Bypass obfuscation for safe sources

2 years ago · ba3124bd69
parent 38b712ac9a
commit ba3124bd69
6 changed files with 70 additions and 46 deletions
--- a/core/lib/opensearch.py
+++ b/core/lib/opensearch.py
@ -351,6 +351,7 @@ def query_results(
                return {"message": message, "class": message_class}
        else:
            size = 20
+    source = None
    if "source" in query_params:
        source = query_params["source"]
        if source not in settings.OPENSEARCH_MAIN_SOURCES:
@ -378,30 +379,36 @@ def query_results(

    if date_query:
        if settings.DELAY_RESULTS:
-            if request.user.has_perm("core.bypass_delay"):
-                add_top.append(range_query)
-            else:
-                delay_as_ts = datetime.now() - timedelta(days=settings.DELAY_DURATION)
-                lt_as_ts = datetime.strptime(
-                    range_query["range"]["ts"]["lt"], "%Y-%m-%dT%H:%MZ"
-                )
-                if lt_as_ts > delay_as_ts:
-                    range_query["range"]["ts"]["lt"] = f"now-{settings.DELAY_DURATION}d"
-                add_top.append(range_query)
+            if source not in settings.SAFE_SOURCES:
+                if request.user.has_perm("core.bypass_delay"):
+                    add_top.append(range_query)
+                else:
+                    delay_as_ts = datetime.now() - timedelta(
+                        days=settings.DELAY_DURATION
+                    )
+                    lt_as_ts = datetime.strptime(
+                        range_query["range"]["ts"]["lt"], "%Y-%m-%dT%H:%MZ"
+                    )
+                    if lt_as_ts > delay_as_ts:
+                        range_query["range"]["ts"][
+                            "lt"
+                        ] = f"now-{settings.DELAY_DURATION}d"
+                    add_top.append(range_query)
        else:
            add_top.append(range_query)
    else:
        if settings.DELAY_RESULTS:
-            if not request.user.has_perm("core.bypass_delay"):
-                range_query = {
-                    "range": {
-                        "ts": {
-                            # "gt": ,
-                            "lt": f"now-{settings.DELAY_DURATION}d",
+            if source not in settings.SAFE_SOURCES:
+                if not request.user.has_perm("core.bypass_delay"):
+                    range_query = {
+                        "range": {
+                            "ts": {
+                                # "gt": ,
+                                "lt": f"now-{settings.DELAY_DURATION}d",
+                            }
                        }
                    }
-                }
-                add_top.append(range_query)
+                    add_top.append(range_query)

    if "sorting" in query_params:
        sorting = query_params["sorting"]
@ -571,17 +578,18 @@ def query_results(
            dedup_fields = ["msg", "nick", "ident", "host", "net", "channel"]
        results_parsed = dedup_list(results_parsed, dedup_fields)

-    if settings.ENCRYPTION:
-        encrypt_list(request.user, results_parsed, settings.ENCRYPTION_KEY)
+    if source not in settings.SAFE_SOURCES:
+        if settings.ENCRYPTION:
+            encrypt_list(request.user, results_parsed, settings.ENCRYPTION_KEY)

-    if settings.HASHING:
-        hash_list(request.user, results_parsed)
+        if settings.HASHING:
+            hash_list(request.user, results_parsed)

-    if settings.OBFUSCATION:
-        obfuscate_list(request.user, results_parsed)
+        if settings.OBFUSCATION:
+            obfuscate_list(request.user, results_parsed)

-    if settings.RANDOMISATION:
-        randomise_list(request.user, results_parsed)
+        if settings.RANDOMISATION:
+            randomise_list(request.user, results_parsed)

    # process_list(reqults)

@ -596,11 +604,13 @@ def query_results(
    if query:
        context["query"] = query
    if settings.DELAY_RESULTS:
-        if not request.user.has_perm("core.bypass_delay"):
-            context["delay"] = settings.DELAY_DURATION
+        if source not in settings.SAFE_SOURCES:
+            if not request.user.has_perm("core.bypass_delay"):
+                context["delay"] = settings.DELAY_DURATION
    if settings.RANDOMISATION:
-        if not request.user.has_perm("core.bypass_randomisation"):
-            context["randomised"] = True
+        if source not in settings.SAFE_SOURCES:
+            if not request.user.has_perm("core.bypass_randomisation"):
+                context["randomised"] = True
    return context


