Harden security

2026-03-05 05:42:19 +00:00
parent 06735bdfb1
commit 438e561da0
75 changed files with 6260 additions and 278 deletions
--- a/core/views/signal.py
+++ b/core/views/signal.py
@@ -17,6 +17,28 @@ from core.presence import latest_state_for_people
 from core.views.manage.permissions import SuperUserRequiredMixin


+def _safe_json_list(text_value):
+    try:
+        payload = orjson.loads(text_value)
+    except orjson.JSONDecodeError:
+        return []
+    return payload if isinstance(payload, list) else []
+
+
+def _sanitize_signal_rows(rows):
+    safe_rows = []
+    for row in rows:
+        if not isinstance(row, dict):
+            continue
+        safe_row = {}
+        for key, value in row.items():
+            if isinstance(key, str) and len(key) <= 100:
+                if isinstance(value, (str, int, float, bool)) or value is None:
+                    safe_row[key] = value
+        safe_rows.append(safe_row)
+    return safe_rows
+
+
 class CustomObjectRead(ObjectRead):
    def post(self, request, *args, **kwargs):
        self.request = request
@@ -171,21 +193,28 @@ class SignalContactsList(SuperUserRequiredMixin, ObjectList):
    list_url_args = ["type", "pk"]

    def get_queryset(self, *args, **kwargs):
-        # url = signal:8080/v1/accounts
-        # /v1/configuration/{number}/settings
-        # /v1/identities/{number}
-        # /v1/contacts/{number}
-        # response = requests.get(
-        #     f"http://signal:8080/v1/configuration/{self.kwargs['pk']}/settings"
-        # )
-        # config = orjson.loads(response.text)
-
        base = getattr(settings, "SIGNAL_HTTP_URL", "http://signal:8080").rstrip("/")
-        response = requests.get(f"{base}/v1/identities/{self.kwargs['pk']}")
-        identities = orjson.loads(response.text)
+        try:
+            response = requests.get(
+                f"{base}/v1/identities/{self.kwargs['pk']}", timeout=15
+            )
+            response.raise_for_status()
+            identities = _sanitize_signal_rows(response.json() or [])
+        except requests.RequestException:
+            identities = []
+        except ValueError:
+            identities = []

-        response = requests.get(f"{base}/v1/contacts/{self.kwargs['pk']}")
-        contacts = orjson.loads(response.text)
+        try:
+            response = requests.get(
+                f"{base}/v1/contacts/{self.kwargs['pk']}", timeout=15
+            )
+            response.raise_for_status()
+            contacts = _sanitize_signal_rows(response.json() or [])
+        except requests.RequestException:
+            contacts = []
+        except ValueError:
+            contacts = []

        # add identities to contacts
        for contact in contacts: