-
Notifications
You must be signed in to change notification settings - Fork 421
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Escape regex characters in object search pattern (#2676) #2904
Escape regex characters in object search pattern (#2676) #2904
Conversation
e17cdf2
to
ee64b4a
Compare
@@ -103,7 +103,7 @@ def get_accessible_objects(self, principals, bound_permissions=None, with_childr | |||
else: | |||
for pattern, perm in bound_permissions: | |||
id_match = ".*" if with_children else "[^/]+" | |||
regexp = re.compile(f"^{pattern.replace('*', id_match)}$") | |||
regexp = re.compile(f"^{re.escape(pattern).replace('*', id_match)}$") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good call! But I suspect that this is also escaping patterns that we use internally to match multiple objects.
I think this could be done around here instead maybe:
kinto/kinto/core/authorization.py
Lines 236 to 261 in f27fb5a
def get_permission_object_id(self, request, object_id=None): | |
"""Returns the permission object id for the current request. | |
In the nominal case, it is just the current URI without version prefix. | |
For plural endpoint, it is the related object URI using the specified | |
`object_id`. | |
See :meth:`kinto.core.resource.model.SharableModel` and | |
:meth:`kinto.core.authorization.RouteFactory.__init__` | |
""" | |
object_uri = utils.strip_uri_prefix(request.path) | |
if self.on_plural_endpoint and object_id is not None: | |
# With the current request on a plural endpoint, the object URI must | |
# be found out by inspecting the "plural" service and its sibling | |
# "object" service. (see `register_resource()`) | |
matchdict = {**request.matchdict, "id": object_id} | |
try: | |
object_uri = utils.instance_uri(request, self.resource_name, **matchdict) | |
object_uri = object_uri.replace("%2A", "*") | |
except KeyError: | |
# Maybe the resource has no single object endpoint. | |
# We consider that object URIs in permissions backend will | |
# be stored naively: | |
object_uri = f"{object_uri}/{object_id}" | |
return object_uri |
@robinbanbury are you willing to continue to work on this? |
Hi @leplatrem - sorry, I thought I was going to have some more time to work on this, but haven't found time over the holidays. Unlikely I will now in the new year either, so probably better if I let this go. Apologies. |
Fixes #2676
kinto.tpl
file with it.