From ee64b4a2e08f5e59b2556bc606c3982d80b712a4 Mon Sep 17 00:00:00 2001
From: Robin Banbury
Date: Thu, 4 Nov 2021 08:14:03 +0000
Subject: [PATCH] Escape regex characters in object search pattern (#2676)
---
 kinto/core/permission/memory.py | 2 +-
 tests/core/resource/test_object_permissions.py | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/kinto/core/permission/memory.py b/kinto/core/permission/memory.py
index afcb3964c..9edc04b48 100644
--- a/kinto/core/permission/memory.py
+++ b/kinto/core/permission/memory.py
@@ -103,7 +103,7 @@ def get_accessible_objects(self, principals, bound_permissions=None, with_childr
 else:
 for pattern, perm in bound_permissions:
 id_match = ".*" if with_children else "[^/]+"
- regexp = re.compile(f"^{pattern.replace('*', id_match)}$")
+ regexp = re.compile(f"^{re.escape(pattern).replace('*', id_match)}$")
 for key, value in self._store.items():
 if key.endswith(perm):
 object_id = key.split(":")[1]
diff --git a/tests/core/resource/test_object_permissions.py b/tests/core/resource/test_object_permissions.py
index f3b3db9ad..21a3e3c67 100644
--- a/tests/core/resource/test_object_permissions.py
+++ b/tests/core/resource/test_object_permissions.py
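Review bot: The added line escapes the whole pattern before substituting the wildcard, but `re.escape` turns `*` into `\*`, so the `.replace('*', id_match)` that follows rewrites `\*` into `\.*` (zero or more literal dots) or `\[^/]+` (a literal `[` followed by an unmatchable `^`), and any bound permission that relies on the `*` placeholder — presumably the normal case, given that the code substitutes it — stops matching. This fails closed (access denied rather than granted), but it is still a regression in a permission lookup, and the new test in test_object_permissions.py does not catch it because its URI contains no `*`. Substitute the escaped form instead: `regexp = re.compile(f"^{re.escape(pattern).replace(re.escape('*'), id_match)}$")`. get_accessible_objects starts before the hunk and continues after it.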
@@ -76,6 +76,20 @@ def test_permissions_are_hidden_if_user_has_only_read_permission(self):
 self.assertEqual(result["permissions"], {})
+class GetObjectsPermissionTest(PermissionTest):
+ def setUp(self):
+ super().setUp()
+ self.object_id = ")EFg9=)%5E(M~%2037"
+ self.object_uri = "/articles/{}".format(self.object_id)
+ self.perm = "read"
+ self.permission.add_principal_to_ace(self.object_uri, self.perm, "account:readonly")
+
+ def test_get_objects_permissions_escapes_regex_chars_in_id(self):
+ principals = self.permission.get_object_permission_principals(self.object_uri, self.perm)
+ result = self.permission.get_accessible_objects(principals, [(self.object_uri, self.perm)])
+ self.assertEqual(result, {self.object_uri: {self.perm}})
+
+
 class SpecifyObjectPermissionTest(PermissionTest):
+ def setUp(self):
+ super().setUp()
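Review bot: The new test only exercises a bound permission whose pattern is the exact object URI, so it cannot tell whether the `*` placeholder still works once the pattern goes through `re.escape` in the memory backend (see the note on memory.py). Add a sibling test that registers the same ACE and calls `self.permission.get_accessible_objects(principals, [("/articles/*", self.perm)])`, asserting the result is `{self.object_uri: {self.perm}}`; a variant passing `with_children=True` would cover the `.*` branch too, if that path is meant to match this id. Minor style: `"/articles/{}".format(self.object_id)` could be the f-string `f"/articles/{self.object_id}"`, matching the f-string style used in memory.py.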