query.get(code=chunk))
except Channel.DoesNotExist:
raise BadChannelException("invalid channel identifier: %s" % chunk)
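Review bot: The added `channel_query = Channel.objects.filter(project=check.project)` in the first hunk reads like a query-reuse convenience, while it is in fact the ownership check this commit exists for, so it deserves a comment that stops a later refactor from widening it back to `Channel.objects`, e.g. `# Ownership check: only channels belonging to the check's project may be attached; codes from other projects must be treated as non-existent.` In the second hunk, raising the same "invalid channel identifier" message for a foreign-project channel as for an unknown code is the right choice, since the API then does not disclose whether a given code exists in another project's channels; stating that intent in the same comment guards against it being "improved" into a more specific error later. `_update` begins before the first hunk and the use of the collected `channels` list continues after the second, so whether anything is written to the check before the loop completes cannot be confirmed from here.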

