Skip to content

Commit

Permalink
Mark passwords as sensitive variables #11652
Browse files Browse the repository at this point in the history
  • Loading branch information
jacobtylerwalls committed Nov 26, 2024
1 parent 06ed15a commit 233f188
Show file tree
Hide file tree
Showing 4 changed files with 55 additions and 17 deletions.
2 changes: 2 additions & 0 deletions arches/app/views/api/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@
from django.core.exceptions import ObjectDoesNotExist, ValidationError
from django.core.files.base import ContentFile
from django.views.decorators.csrf import csrf_exempt
from django.views.decorators.debug import sensitive_variables
from django.utils import translation
from django.utils.decorators import method_decorator
from django_ratelimit.decorators import ratelimit
Expand Down Expand Up @@ -1128,6 +1129,7 @@ def get(self, request, plugin_id=None):


class SearchExport(View):
@sensitive_variables("user_cred")
@method_decorator(
ratelimit(
key="header:http-authorization", rate=settings.RATE_LIMIT, block=False
Expand Down
7 changes: 6 additions & 1 deletion arches/app/views/api/auth.py
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
from django.contrib.auth import authenticate, login, logout
from django.utils.decorators import method_decorator
from django.utils.translation import gettext as _
from django.views.decorators.debug import sensitive_variables, sensitive_post_parameters
from django_ratelimit.decorators import ratelimit

from arches.app.models.system_settings import settings
Expand All @@ -18,7 +19,11 @@ class Login(LoginView, APIBase):
http_method_names = ["post"]

@method_decorator(
ratelimit(key="post:username", rate=settings.RATE_LIMIT, block=False)
(
sensitive_variables(),
sensitive_post_parameters(),
ratelimit(key="post:username", rate=settings.RATE_LIMIT, block=False),
)
)
def post(self, request):
if getattr(request, "limited", False):
Expand Down
62 changes: 46 additions & 16 deletions arches/app/views/auth.py
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@
import base64
import io

from django.http import response
from arches.app.utils.external_oauth_backend import ExternalOauthAuthenticationBackend
import qrcode
import pyotp
Expand All @@ -33,6 +32,7 @@
from django.utils.decorators import method_decorator
from django.views.decorators.cache import never_cache
from django.views.decorators.csrf import csrf_exempt
from django.views.decorators.debug import sensitive_post_parameters, sensitive_variables
from django.utils.html import strip_tags
from django.utils.translation import gettext as _
from django.utils.http import urlencode
Expand Down Expand Up @@ -88,19 +88,23 @@ def get(self, request):
)

@method_decorator(
ratelimit(
key="post:username",
rate=(
(
"{}/{}".format(
int(settings.RATE_LIMIT.split("/")[0]) * 2,
settings.RATE_LIMIT.split("/")[1],
(
sensitive_variables(),
sensitive_post_parameters(),
ratelimit(
key="post:username",
rate=(
(
"{}/{}".format(
int(settings.RATE_LIMIT.split("/")[0]) * 2,
settings.RATE_LIMIT.split("/")[1],
)
)
)
if isinstance(settings.RATE_LIMIT, str)
else settings.RATE_LIMIT
if isinstance(settings.RATE_LIMIT, str)
else settings.RATE_LIMIT
),
block=False,
),
block=False,
)
)
def post(self, request):
Expand Down Expand Up @@ -369,7 +373,13 @@ def get(self, request):
}
return JSONResponse(messages)

@method_decorator(ratelimit(key="user", rate=settings.RATE_LIMIT, block=False))
@method_decorator(
(
sensitive_variables(),
sensitive_post_parameters(),
ratelimit(key="user", rate=settings.RATE_LIMIT, block=False),
)
)
def post(self, request):
messages = {
"invalid_password": None,
Expand Down Expand Up @@ -425,7 +435,13 @@ class PasswordResetConfirmView(auth_views.PasswordResetConfirmView):

@method_decorator(csrf_exempt, name="dispatch")
class UserProfileView(View):
@method_decorator(ratelimit(key="post:username", rate=settings.RATE_LIMIT))
@method_decorator(
(
sensitive_variables(),
sensitive_post_parameters(),
ratelimit(key="post:username", rate=settings.RATE_LIMIT),
)
)
def post(self, request):
username = request.POST.get("username", None)
password = request.POST.get("password", None)
Expand All @@ -446,7 +462,13 @@ def post(self, request):

@method_decorator(csrf_exempt, name="dispatch")
class GetClientIdView(View):
@method_decorator(ratelimit(key="post:username", rate=settings.RATE_LIMIT))
@method_decorator(
(
sensitive_variables(),
sensitive_post_parameters(),
ratelimit(key="post:username", rate=settings.RATE_LIMIT),
)
)
def post(self, request):
if settings.OAUTH_CLIENT_ID == "":
message = _("Make sure to set your OAUTH_CLIENT_ID in settings.py")
Expand All @@ -465,7 +487,13 @@ def post(self, request):

@method_decorator(csrf_exempt, name="dispatch")
class ServerSettingView(View):
@method_decorator(ratelimit(key="post:username", rate=settings.RATE_LIMIT))
@method_decorator(
(
sensitive_variables(),
sensitive_post_parameters(),
ratelimit(key="post:username", rate=settings.RATE_LIMIT),
)
)
def post(self, request):
if settings.OAUTH_CLIENT_ID == "":
message = _("Make sure to set your OAUTH_CLIENT_ID in settings.py")
Expand Down Expand Up @@ -573,6 +601,7 @@ def post(self, request):

@method_decorator(never_cache, name="dispatch")
class TwoFactorAuthenticationLoginView(View):
@method_decorator((sensitive_variables(), sensitive_post_parameters()))
def post(self, request):
username = request.POST.get("username", None)
password = request.POST.get("password", None)
Expand Down Expand Up @@ -718,6 +747,7 @@ def post(self, request):

@method_decorator(csrf_exempt, name="dispatch")
class Token(View):
@method_decorator(sensitive_variables())
def get(self, request):
if settings.DEBUG:
data = {
Expand Down
1 change: 1 addition & 0 deletions releases/8.0.0.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ Arches 8.0.0 Release Notes
### Additional highlights
- Add session-based REST APIs for login, logout [#11261](https://github.com/archesproject/arches/issues/11261)
- Add system check advising next action when enabling additional languages without updating graphs [#10079](https://github.com/archesproject/arches/issues/10079)
- Auth views now filter out passwords from error reports when running in production [#11652](https://github.com/archesproject/arches/issues/11652)
- Improve handling of longer model names [#11317](https://github.com/archesproject/arches/issues/11317)
- Support more expressive plugin URLs [#11320](https://github.com/archesproject/arches/issues/11320)
- Make node aliases not nullable [#10437](https://github.com/archesproject/arches/issues/10437)
Expand Down

0 comments on commit 233f188

Please sign in to comment.