Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Escape regex characters in object search pattern (#2676) #2904

Closed
wants to merge 1 commit into from
Closed

Escape regex characters in object search pattern (#2676) #2904

wants to merge 1 commit into from

Conversation

robinbanbury
Copy link

Fixes #2676

  • Add documentation.
  • Add tests.
  • Add a changelog entry.
  • Add your name in the contributors file.
  • If you changed the HTTP API, update the API_VERSION constant and add an API changelog entry in the docs
  • If you added a new configuration setting, update the kinto.tpl file with it.

@robinbanbury robinbanbury force-pushed the escape-regex-in-object-search-pattern branch from e17cdf2 to ee64b4a Compare November 4, 2021 14:08
leplatrem
leplatrem reviewed Nov 5, 2021
View reviewed changes
kinto/core/permission/memory.py
@@ -103,7 +103,7 @@ def get_accessible_objects(self, principals, bound_permissions=None, with_childr
else:
for pattern, perm in bound_permissions:
id_match = ".*" if with_children else "[^/]+"
regexp = re.compile(f"^{pattern.replace('*', id_match)}$")
regexp = re.compile(f"^{re.escape(pattern).replace('*', id_match)}$")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call! But I suspect that this is also escaping patterns that we use internally to match multiple objects.

I think this could be done around here instead maybe:

kinto/kinto/core/authorization.py

Lines 236 to 261 in f27fb5a

def get_permission_object_id(self, request, object_id=None):
"""Returns the permission object id for the current request.
In the nominal case, it is just the current URI without version prefix.
For plural endpoint, it is the related object URI using the specified
`object_id`.
See :meth:`kinto.core.resource.model.SharableModel` and
:meth:`kinto.core.authorization.RouteFactory.__init__`
"""
object_uri = utils.strip_uri_prefix(request.path)
if self.on_plural_endpoint and object_id is not None:
# With the current request on a plural endpoint, the object URI must
# be found out by inspecting the "plural" service and its sibling
# "object" service. (see `register_resource()`)
matchdict = {**request.matchdict, "id": object_id}
try:
object_uri = utils.instance_uri(request, self.resource_name, **matchdict)
object_uri = object_uri.replace("%2A", "*")
except KeyError:
# Maybe the resource has no single object endpoint.
# We consider that object URIs in permissions backend will
# be stored naively:
object_uri = f"{object_uri}/{object_id}"
return object_uri

@leplatrem
Copy link
Contributor

@robinbanbury are you willing to continue to work on this?

@robinbanbury
Copy link
Author

Hi @leplatrem - sorry, I thought I was going to have some more time to work on this, but haven't found time over the holidays. Unlikely I will now in the new year either, so probably better if I let this go. Apologies.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leplatrem leplatrem leplatrem left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Kinto returns HTTP 500 on get_records endpoint (unbalanced parenthesis)
2 participants
@robinbanbury @leplatrem