Add extra checks on hash lookups

2022-08-27 12:20:36 +01:00
parent 850d00de19
commit c4f17dd5fb
3 changed files with 68 additions and 14 deletions
--- a/core/views/helpers.py
+++ b/core/views/helpers.py
@@ -11,7 +11,14 @@ from core import r


 class SearchDenied:
-    def __init__(self, value):
+    def __init__(self, key, value):
+        self.key = key
+        self.value = value
+
+
+class LookupDenied:
+    def __init__(self, key, value):
+        self.key = key
        self.value = value


@@ -84,7 +91,7 @@ def obfuscate_list(user, data):
    """
    Obfuscate data in a list of dictionaries.
    """
-    if user.has_perm("core.bypass_obfuscation"):
+    if user.has_perm("bypass_obfuscation"):
        return
    for index, item in enumerate(data):
        for key, value in item.items():
@@ -123,7 +130,7 @@ def hash_list(user, data, hash_keys=False):
    """
    Hash a list of dicts or a list with SipHash42.
    """
-    if user.has_perm("core.bypass_hashing"):
+    if user.has_perm("bypass_hashing"):
        return
    cache = "cache.hash"
    hash_table = {}
@@ -172,7 +179,12 @@ def hash_list(user, data, hash_keys=False):
 def hash_lookup(user, data_dict):
    cache = "cache.hash"
    hash_list = SortedSet()
+    denied = []
    for key, value in list(data_dict.items()):
+        if key in settings.SEARCH_FIELDS_DENY:
+            if not user.has_perm("bypass_hashing"):
+                data_dict[key] = SearchDenied(key=key, value=data_dict[key])
+                denied.append(data_dict[key])
        if (
            key not in settings.WHITELIST_FIELDS
            and key not in settings.NO_OBFUSCATE_PARAMS
@@ -193,8 +205,15 @@ def hash_lookup(user, data_dict):
            if not hashes:
                # Otherwise the user could inject plaintext search queries
                if not user.has_perm("bypass_hashing"):
-                    data_dict[key] = SearchDenied(value=data_dict[key])
-                    # del data_dict[key]
+                    data_dict[key] = SearchDenied(key=key, value=data_dict[key])
+                    denied.append(data_dict[key])
+                    continue
+            else:
+                # There are hashes here but there shouldn't be!
+                if key in settings.TAG_SEARCH_DENY:
+                    data_dict[key] = LookupDenied(key=key, value=data_dict[key])
+                    denied.append(data_dict[key])
+                    continue

            for hash in hashes:
                hash_list.add(hash)
@@ -220,10 +239,11 @@ def hash_lookup(user, data_dict):
                        for k2, v2 in data_dict[key].items():
                            if hash in v2:
                                data_dict[key][k2] = v2.replace(f"{hash}", total[hash])
+    return denied


 def encrypt_list(user, data, secret):
-    if user.has_perm("core.bypass_encryption"):
+    if user.has_perm("bypass_encryption"):
        return
    cipher = Cipher(algorithms.AES(secret), ECB())
    for index, item in enumerate(data):