fix: security warnings related to information exposure and regex vali…

…dations
makeplane · Jan 8, 2024 · 8a5cbff · 8a5cbff
1 parent 69b1d0a
commit 8a5cbff
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 17 deletions.
diff --git a/apiserver/plane/api/views/base.py b/apiserver/plane/api/views/base.py
@@ -104,15 +104,14 @@ def handle_exception(self, exc):
                 )
 
             if isinstance(e, ObjectDoesNotExist):
-                model_name = str(exc).split(" matching query does not exist.")[0]
                 return Response(
-                    {"error": f"{model_name} does not exist."},
+                    {"error": f"The required object does not exist."},
                     status=status.HTTP_404_NOT_FOUND,
                 )
 
             if isinstance(e, KeyError):
                 return Response(
-                    {"error": f"key {e} does not exist"},
+                    {"error": f" The required key does not exist."},
                     status=status.HTTP_400_BAD_REQUEST,
                 )
 

diff --git a/apiserver/plane/app/views/base.py b/apiserver/plane/app/views/base.py
@@ -112,16 +112,15 @@ def handle_exception(self, exc):
                 )
 
             if isinstance(e, ObjectDoesNotExist):
-                model_name = str(exc).split(" matching query does not exist.")[0]
                 return Response(
-                    {"error": f"{model_name} does not exist."},
+                    {"error": f"The required object does not exist."},
                     status=status.HTTP_404_NOT_FOUND,
                 )
 
             if isinstance(e, KeyError):
                 capture_exception(e)
                 return Response(
-                    {"error": f"key {e} does not exist"},
+                    {"error": f"The required key does not exist."},
                     status=status.HTTP_400_BAD_REQUEST,
                 )
 
@@ -201,14 +200,13 @@ def handle_exception(self, exc):
                 )
 
             if isinstance(e, ObjectDoesNotExist):
-                model_name = str(exc).split(" matching query does not exist.")[0]
                 return Response(
-                    {"error": f"{model_name} does not exist."},
+                    {"error": f"The required object does not exist."},
                     status=status.HTTP_404_NOT_FOUND,
                 )
 
             if isinstance(e, KeyError):
-                return Response({"error": f"key {e} does not exist"}, status=status.HTTP_400_BAD_REQUEST)
+                return Response({"error": f"The required key does not exist."}, status=status.HTTP_400_BAD_REQUEST)
 
             if settings.DEBUG:
                 print(e)

diff --git a/apiserver/plane/space/views/base.py b/apiserver/plane/space/views/base.py
@@ -85,14 +85,14 @@ def handle_exception(self, exc):
             if isinstance(e, ObjectDoesNotExist):
                 model_name = str(exc).split(" matching query does not exist.")[0]
                 return Response(
-                    {"error": f"{model_name} does not exist."},
+                    {"error": f"The required object does not exist."},
                     status=status.HTTP_404_NOT_FOUND,
                 )
 
             if isinstance(e, KeyError):
                 capture_exception(e)
                 return Response(
-                    {"error": f"key {e} does not exist"},
+                    {"error": "The required key does not exist."},
                     status=status.HTTP_400_BAD_REQUEST,
                 )
 
@@ -172,14 +172,13 @@ def handle_exception(self, exc):
                 )
 
             if isinstance(e, ObjectDoesNotExist):
-                model_name = str(exc).split(" matching query does not exist.")[0]
                 return Response(
-                    {"error": f"{model_name} does not exist."},
+                    {"error": f"The required object does not exist."},
                     status=status.HTTP_404_NOT_FOUND,
                 )
 
             if isinstance(e, KeyError):
-                return Response({"error": f"key {e} does not exist"}, status=status.HTTP_400_BAD_REQUEST)
+                return Response({"error": "The required key does not exist."}, status=status.HTTP_400_BAD_REQUEST)
 
             if settings.DEBUG:
                 print(e)

diff --git a/apiserver/plane/utils/issue_search.py b/apiserver/plane/utils/issue_search.py
@@ -12,8 +12,8 @@ def search_issues(query, queryset):
     fields = ["name", "sequence_id"]
     q = Q()
     for field in fields:
-        if field == "sequence_id":
-            sequences = re.findall(r"\d+\.\d+|\d+", query)
+        if field == "sequence_id" and len(query) <= 20:
+            sequences = re.findall(r"[A-Za-z0-9]{1,12}-\d+", query)
             for sequence_id in sequences:
                 q |= Q(**{"sequence_id": sequence_id})
         else:

diff --git a/apiserver/plane/utils/paginator.py b/apiserver/plane/utils/paginator.py
@@ -188,7 +188,7 @@ def paginate(
         try:
             cursor_result = paginator.get_result(limit=per_page, cursor=input_cursor)
         except BadPaginationError as e:
-            raise ParseError(detail=str(e))
+            raise ParseError(detail="Error in parsing")
 
         # Serialize result according to the on_result function
         if on_results: