Bypass obfuscation for safe sources

This commit is contained in:
Mark Veidemanis 2022-08-30 10:30:17 +01:00
parent 38b712ac9a
commit ba3124bd69
Signed by: m
GPG Key ID: 5ACFCEED46C0904F
6 changed files with 70 additions and 46 deletions

View File

@ -351,6 +351,7 @@ def query_results(
return {"message": message, "class": message_class}
else:
size = 20
source = None
if "source" in query_params:
source = query_params["source"]
if source not in settings.OPENSEARCH_MAIN_SOURCES:
@ -378,30 +379,36 @@ def query_results(
if date_query:
if settings.DELAY_RESULTS:
if request.user.has_perm("core.bypass_delay"):
add_top.append(range_query)
else:
delay_as_ts = datetime.now() - timedelta(days=settings.DELAY_DURATION)
lt_as_ts = datetime.strptime(
range_query["range"]["ts"]["lt"], "%Y-%m-%dT%H:%MZ"
)
if lt_as_ts > delay_as_ts:
range_query["range"]["ts"]["lt"] = f"now-{settings.DELAY_DURATION}d"
add_top.append(range_query)
if source not in settings.SAFE_SOURCES:
if request.user.has_perm("core.bypass_delay"):
add_top.append(range_query)
else:
delay_as_ts = datetime.now() - timedelta(
days=settings.DELAY_DURATION
)
lt_as_ts = datetime.strptime(
range_query["range"]["ts"]["lt"], "%Y-%m-%dT%H:%MZ"
)
if lt_as_ts > delay_as_ts:
range_query["range"]["ts"][
"lt"
] = f"now-{settings.DELAY_DURATION}d"
add_top.append(range_query)
else:
add_top.append(range_query)
else:
if settings.DELAY_RESULTS:
if not request.user.has_perm("core.bypass_delay"):
range_query = {
"range": {
"ts": {
# "gt": ,
"lt": f"now-{settings.DELAY_DURATION}d",
if source not in settings.SAFE_SOURCES:
if not request.user.has_perm("core.bypass_delay"):
range_query = {
"range": {
"ts": {
# "gt": ,
"lt": f"now-{settings.DELAY_DURATION}d",
}
}
}
}
add_top.append(range_query)
add_top.append(range_query)
if "sorting" in query_params:
sorting = query_params["sorting"]
@ -571,17 +578,18 @@ def query_results(
dedup_fields = ["msg", "nick", "ident", "host", "net", "channel"]
results_parsed = dedup_list(results_parsed, dedup_fields)
if settings.ENCRYPTION:
encrypt_list(request.user, results_parsed, settings.ENCRYPTION_KEY)
if source not in settings.SAFE_SOURCES:
if settings.ENCRYPTION:
encrypt_list(request.user, results_parsed, settings.ENCRYPTION_KEY)
if settings.HASHING:
hash_list(request.user, results_parsed)
if settings.HASHING:
hash_list(request.user, results_parsed)
if settings.OBFUSCATION:
obfuscate_list(request.user, results_parsed)
if settings.OBFUSCATION:
obfuscate_list(request.user, results_parsed)
if settings.RANDOMISATION:
randomise_list(request.user, results_parsed)
if settings.RANDOMISATION:
randomise_list(request.user, results_parsed)
# process_list(reqults)
@ -596,11 +604,13 @@ def query_results(
if query:
context["query"] = query
if settings.DELAY_RESULTS:
if not request.user.has_perm("core.bypass_delay"):
context["delay"] = settings.DELAY_DURATION
if source not in settings.SAFE_SOURCES:
if not request.user.has_perm("core.bypass_delay"):
context["delay"] = settings.DELAY_DURATION
if settings.RANDOMISATION:
if not request.user.has_perm("core.bypass_randomisation"):
context["randomised"] = True
if source not in settings.SAFE_SOURCES:
if not request.user.has_perm("core.bypass_randomisation"):
context["randomised"] = True
return context

View File

@ -72,7 +72,7 @@
<div class="is-active" data-content="1">
<h4 class="subtitle is-4">Scrollback of {{ channel }} on {{ net }}{{ num }}</h4>
{% include 'modals/context_table.html' %}
{% if user.is_superuser and src == 'irc' %}
{% if user.is_superuser and source == 'irc' %}
<form method="PUT">
<article class="field has-addons">
<article class="control is-expanded has-icons-left">

View File

@ -102,7 +102,7 @@
<i class="fa-solid fa-circle"></i>
</span>
{% endif %}
{% if item.src == 'irc' %}
{% if item.source == 'irc' %}
<a
hx-headers='{"X-CSRFToken": "{{ csrf_token }}"}'
hx-post="{% url 'modal_drilldown' %}"
@ -156,7 +156,7 @@
hx-post="{% url 'modal_context_table' %}"
hx-vals='{"net": "{{ net }}",
"num": "{{ num }}",
"src": "{{ src }}",
"source": "{{ source }}",
"channel": "{{ channel }}",
"time": "{{ time }}",
"date": "{{ date }}",