--- a/core/templates/modals/context.html
+++ b/core/templates/modals/context.html
@ -72,7 +72,7 @@
        <div class="is-active" data-content="1">
          <h4 class="subtitle is-4">Scrollback of {{ channel }} on {{ net }}{{ num }}</h4>
          {% include 'modals/context_table.html' %}
-          {% if user.is_superuser and src == 'irc' %}
+          {% if user.is_superuser and source == 'irc' %}
            <form method="PUT">
              <article class="field has-addons">
                <article class="control is-expanded has-icons-left">
--- a/core/templates/modals/context_table.html
+++ b/core/templates/modals/context_table.html
@ -102,7 +102,7 @@
                        <i class="fa-solid fa-circle"></i>
                      </span>
                    {% endif %}
-                    {% if item.src == 'irc' %}
+                    {% if item.source == 'irc' %}
                      <a
                        hx-headers='{"X-CSRFToken": "{{ csrf_token }}"}'
                        hx-post="{% url 'modal_drilldown' %}"
@ -156,7 +156,7 @@
      hx-post="{% url 'modal_context_table' %}"
      hx-vals='{"net": "{{ net }}",
               "num": "{{ num }}",
-               "src": "{{ src }}",
+               "source": "{{ source }}",
               "channel": "{{ channel }}",
               "time": "{{ time }}",
               "date": "{{ date }}",
--- a/core/templates/ui/drilldown/table_results_partial.html
+++ b/core/templates/ui/drilldown/table_results_partial.html
@ -245,7 +245,7 @@
                                  hx-post="{% url 'modal_context' %}"
                                  hx-vals='{"net": "{{ row.cells.net|escapejs }}",
                                           "num": "{{ row.cells.num|escapejs }}",
-                                           "src": "{{ row.cells.src|escapejs }}",
+                                           "source": "{{ row.cells.src|escapejs }}",
                                           "channel": "{{ row.cells.channel|escapejs }}",
                                           "time": "{{ row.cells.time|escapejs }}",
                                           "date": "{{ row.cells.date|escapejs }}",
@ -256,7 +256,7 @@
                                           "dedup": "{{ params.dedup }}"}'
                                  hx-target="#modals-here" 
                                  hx-trigger="click"
-                                  href="/?modal=context&net={{row.cells.net|escapejs}}&num={{row.cells.num|escapejs}}&src={{row.cells.src|escapejs}}&channel={{row.cells.channel|urlsafe}}&time={{row.cells.time|escapejs}}&date={{row.cells.date|escapejs}}&index={{params.index}}&type={{row.cells.type}}&mtype={{row.cells.mtype}}&nick={{row.cells.mtype|escapejs}}">
+                                  href="/?modal=context&net={{row.cells.net|escapejs}}&num={{row.cells.num|escapejs}}&source={{row.cells.src|escapejs}}&channel={{row.cells.channel|urlsafe}}&time={{row.cells.time|escapejs}}&date={{row.cells.date|escapejs}}&index={{params.index}}&type={{row.cells.type}}&mtype={{row.cells.mtype}}&nick={{row.cells.mtype|escapejs}}">
                                  {{ row.cells.msg }}
                                </a>
                              </td>
--- a/core/views/helpers.py
+++ b/core/views/helpers.py
@ -216,10 +216,12 @@ def hash_lookup(user, data_dict, supplementary_data=None):
    hash_list = SortedSet()
    denied = []
    for key, value in list(data_dict.items()):
-        print("DATA DICT", data_dict)
        if "source" in data_dict:
            if data_dict["source"] in settings.SAFE_SOURCES:
                continue
+        if "src" in data_dict:
+            if data_dict["src"] in settings.SAFE_SOURCES:
+                continue
        if supplementary_data:
            if "source" in supplementary_data:
                if supplementary_data["source"] in settings.SAFE_SOURCES:
--- a/core/views/ui/drilldown.py
+++ b/core/views/ui/drilldown.py
@ -292,7 +292,16 @@ class DrilldownContextModal(APIView):
        nicks_sensitive = None
        query = False
        # Create the query params from the POST arguments
-        mandatory = ["net", "channel", "num", "src", "index", "nick", "type", "mtype"]
+        mandatory = [
+            "net",
+            "channel",
+            "num",
+            "source",
+            "index",
+            "nick",
+            "type",
+            "mtype",
+        ]
        invalid = [None, False, "—", "None"]

        query_params = {k: v for k, v in request.data.items() if v}
@ -306,8 +315,11 @@ class DrilldownContextModal(APIView):

        # Lookup the hash values but don't disclose them to the user
        if settings.HASHING:
-            SAFE_PARAMS = deepcopy(query_params)
-            hash_lookup(request.user, SAFE_PARAMS)
+            if query_params["source"] not in settings.SAFE_SOURCES:
+                SAFE_PARAMS = deepcopy(query_params)
+                hash_lookup(request.user, SAFE_PARAMS)
+            else:
+                SAFE_PARAMS = deepcopy(query_params)
        else:
            SAFE_PARAMS = query_params

@ -346,7 +358,7 @@ class DrilldownContextModal(APIView):
        SAFE_PARAMS["sorting"] = "desc"

        annotate = False
-        if query_params["src"] == "irc":
+        if query_params["source"] == "irc":
            if query_params["type"] not in ["znc", "auth"]:
                annotate = True
        # Create the query with the context helper
@ -354,7 +366,7 @@ class DrilldownContextModal(APIView):
            query_params["index"],
            SAFE_PARAMS["net"],
            SAFE_PARAMS["channel"],
-            query_params["src"],
+            query_params["source"],
            SAFE_PARAMS["num"],
            size,
            type=type,
@ -374,13 +386,13 @@ class DrilldownContextModal(APIView):
            return render(request, self.template_name, results)

        if settings.HASHING:  # we probably want to see the tokens
-            if query_params["src"] not in settings.SAFE_SOURCES:
+            if query_params["source"] not in settings.SAFE_SOURCES:
                if not request.user.has_perm("core.bypass_hashing"):
                    for index, item in enumerate(results["object_list"]):
                        if "tokens" in item:
-                            results["object_list"][index]["msg"] = results["object_list"][
-                                index
-                            ].pop("tokens")
+                            results["object_list"][index]["msg"] = results[
+                                "object_list"
+                            ][index].pop("tokens")
                            # item["msg"] = item.pop("tokens")

        # Make the time nicer
@ -390,7 +402,7 @@ class DrilldownContextModal(APIView):
        context = {
            "net": query_params["net"],
            "channel": query_params["channel"],
-            "src": query_params["src"],
+            "source": query_params["source"],
            "ts": f"{query_params['date']} {query_params['time']}",
            "object_list": results["object_list"],
            "time": query_params["time"],