Escape regex characters in object search pattern (#2676)

Kinto · Nov 4, 2021 · e17cdf2 · e17cdf2
1 parent cae6737
commit e17cdf2
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/kinto/core/permission/memory.py b/kinto/core/permission/memory.py
@@ -103,7 +103,7 @@ def get_accessible_objects(self, principals, bound_permissions=None, with_childr
         else:
             for pattern, perm in bound_permissions:
                 id_match = ".*" if with_children else "[^/]+"
-                regexp = re.compile(f"^{pattern.replace('*', id_match)}$")
+                regexp = re.compile(f"^{re.escape(pattern).replace('*', id_match)}$")
                 for key, value in self._store.items():
                     if key.endswith(perm):
                         object_id = key.split(":")[1]

diff --git a/tests/core/resource/test_object_permissions.py b/tests/core/resource/test_object_permissions.py
@@ -76,6 +76,20 @@ def test_permissions_are_hidden_if_user_has_only_read_permission(self):
         self.assertEqual(result["permissions"], {})
 
 
+class GetObjectsPermissionTest(PermissionTest):
+    def setUp(self):
+        super().setUp()
+        self.object_id = ')EFg9=)%5E(M~%2037'
+        self.object_uri = "/articles/{}".format(self.object_id)
+        self.perm = "read"
+        self.permission.add_principal_to_ace(self.object_uri, self.perm, "account:readonly")
+
+    def test_get_objects_permissions_escapes_regex_chars_in_id(self):
+        principals = self.permission.get_object_permission_principals(self.object_uri, self.perm)
+        result = self.permission.get_accessible_objects(principals, [(self.object_uri, self.perm)])
+        self.assertEqual(result, {self.object_uri: {self.perm}})
+
+
 class SpecifyObjectPermissionTest(PermissionTest):
     def setUp(self):
         super().setUp()