View File

@ -245,7 +245,7 @@
hx-post="{% url 'modal_context' %}"
hx-vals='{"net": "{{ row.cells.net|escapejs }}",
"num": "{{ row.cells.num|escapejs }}",
"src": "{{ row.cells.src|escapejs }}",
"source": "{{ row.cells.src|escapejs }}",
"channel": "{{ row.cells.channel|escapejs }}",
"time": "{{ row.cells.time|escapejs }}",
"date": "{{ row.cells.date|escapejs }}",
@ -256,7 +256,7 @@
"dedup": "{{ params.dedup }}"}'
hx-target="#modals-here"
hx-trigger="click"
href="/?modal=context&net={{row.cells.net|escapejs}}&num={{row.cells.num|escapejs}}&src={{row.cells.src|escapejs}}&channel={{row.cells.channel|urlsafe}}&time={{row.cells.time|escapejs}}&date={{row.cells.date|escapejs}}&index={{params.index}}&type={{row.cells.type}}&mtype={{row.cells.mtype}}&nick={{row.cells.mtype|escapejs}}">
href="/?modal=context&net={{row.cells.net|escapejs}}&num={{row.cells.num|escapejs}}&source={{row.cells.src|escapejs}}&channel={{row.cells.channel|urlsafe}}&time={{row.cells.time|escapejs}}&date={{row.cells.date|escapejs}}&index={{params.index}}&type={{row.cells.type}}&mtype={{row.cells.mtype}}&nick={{row.cells.mtype|escapejs}}">
{{ row.cells.msg }}
</a>
</td>

View File

@ -216,10 +216,12 @@ def hash_lookup(user, data_dict, supplementary_data=None):
hash_list = SortedSet()
denied = []
for key, value in list(data_dict.items()):
print("DATA DICT", data_dict)
if "source" in data_dict:
if data_dict["source"] in settings.SAFE_SOURCES:
continue
if "src" in data_dict:
if data_dict["src"] in settings.SAFE_SOURCES:
continue
if supplementary_data:
if "source" in supplementary_data:
if supplementary_data["source"] in settings.SAFE_SOURCES:

View File

@ -292,7 +292,16 @@ class DrilldownContextModal(APIView):
nicks_sensitive = None
query = False
# Create the query params from the POST arguments
mandatory = ["net", "channel", "num", "src", "index", "nick", "type", "mtype"]
mandatory = [
"net",
"channel",
"num",
"source",
"index",
"nick",
"type",
"mtype",
]
invalid = [None, False, "", "None"]
query_params = {k: v for k, v in request.data.items() if v}
@ -306,8 +315,11 @@ class DrilldownContextModal(APIView):
# Lookup the hash values but don't disclose them to the user
if settings.HASHING:
SAFE_PARAMS = deepcopy(query_params)
hash_lookup(request.user, SAFE_PARAMS)
if query_params["source"] not in settings.SAFE_SOURCES:
SAFE_PARAMS = deepcopy(query_params)
hash_lookup(request.user, SAFE_PARAMS)
else:
SAFE_PARAMS = deepcopy(query_params)
else:
SAFE_PARAMS = query_params
@ -346,7 +358,7 @@ class DrilldownContextModal(APIView):
SAFE_PARAMS["sorting"] = "desc"
annotate = False
if query_params["src"] == "irc":
if query_params["source"] == "irc":
if query_params["type"] not in ["znc", "auth"]:
annotate = True
# Create the query with the context helper
@ -354,7 +366,7 @@ class DrilldownContextModal(APIView):
query_params["index"],
SAFE_PARAMS["net"],
SAFE_PARAMS["channel"],
query_params["src"],
query_params["source"],
SAFE_PARAMS["num"],
size,
type=type,
@ -374,13 +386,13 @@ class DrilldownContextModal(APIView):
return render(request, self.template_name, results)
if settings.HASHING: # we probably want to see the tokens
if query_params["src"] not in settings.SAFE_SOURCES:
if query_params["source"] not in settings.SAFE_SOURCES:
if not request.user.has_perm("core.bypass_hashing"):
for index, item in enumerate(results["object_list"]):
if "tokens" in item:
results["object_list"][index]["msg"] = results["object_list"][
index
].pop("tokens")
results["object_list"][index]["msg"] = results[
"object_list"
][index].pop("tokens")
# item["msg"] = item.pop("tokens")
# Make the time nicer
@ -390,7 +402,7 @@ class DrilldownContextModal(APIView):
context = {
"net": query_params["net"],
"channel": query_params["channel"],
"src": query_params["src"],
"source": query_params["source"],
"ts": f"{query_params['date']} {query_params['time']}",
"object_list": results["object_list"],
"time": query_params["time"],