Add extra checks on hash lookups

2022-08-27 12:20:36 +01:00
parent 850d00de19
commit c4f17dd5fb
3 changed files with 68 additions and 14 deletions


@@ -6,6 +6,7 @@ from opensearchpy.exceptions import NotFoundError, RequestError
from core.lib.threshold import annotate_num_chans, annotate_num_users, annotate_online
from core.views.helpers import (
LookupDenied,
SearchDenied,
dedup_list,
encrypt_list,
@@ -309,12 +310,28 @@ def query_results(
query_created = False
# Lookup the hash values but don't disclose them to the user
denied = []
if lookup_hashes:
if settings.HASHING:
query_params = deepcopy(query_params)
hash_lookup(request.user, query_params)
denied_q = hash_lookup(request.user, query_params)
denied.extend(denied_q)
if tags:
hash_lookup(request.user, tags)
denied_t = hash_lookup(request.user, tags)
denied.extend(denied_t)
message = []
for x in denied:
if isinstance(x, SearchDenied):
message.append(f"Permission denied to search by {x.key}: {x.value}")
elif isinstance(x, LookupDenied):
message.append(f"Tag {x.key}: {x.value} not expected here. Nice try.")
if denied:
print("DENIED DICT", message)
message = [f"{i}" for i in message]
message = "\n".join(message)
message_class = "danger"
return {"message": message, "class": message_class}
if request.user.is_anonymous:
sizes = settings.OPENSEARCH_MAIN_SIZES_ANON
@@ -440,11 +457,6 @@ def query_results(
# search_query["query"]["bool"] = {"must": []}
for item in add_bool:
k, v = list(item.items())[0]
if isinstance(v, SearchDenied):
message = f"Access denied: search by protected field {k}: {v.value}"
message_class = "danger"
return {"message": message, "class": message_class}
search_query["query"]["bool"]["must"].append({"match_phrase": item})
if add_top:
for item in add_top:
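Review bot: In the second hunk (`@@ -309,12 +310,28 @@`) the denial branch reports refused lookups with `print("DENIED DICT", message)`, which leaves a debug line on stdout and records neither the user nor a severity. A refused hash lookup is an audit event and reads better as something like `log.warning("hash lookup denied for user %s: %s", request.user, message)` on the module's logger, if it has one. Both messages also echo `x.value` back to the caller, although the comment at the top of the block says looked-up hash values must not be disclosed; `SearchDenied` and `LookupDenied` are defined outside this page, so it is worth confirming that `value` only ever holds what the caller submitted and never a resolved plaintext. `message = [f"{i}" for i in message]` is a no-op on a list built from f-strings and can be dropped. `query_results` starts and ends outside the hunks shown.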