Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sanitize User Input for Services and Credentials #419

Merged
merged 5 commits into from
Feb 29, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 6 additions & 4 deletions confidant/routes/blind_credentials.py
Original file line number Diff line number Diff line change
Expand Up @@ -188,7 +188,9 @@ def create_blind_credential():
if not isinstance(data.get('metadata', {}), dict):
return jsonify({'error': 'metadata must be a dict'}), 400
for cred in BlindCredential.data_type_date_index.query(
'blind-credential', name__eq=data['name']):
'blind-credential',
filter_condition=BlindCredential.name == data['name']
):
# Conflict, the name already exists
msg = 'Name already exists. See id: {0}'.format(cred.id)
return jsonify({'error': msg, 'reference': cred.id}), 409
Expand All @@ -210,7 +212,7 @@ def create_blind_credential():
cipher_version=data['cipher_version'],
modified_by=authnz.get_logged_in_user(),
documentation=data.get('documentation')
).save(id__null=True)
).save()
# Make this the current revision
cred = BlindCredential(
id=id,
Expand Down Expand Up @@ -344,7 +346,7 @@ def update_blind_credential(id):
cipher_version=update['cipher_version'],
modified_by=authnz.get_logged_in_user(),
documentation=update['documentation']
).save(id__null=True)
).save()
except PutError as e:
logger.error(e)
return jsonify(
Expand Down Expand Up @@ -454,7 +456,7 @@ def revert_blind_credential_to_revision(id, to_revision):
cipher_version=revert_credential.cipher_version,
modified_by=authnz.get_logged_in_user(),
documentation=revert_credential.documentation
).save(id__null=True)
).save()
except PutError as e:
logger.error(e)
return jsonify(
Expand Down
19 changes: 12 additions & 7 deletions confidant/routes/credentials.py
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
import re
import uuid

from flask import blueprints, jsonify, request
from flask import blueprints, escape, jsonify, request
from pynamodb.exceptions import DoesNotExist, PutError

from confidant import authnz, clients, settings
Expand Down Expand Up @@ -616,23 +616,28 @@ def create_credential():
if not _check:
return jsonify(ret), 400
for cred in Credential.data_type_date_index.query(
'credential', name__eq=data['name']):
'credential', filter_condition=Credential.name == data['name']):
# Conflict, the name already exists
msg = 'Name already exists. See id: {0}'.format(cred.id)
return jsonify({'error': msg, 'reference': cred.id}), 409
# Generate an initial stable ID to allow name changes
id = str(uuid.uuid4()).replace('-', '')
# Try to save to the archive
revision = 1
for key, value in credential_pairs.items():
value = escape(value)
credential_pairs[key] = value
credential_pairs = json.dumps(credential_pairs)
data_key = keymanager.create_datakey(encryption_context={'id': id})
cipher = CipherManager(data_key['plaintext'], version=2)
credential_pairs = cipher.encrypt(credential_pairs)
last_rotation_date = misc.utcnow()

sanitized_name = escape(data['name'])
cred = Credential(
id='{0}-{1}'.format(id, revision),
data_type='archive-credential',
name=data['name'],
name=sanitized_name,
credential_pairs=credential_pairs,
metadata=data.get('metadata'),
revision=revision,
Expand All @@ -643,12 +648,12 @@ def create_credential():
documentation=data.get('documentation'),
tags=data.get('tags', []),
last_rotation_date=last_rotation_date,
).save(id__null=True)
).save()
# Make this the current revision
cred = Credential(
id=id,
data_type='credential',
name=data['name'],
name=sanitized_name,
credential_pairs=credential_pairs,
metadata=data.get('metadata'),
revision=revision,
Expand Down Expand Up @@ -882,7 +887,7 @@ def update_credential(id):
documentation=update['documentation'],
tags=update['tags'],
last_rotation_date=update['last_rotation_date'],
).save(id__null=True)
).save()
except PutError as e:
logger.error(e)
return jsonify({'error': 'Failed to add credential to archive.'}), 500
Expand Down Expand Up @@ -1056,7 +1061,7 @@ def revert_credential_to_revision(id, to_revision):
documentation=revert_credential.documentation,
tags=revert_credential.tags,
last_rotation_date=revert_credential.last_rotation_date,
).save(id__null=True)
).save()
except PutError as e:
logger.error(e)
return jsonify({'error': 'Failed to add credential to archive.'}), 500
Expand Down
15 changes: 10 additions & 5 deletions confidant/routes/services.py
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
import logging

from flask import blueprints, jsonify, request
from flask import blueprints, escape, jsonify, request
from pynamodb.exceptions import DoesNotExist, PutError

from confidant import authnz, settings
Expand Down Expand Up @@ -640,24 +640,29 @@ def map_service_credentials(id):
# credential IDs.
filtered_credential_ids = [cred.id for cred in credentials]
# Try to save to the archive

if _service:
service_id = _service.id
else:
service_id = escape(id)
try:
Service(
id='{0}-{1}'.format(id, revision),
id='{0}-{1}'.format(service_id, revision),
data_type='archive-service',
credentials=filtered_credential_ids,
blind_credentials=data.get('blind_credentials'),
account=data.get('account'),
enabled=data.get('enabled'),
revision=revision,
modified_by=authnz.get_logged_in_user()
).save(id__null=True)
).save()
except PutError as e:
logger.error(e)
return jsonify({'error': 'Failed to add service to archive.'}), 500

try:
service = Service(
id=id,
id=service_id,
data_type='service',
credentials=filtered_credential_ids,
blind_credentials=data.get('blind_credentials'),
Expand Down Expand Up @@ -811,7 +816,7 @@ def revert_service_to_revision(id, to_revision):
enabled=revert_service.enabled,
revision=new_revision,
modified_by=authnz.get_logged_in_user()
).save(id__null=True)
).save()
except PutError as e:
logger.error(e)
return jsonify({'error': 'Failed to add service to archive.'}), 500
Expand Down
Loading