-
Notifications
You must be signed in to change notification settings - Fork 117
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security] Changing related objects #171
Comments
Hi @regqueryvalueex |
Also, it will help a lot of you can create a pull request with the set of tests that describe the bug. |
I came across this issue recently and I've been thinking of a way to fix it. The proposed solution seems reasonable. Another option is to add a filter_queryset() method that excludes from updates by default child instances that are not related to parent. |
As mentioned here - #83, this package have a security issues, however original issue does not list them all
I created a simple repo with examples of issues - https://github.com/regqueryvalueex/nested-serializer-issues-example-, so pls consider this, because this is very important. You can find tests, that illustrates issues here - https://github.com/regqueryvalueex/nested-serializer-issues-example-/tree/master/example/tests
I'll describe it as well here and propose a solution.
models.py
conftest.py
Example of direct relations changing
direct_relation_serializers.py
test_updating_parent_instance.py
Issue here - it's possible via serializer for comment update parent meeting, also it's possible to change meeting that is related to other comment if you just pass pk of the other meeting. There should be a validation, that ensure, that comment belongs to that meeting. Personally i believe, that modifying objects via direct relations is bad idea by itself, because, generally you want to do it the other way around, but it seems like it intended feature.
Example of reversed relations changing
reversed_relation_serializers.py
test_reassigning_relations.py
This is the exact issue, mentioned here - #83
It's possible to steel comments from other meetings just by passing pk from existing comment. This also should be validation, that comment belongs to the meeting
pls also consider validation for M2M fields.
Proposal: Add the validation, so package wont automatically reassign relations. This should be default behaviour, since most of the people, who use it will use it on default settings, because they are unaware of such issues, so their project will have security vulnerabilities
The text was updated successfully, but these errors were encountered: