Here's a vulnerable place (combojsonapi/combojsonapi/utils/marshmallow_fields.py, line 56 in 91dcbf5):

    if value and "links" in value:
For example, you have a schema:
    # import assumed: flask-rest-jsonapi schemas are built on marshmallow_jsonapi's Flask variants
    from marshmallow_jsonapi.flask import Relationship, Schema

    class UserSchema(Schema):
        class Meta:
            model = User
            type_ = "user"
            self_view = "user_detail"
            self_view_kwargs = {"id": "<id>"}
            self_view_many = "user_list"
            ordered = True

        group = Relationship(
            nested="GroupSchema",
            attribute="_relationship_group_id_",
            related_view="group_detail",
            related_view_kwargs={"id": "<group_id>"},
            schema="GroupSchema",
            type_="group",
        )
And try to filter it using an invalid filter:

    [
        {
            "name": "group",
            "op": "eq",
            "val": 42
        }
    ]
It raises this:
    File "/.../src/combojsonapi/combojsonapi/utils/marshmallow_fields.py", line 56, in deserialize
        if value and "links" in value:
    TypeError: argument of type 'int' is not iterable
And a valid shorthand for it (which works well) is:

    [
        {
            "name": "group.id",
            "op": "eq",
            "val": 42
        }
    ]
I think that this variant has to work too, but it makes invalid filtering -- it returns objects that should not be there:
https://flask-rest-jsonapi.readthedocs.io/en/latest/filtering.html#
    [
        {
            "name": "group",
            "op": "any",
            "val": {
                "name": "id",
                "op": "eq",
                "val": 42
            }
        }
    ]
I think that we have to add proper checks for data and raise InvalidFilters.
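One way to do the "proper checks" the issue asks for, as an added example that is not combojsonapi's or flask-rest-jsonapi's own code: validate each filter object against the schema before it reaches deserialize or the query builder, so a relationship filtered with a scalar raises InvalidFilters (a 400) instead of leaking a TypeError (a 500). The SCHEMAS table is a constructed stand-in for UserSchema/GroupSchema from the issue, InvalidFilters is a stand-in for the project's exception of that name, and strip_links_unsafe reproduces only the one-line guard quoted above, not the rest of the real deserialize. The validator accepts the dotted "group.id" shorthand and the documented "any" form; it checks shape only and does not address the wrong results the "any" form produces.

```python
"""Added example (not combojsonapi's code): shape-check JSON:API filters and
harden the `"links" in value` guard so a non-mapping value is rejected cleanly."""
from typing import Any, Callable, Optional


class InvalidFilters(Exception):
    """Stand-in for flask-rest-jsonapi's InvalidFilters (assumed name)."""


# Constructed view of the two schemas from the issue: attribute names, plus
# relationship names mapped to the related schema (group -> GroupSchema).
SCHEMAS = {
    "UserSchema": {"attributes": {"id", "name"}, "relationships": {"group": "GroupSchema"}},
    "GroupSchema": {"attributes": {"id", "title"}, "relationships": {}},
}
RELATIONSHIP_OPS = {"any", "has"}            # ops that take a nested filter object
LIST_OPS = {"in", "notin", "in_", "notin_"}  # ops that take a list of values


def strip_links_unsafe(value: Any) -> Any:
    """The guard from marshmallow_fields.py line 56: `"links" in 42` raises TypeError."""
    if value and "links" in value:
        return {k: v for k, v in value.items() if k != "links"}
    return value


def strip_links(value: Any) -> Any:
    """Hardened guard: only a mapping can carry a 'links' member; a scalar is a
    malformed filter and is reported as such instead of crashing the handler."""
    if isinstance(value, dict):
        return {k: v for k, v in value.items() if k != "links"}
    if isinstance(value, list):
        return value  # to-many resource identifiers carry no top-level "links"
    raise InvalidFilters(f"expected an object, got {type(value).__name__}")


def validate_filter(schema_name: str, flt: Any) -> None:
    """Raise InvalidFilters unless `flt` is well-formed for `schema_name`."""
    if not isinstance(flt, dict) or "name" not in flt or "op" not in flt:
        raise InvalidFilters("filter must be an object with 'name' and 'op'")
    name, op, val = flt["name"], flt["op"], flt.get("val")
    if not isinstance(name, str) or not isinstance(op, str):
        raise InvalidFilters("'name' and 'op' must be strings")
    schema = SCHEMAS[schema_name]

    if "." in name:
        # Dotted shorthand "group.id": hop through the relationship and validate
        # the remainder against the related schema.
        rel, rest = name.split(".", 1)
        if rel not in schema["relationships"]:
            raise InvalidFilters(f"{rel} is not a relationship of {schema_name}")
        return validate_filter(schema["relationships"][rel], {**flt, "name": rest})

    if name in schema["relationships"]:
        # A bare relationship name only makes sense with any/has and a nested
        # filter object; {"name": "group", "op": "eq", "val": 42} stops here.
        if op not in RELATIONSHIP_OPS:
            raise InvalidFilters(f"{name}: relationship filters need op in {sorted(RELATIONSHIP_OPS)}")
        if not isinstance(val, dict):
            raise InvalidFilters(f"{name}: 'val' must be a nested filter object")
        return validate_filter(schema["relationships"][name], val)

    if name not in schema["attributes"]:
        raise InvalidFilters(f"{name} is not a field of {schema_name}")
    if op in LIST_OPS:
        if not isinstance(val, list):
            raise InvalidFilters(f"{name}: op {op} needs a list value")
    elif isinstance(val, (dict, list)):
        raise InvalidFilters(f"{name}: op {op} needs a scalar value")


def filter_error(schema_name: str, filters: Any) -> Optional[str]:
    """Return None when `filters` (the parsed filter[] array) is valid, else the message."""
    try:
        if not isinstance(filters, list):
            raise InvalidFilters("filter[] must be a JSON array")
        for flt in filters:
            validate_filter(schema_name, flt)
    except InvalidFilters as exc:
        return str(exc)
    return None


def exception_name(fn: Callable[[Any], Any], value: Any) -> Optional[str]:
    """Name of the exception `fn(value)` raises, or None if it returns normally."""
    try:
        fn(value)
    except Exception as exc:  # classify whatever escapes, including TypeError
        return type(exc).__name__
    return None
```

Run validate_filter over the parsed filter[] parameter before any Relationship field's deserialize is called; the hardened strip_links is only a backstop for values that still get through.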