From f6e27bc7bd5a0a34c2c0ef4c905d227b0386a471 Mon Sep 17 00:00:00 2001
From: Jacob Walls
Date: Mon, 25 Nov 2024 21:20:45 -0500
Subject: [PATCH] fixup! Add @sensitive_post_parameters

---
 arches/app/views/api/__init__.py | 2 +
 arches/app/views/api/auth.py | 8 ++--
 arches/app/views/auth.py | 73 ++++++++++++++++++++------------
 3 files changed, 52 insertions(+), 31 deletions(-)

diff --git a/arches/app/views/api/__init__.py b/arches/app/views/api/__init__.py
index c57283be00..84bfac1846 100644
--- a/arches/app/views/api/__init__.py
+++ b/arches/app/views/api/__init__.py
@@ -24,6 +24,7 @@
 from django.core.exceptions import ObjectDoesNotExist, ValidationError
 from django.core.files.base import ContentFile
 from django.views.decorators.csrf import csrf_exempt
+from django.views.decorators.debug import sensitive_variables
 from django.utils import translation
 from django.utils.decorators import method_decorator
 from django_ratelimit.decorators import ratelimit
@@ -1128,6 +1129,7 @@ def get(self, request, plugin_id=None):
 class SearchExport(View):
+    @sensitive_variables("user_cred")
     @method_decorator(
         ratelimit(
             key="header:http-authorization", rate=settings.RATE_LIMIT, block=False
diff --git a/arches/app/views/api/auth.py b/arches/app/views/api/auth.py
index 84c113f1fa..27ff81e1e0 100644
--- a/arches/app/views/api/auth.py
+++ b/arches/app/views/api/auth.py
@@ -18,10 +18,12 @@ class Login(LoginView, APIBase):
     http_method_names = ["post"]
-    @sensitive_variables()
-    @sensitive_post_parameters()
     @method_decorator(
-        ratelimit(key="post:username", rate=settings.RATE_LIMIT, block=False)
+        (
+            sensitive_variables(),
+            sensitive_post_parameters(),
+            ratelimit(key="post:username", rate=settings.RATE_LIMIT, block=False),
+        )
     )
     def post(self, request):
         if getattr(request, "limited", False):
diff --git a/arches/app/views/auth.py b/arches/app/views/auth.py
index e693e75e2d..978542a59f 100644
--- a/arches/app/views/auth.py
+++ b/arches/app/views/auth.py
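Review bot: `@sensitive_variables("user_cred")` on SearchExport is applied directly to the method, while this same fixup routes every other `sensitive_variables()` call through `method_decorator` (Token.get in arches/app/views/auth.py, for instance), so the codebase now mixes both forms for the same decorator. That is functionally fine, because sensitive_variables does not inspect its first argument the way sensitive_post_parameters does, but `@method_decorator(sensitive_variables("user_cred"))` would keep the pattern uniform. The named variable also deserves a comment tying it to the body, e.g. `# "user_cred" must match the local that holds the parsed credential; keep in sync with the body below`, since the method body is outside the hunk and the name cannot be checked here. Bear in mind this only masks the value in Django's technical-500 page and error-report emails; whatever the view itself logs is unaffected.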
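Review bot: The decorator tuple in Login.post encodes two constraints that the hunk leaves undocumented: `sensitive_variables()` must be first so it is the outermost wrapper and the frames of the wrappers beneath it (including the one holding `request`) are cleansed too, and `sensitive_post_parameters()` has to be applied via `method_decorator` because it expects an HttpRequest as its first positional argument, which a plain method decorator would receive as `self`. A comment such as `# order matters: sensitive_variables outermost; sensitive_post_parameters needs method_decorator (first arg must be the request)` above the `@method_decorator(` line would protect the redaction from a well-meaning reorder, and the same comment belongs on each of the equivalent tuples in arches/app/views/auth.py. If `LoginView` here is Django's contrib LoginView, its `dispatch` already applies `sensitive_post_parameters()`, making the second entry redundant though harmless; the import is outside the hunk, so this is unconfirmed.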
@@ -87,22 +87,24 @@ def get(self, request):
             },
         )
-    @sensitive_variables()
-    @sensitive_post_parameters()
     @method_decorator(
-        ratelimit(
-            key="post:username",
-            rate=(
-                (
-                    "{}/{}".format(
-                        int(settings.RATE_LIMIT.split("/")[0]) * 2,
-                        settings.RATE_LIMIT.split("/")[1],
+        (
+            sensitive_variables(),
+            sensitive_post_parameters(),
+            ratelimit(
+                key="post:username",
+                rate=(
+                    (
+                        "{}/{}".format(
+                            int(settings.RATE_LIMIT.split("/")[0]) * 2,
+                            settings.RATE_LIMIT.split("/")[1],
+                        )
                     )
-                )
-                if isinstance(settings.RATE_LIMIT, str)
-                else settings.RATE_LIMIT
+                    if isinstance(settings.RATE_LIMIT, str)
+                    else settings.RATE_LIMIT
+                ),
+                block=False,
             ),
-            block=False,
         )
     )
     def post(self, request):
@@ -371,9 +373,13 @@ def get(self, request):
         }
         return JSONResponse(messages)
-    @sensitive_variables()
-    @sensitive_post_parameters()
-    @method_decorator(ratelimit(key="user", rate=settings.RATE_LIMIT, block=False))
+    @method_decorator(
+        (
+            sensitive_variables(),
+            sensitive_post_parameters(),
+            ratelimit(key="user", rate=settings.RATE_LIMIT, block=False),
+        )
+    )
     def post(self, request):
         messages = {
             "invalid_password": None,
@@ -429,9 +435,13 @@ class PasswordResetConfirmView(auth_views.PasswordResetConfirmView):
 @method_decorator(csrf_exempt, name="dispatch")
 class UserProfileView(View):
-    @sensitive_variables()
-    @sensitive_post_parameters()
-    @method_decorator(ratelimit(key="post:username", rate=settings.RATE_LIMIT))
+    @method_decorator(
+        (
+            sensitive_variables(),
+            sensitive_post_parameters(),
+            ratelimit(key="post:username", rate=settings.RATE_LIMIT),
+        )
+    )
     def post(self, request):
         username = request.POST.get("username", None)
         password = request.POST.get("password", None)
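Review bot: The rewritten ratelimit call in the @@ -87 hunk now buries the rate-doubling expression five parenthesis levels deep inside the decorator tuple, which is hard to read and hard to modify safely; the doubling itself is unchanged from the old code. Moving that expression into a small module-level helper and passing `rate=_double_rate_limit(settings.RATE_LIMIT)` leaves the decorator as the same three-entry tuple used elsewhere in the file and gives the doubling a place for a docstring explaining why login gets twice the configured limit, which the hunk does not state anywhere. The helper would sit at module level above the class, outside this hunk, and the body of `post` continues past the hunk's end.
```python
def _double_rate_limit(rate):
    """Double the request count of a django-ratelimit rate string ("5/m" -> "10/m").

    Non-string rates are returned unchanged, exactly as the former inline
    conditional expression did.
    """
    if not isinstance(rate, str):
        return rate
    parts = rate.split("/")
    return "{}/{}".format(int(parts[0]) * 2, parts[1])


# … unchanged: class definition and get() …

    @method_decorator(
        (
            sensitive_variables(),
            sensitive_post_parameters(),
            ratelimit(
                key="post:username",
                rate=_double_rate_limit(settings.RATE_LIMIT),
                block=False,
            ),
        )
    )
    def post(self, request):
```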
@@ -452,9 +462,13 @@ def post(self, request):
 @method_decorator(csrf_exempt, name="dispatch")
 class GetClientIdView(View):
-    @sensitive_variables()
-    @sensitive_post_parameters()
-    @method_decorator(ratelimit(key="post:username", rate=settings.RATE_LIMIT))
+    @method_decorator(
+        (
+            sensitive_variables(),
+            sensitive_post_parameters(),
+            ratelimit(key="post:username", rate=settings.RATE_LIMIT),
+        )
+    )
     def post(self, request):
         if settings.OAUTH_CLIENT_ID == "":
             message = _("Make sure to set your OAUTH_CLIENT_ID in settings.py")
@@ -473,9 +487,13 @@ def post(self, request):
 @method_decorator(csrf_exempt, name="dispatch")
 class ServerSettingView(View):
-    @sensitive_variables()
-    @sensitive_post_parameters()
-    @method_decorator(ratelimit(key="post:username", rate=settings.RATE_LIMIT))
+    @method_decorator(
+        (
+            sensitive_variables(),
+            sensitive_post_parameters(),
+            ratelimit(key="post:username", rate=settings.RATE_LIMIT),
+        )
+    )
     def post(self, request):
         if settings.OAUTH_CLIENT_ID == "":
             message = _("Make sure to set your OAUTH_CLIENT_ID in settings.py")
@@ -583,8 +601,7 @@ def post(self, request):
 @method_decorator(never_cache, name="dispatch")
 class TwoFactorAuthenticationLoginView(View):
-    @sensitive_variables()
-    @sensitive_post_parameters()
+    @method_decorator((sensitive_variables(), sensitive_post_parameters()))
     def post(self, request):
         username = request.POST.get("username", None)
         password = request.POST.get("password", None)
@@ -730,7 +747,7 @@ def post(self, request):
 @method_decorator(csrf_exempt, name="dispatch")
 class Token(View):
-    @sensitive_variables()
+    @method_decorator(sensitive_variables())
     def get(self, request):
         if settings.DEBUG:
             data = {
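Review bot: In the TwoFactorAuthenticationLoginView hunk the new `method_decorator((sensitive_variables(), sensitive_post_parameters()))` is the only credential-reading `post` in this patch without a `ratelimit(...)` entry, even though the method reads `username` and `password` from `request.POST` just like UserProfileView, GetClientIdView and ServerSettingView, which all pair the redaction decorators with `ratelimit(key="post:username", rate=settings.RATE_LIMIT)`. Unless limiting is applied at the dispatch or middleware level (nothing in the hunk shows it), adding `ratelimit(key="post:username", rate=settings.RATE_LIMIT, block=False),` as the third tuple entry would bring it in line, with a matching `if getattr(request, "limited", False):` check in the body, which continues outside the hunk. The omission predates this commit, so it may be intentional; a short comment stating why would settle it either way.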