Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* use shims for API view inheritation * Add mixin for input sanitation * fix clean operation to fix all string values * Also clean up dicts this is to future-proof this function * Update docstirng * proof custom methods against XSS through authenticated users
- Loading branch information
Showing
12 changed files
with
310 additions
and
178 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,90 @@ | ||
"""Mixins for (API) views in the whole project.""" | ||
|
||
from bleach import clean | ||
from rest_framework import generics, status | ||
from rest_framework.response import Response | ||
|
||
|
||
class CleanMixin(): | ||
"""Model mixin class which cleans inputs.""" | ||
|
||
# Define a map of fields avaialble for import | ||
SAFE_FIELDS = {} | ||
|
||
def create(self, request, *args, **kwargs): | ||
"""Override to clean data before processing it.""" | ||
serializer = self.get_serializer(data=self.clean_data(request.data)) | ||
serializer.is_valid(raise_exception=True) | ||
self.perform_create(serializer) | ||
headers = self.get_success_headers(serializer.data) | ||
return Response(serializer.data, status=status.HTTP_201_CREATED, headers=headers) | ||
|
||
def update(self, request, *args, **kwargs): | ||
"""Override to clean data before processing it.""" | ||
partial = kwargs.pop('partial', False) | ||
instance = self.get_object() | ||
serializer = self.get_serializer(instance, data=self.clean_data(request.data), partial=partial) | ||
serializer.is_valid(raise_exception=True) | ||
self.perform_update(serializer) | ||
|
||
if getattr(instance, '_prefetched_objects_cache', None): | ||
# If 'prefetch_related' has been applied to a queryset, we need to | ||
# forcibly invalidate the prefetch cache on the instance. | ||
instance._prefetched_objects_cache = {} | ||
|
||
return Response(serializer.data) | ||
|
||
def clean_data(self, data: dict) -> dict: | ||
"""Clean / snatize data. | ||
This uses mozillas bleach under the hood to disable certain html tags by | ||
encoding them - this leads to script tags etc. to not work. | ||
The results can be longer then the input; might make some character combinations | ||
`ugly`. Prevents XSS on the server-level. | ||
Args: | ||
data (dict): Data that should be sanatized. | ||
Returns: | ||
dict: Profided data sanatized; still in the same order. | ||
""" | ||
clean_data = {} | ||
for k, v in data.items(): | ||
if isinstance(v, str): | ||
ret = clean(v) | ||
elif isinstance(v, dict): | ||
ret = self.clean_data(v) | ||
else: | ||
ret = v | ||
clean_data[k] = ret | ||
return clean_data | ||
|
||
|
||
class ListAPI(generics.ListAPIView): | ||
"""View for list API.""" | ||
|
||
|
||
class ListCreateAPI(CleanMixin, generics.ListCreateAPIView): | ||
"""View for list and create API.""" | ||
|
||
|
||
class CreateAPI(CleanMixin, generics.CreateAPIView): | ||
"""View for create API.""" | ||
|
||
|
||
class RetrieveAPI(generics.RetrieveAPIView): | ||
"""View for retreive API.""" | ||
pass | ||
|
||
|
||
class RetrieveUpdateAPI(CleanMixin, generics.RetrieveUpdateAPIView): | ||
"""View for retrieve and update API.""" | ||
pass | ||
|
||
|
||
class RetrieveUpdateDestroyAPI(CleanMixin, generics.RetrieveUpdateDestroyAPIView): | ||
"""View for retrieve, update and destroy API.""" | ||
|
||
|
||
class UpdateAPI(CleanMixin, generics.UpdateAPIView): | ||
"""View for update API.""" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.