Fix #113. Fix regex in views.

2025-06-21 09:58:23 +02:00 · 2024-07-18 13:51:56 +02:00
parent 1a258dfe9e
commit 7322d55789
15 changed files with 147 additions and 85 deletions
--- a/apps/note/api/views.py
+++ b/apps/note/api/views.py
@ -1,19 +1,16 @@
 # Copyright (C) 2018-2024 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later

-import re
-
 from django.conf import settings
 from django.db.models import Q
 from django.core.exceptions import ValidationError
 from django_filters.rest_framework import DjangoFilterBackend
 from rest_framework.filters import OrderingFilter
-from rest_framework import viewsets
+from rest_framework import status, viewsets
 from rest_framework.response import Response
-from rest_framework import status
-
 from api.filters import RegexSafeSearchFilter
-from api.viewsets import ReadProtectedModelViewSet, ReadOnlyProtectedModelViewSet
+from api.viewsets import ReadProtectedModelViewSet, ReadOnlyProtectedModelViewSet, \
+    is_regex
 from permission.backends import PermissionBackend

 from .serializers import NotePolymorphicSerializer, AliasSerializer, ConsumerSerializer, \
@ -51,10 +48,14 @@ class NotePolymorphicViewSet(ReadProtectedModelViewSet):
            .distinct()

        alias = self.request.query_params.get("alias", ".*")
+        # Check if this is a valid regex. If not, we won't check regex
+        valid_regex = is_regex(alias)
+        suffix = '__iregex' if valid_regex else '__istartswith'
+        alias_prefix = '^' if valid_regex else ''
        queryset = queryset.filter(
-            Q(alias__name__iregex="^" + alias)
-            | Q(alias__normalized_name__iregex="^" + Alias.normalize(alias))
-            | Q(alias__normalized_name__iregex="^" + alias.lower())
+            Q(**{f"alias__name{suffix}": alias_prefix + alias})
+            | Q(**{f"alias__normalized_name{suffix}": alias_prefix + Alias.normalize(alias)})
+            | Q(**{f"alias__normalized_name{suffix}": alias_prefix + alias.lower()})
        )

        return queryset.order_by("id")
@ -68,7 +69,7 @@ class TrustViewSet(ReadProtectedModelViewSet):
    """
    queryset = Trust.objects
    serializer_class = TrustSerializer
-    filter_backends = [SearchFilter, DjangoFilterBackend, OrderingFilter]
+    filter_backends = [RegexSafeSearchFilter, DjangoFilterBackend, OrderingFilter]
    search_fields = ['$trusting__alias__name', '$trusting__alias__normalized_name',
                     '$trusted__alias__name', '$trusted__alias__normalized_name']
    filterset_fields = ['trusting', 'trusting__noteuser__user', 'trusted', 'trusted__noteuser__user']
@ -94,7 +95,7 @@ class AliasViewSet(ReadProtectedModelViewSet):
    """
    REST API View set.
    The djangorestframework plugin will get all `Alias` objects, serialize it to JSON with the given serializer,
-    then render it on /api/note/aliases/
+    then render it on /api/note/alias/
    """
    queryset = Alias.objects
    serializer_class = AliasSerializer
@ -129,18 +130,22 @@ class AliasViewSet(ReadProtectedModelViewSet):

        alias = self.request.query_params.get("alias", None)
        if alias:
+            # Check if this is a valid regex. If not, we won't check regex
+            valid_regex = is_regex(alias)
+            suffix = '__iregex' if valid_regex else '__istartswith'
+            alias_prefix = '^' if valid_regex else ''
            queryset = queryset.filter(
-                name__iregex="^" + alias
+                **{f"name{suffix}": alias_prefix + alias}
            ).union(
                queryset.filter(
-                    Q(normalized_name__iregex="^" + Alias.normalize(alias))
-                    & ~Q(name__iregex="^" + alias)
+                    Q(**{f"normalized_name{suffix}": alias_prefix + Alias.normalize(alias)})
+                    & ~Q(**{f"name{suffix}": alias_prefix + alias})
                ),
                all=True).union(
                queryset.filter(
-                    Q(normalized_name__iregex="^" + alias.lower())
-                    & ~Q(normalized_name__iregex="^" + Alias.normalize(alias))
-                    & ~Q(name__iregex="^" + alias)
+                    Q(**{f"normalized_name{suffix}": "^" + alias.lower()})
+                    & ~Q(**{f"normalized_name{suffix}": "^" + Alias.normalize(alias)})
+                    & ~Q(**{f"name{suffix}": "^" + alias})
                ),
                all=True)

@ -169,11 +174,7 @@ class ConsumerViewSet(ReadOnlyProtectedModelViewSet):

        alias = self.request.query_params.get("alias", None)
        # Check if this is a valid regex. If not, we won't check regex
-        try:
-            re.compile(alias)
-            valid_regex = True
-        except (re.error, TypeError):
-            valid_regex = False
+        valid_regex = is_regex(alias)
        suffix = '__iregex' if valid_regex else '__istartswith'
        alias_prefix = '^' if valid_regex else ''
        queryset = queryset.prefetch_related('note')