
Commit b076c57

committed
Merge branch 'hotfix_0.7.5'
2 parents b608e1b + defdccd commit b076c57


4 files changed

+28
-4
lines changed

4 files changed

+28
-4
lines changed

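--- a/AUTHORS
+++ b/AUTHORS
@@ -107,6 +107,8 @@ Patches and Contributions
 - Mattias Lundberg
 - Mayur Dhamanwala
 - Mikael Berg
+- Moritz Schneider
+- Moritz Schneider
 - Mugur Rus
 - Nathan Reynolds
 - Niall Donegan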

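--- a/CHANGES
+++ b/CHANGES
@@ -77,6 +77,15 @@ Breaking Changes
 Stable
 ------
 
+Version 0.7.5
+~~~~~~~~~~~~~
+
+Released on 4 December, 2017
+
+- Fix: A query was not fully traversed in the sanitization. Therefore the
+blacklist for mongo wueries could be bypassed, allowing for dangerous
+``$where`` queries (Moritz Schneider).
+
 Version 0.7.4
 ~~~~~~~~~~~~~
 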
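--- a/eve/io/mongo/mongo.py
+++ b/eve/io/mongo/mongo.py
@@ -817,10 +817,14 @@ def sanitize_keys(spec):
 'Query contains operators banned in MONGO_QUERY_BLACKLIST'
 ))
 
-sanitize_keys(spec)
-for value in spec.values():
-if isinstance(value, dict):
-sanitize_keys(value)
+if isinstance(spec, dict):
+sanitize_keys(spec)
+for value in spec.values():
+self._sanitize(value)
+if isinstance(spec, list):
+for value in spec:
+self._sanitize(value)
+
 return spec
 
 def _wc(self, resource):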
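Review bot: The new traversal at new-side lines 820-826 descends only into `dict` and `list` values, so any other container type inside `spec` is passed through without being checked; that is sufficient if `spec` always comes from JSON decoding, but nothing in the hunk establishes that, and a comment such as `# spec is assumed to be json-decoded, so only dict and list can nest operators` would make the assumption explicit. The two `isinstance` branches are mutually exclusive, so the second could read `elif isinstance(spec, list):` to make that intent visible. The recursion through `self._sanitize` is now bounded only by query depth, so a deeply nested query would presumably raise RecursionError and surface as a 500 rather than the 400 the blacklist check returns; if that matters, a depth cap or a note on it belongs here. The enclosing `_sanitize` method starts before the hunk, so its docstring is not visible; it should state that nested operators are now checked as well.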

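--- a/eve/tests/methods/get.py
+++ b/eve/tests/methods/get.py
@@ -205,6 +205,15 @@ def test_get_mongo_query_blacklist(self):
 _, status = self.get(self.known_resource, '?where=%s' % where)
 self.assert400(status)
 
+def test_get_mongo_query_blacklist_nested(self):
+where = '{"$or": [{"$where": "this.ref == ''%s''"}]}' % self.item_name
+_, status = self.get(self.known_resource, '?where=%s' % where)
+self.assert400(status)
+
+where = '{"$or": [{"ref": {"$regex": "%s"}}]}' % self.item_name
+_, status = self.get(self.known_resource, '?where=%s' % where)
+self.assert400(status)
+
 def test_get_where_mongo_objectid_as_string(self):
 where = '{"tid": "%s"}' % self.item_tid
 response, status = self.get(self.known_resource, '?where=%s' % where)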
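Review bot: The second case in `test_get_mongo_query_blacklist_nested` (new-side line 213) passes only if `$regex` is part of the configured MONGO_QUERY_BLACKLIST, which the test does not set itself, so the dependency on the default configuration is invisible; a comment such as `# $regex is rejected only because it is in the default MONGO_QUERY_BLACKLIST` would keep that visible if the default is later changed. The two cases could also be split into separate test methods so that a failure names which nesting shape regressed. The enclosing test class starts outside the hunk.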
