From 2813a095deb359ddfd5a8c3fb4b51b4245db41ac Mon Sep 17 00:00:00 2001
From: sergiogimenez
Date: Sat, 16 Nov 2024 18:08:11 +0100
Subject: [PATCH 1/2] move logic to model and remove potential harmful code (void useing del)
---
 device/models.py | 30 ++++++++++++++++++++++++++++++
 device/views.py | 40 ++++++----------------------------------
 2 files changed, 36 insertions(+), 34 deletions(-)
diff --git a/device/models.py b/device/models.py
index 4e0778f..a9799de 100644
--- a/device/models.py
+++ b/device/models.py
@@ -1,3 +1,4 @@
+import json
 from django.db import models, connection
 from utils.constants import ALGOS
@@ -305,3 +306,32 @@ class Device:
 if not self.last_evidence:
 self.get_last_evidence()
 return self.last_evidence.get_components()
+
+ def get_components_data(self, is_user_authenticated):
+ if is_user_authenticated:
+ return self.components
+
+ public_components = json.loads(json.dumps(self.components))
+ self.remove_sensitive_data_from(public_components)
+ return public_components
+
+ def remove_sensitive_data_from(self, components):
+ for component in components:
+ component.pop('SerialNumber', None)
+ component.pop('serial_number', None)
+
+ def get_device_data(self, should_include_sensitive_fields):
+ data = {
+ 'id': self.id,
+ 'shortid': self.shortid,
+ 'uuids': self.uuids,
+ 'hids': self.hids,
+ 'components': self.get_components_data(should_include_sensitive_fields),
+ }
+
+ if should_include_sensitive_fields:
+ data.update({
+ 'serial_number': self.serial_number,
+ })
+
+ return data
diff --git a/device/views.py b/device/views.py
index 319f8cf..501f6e1 100644
--- a/device/views.py
+++ b/device/views.py
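Review bot: `remove_sensitive_data_from` redacts by deny-list — it pops only `SerialNumber` and `serial_number` — so any other sensitive key that a component carries now, or that the evidence format gains later, reaches the unauthenticated JSON unchanged; an allow-list of the component keys that are meant to be public would fail closed instead (the public key names are not visible here, so that list has to come from the evidence schema). The method also mutates its argument in place, so a caller that passes `self.components` directly would strip the cached data; at minimum state the contract, e.g. `"""Remove serial-number keys from each component dict in place; pass a copy."""`. `get_components_data` and `get_device_data` likewise carry no docstring saying that the boolean gates only the serial-number fields. The `if not self.last_evidence:` context at the top of the hunk belongs to a method whose `def` line is outside the hunk.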
@@ -115,14 +115,15 @@ class PublicDeviceWebView(TemplateView):
 template_name = "device_web.html"
 def get(self, request, *args, **kwargs):
- self.pk = kwargs['pk']
- self.object = Device(id=self.pk)
+ self.object = Device(id=kwargs['pk'])
 if not self.object.last_evidence:
 raise Http404
 if self.request.headers.get('Accept') == 'application/json':
- return self.get_json_response()
+ json_response = self.create_json_response(
+ self.request.user.is_authenticated)
+ return json_response
 return super().get(request, *args, **kwargs)
 def get_context_data(self, **kwargs):
@@ -133,37 +134,8 @@ class PublicDeviceWebView(TemplateView):
 })
 return context
- @property
- def public_fields(self):
- return {
- 'id': self.object.id,
- 'shortid': self.object.shortid,
- 'uuids': self.object.uuids,
- 'hids': self.object.hids,
- 'components': self.remove_serial_number_from(self.object.components),
- }
-
- @property
- def authenticated_fields(self):
- return {
- 'serial_number': self.object.serial_number,
- 'components': self.object.components,
- }
-
- def remove_serial_number_from(self, components):
- for component in components:
- if 'serial_number' in component:
- del component['SerialNumber']
- return components
-
- def get_device_data(self):
- data = self.public_fields
- if self.request.user.is_authenticated:
- data.update(self.authenticated_fields)
- return data
-
- def get_json_response(self):
- device_data = self.get_device_data()
+ def create_json_response(self, is_user_authenticated):
+ device_data = self.object.get_device_data(is_user_authenticated)
 return JsonResponse(device_data)
-- 
2.30.2
From 9fa8cd57ba974978f6463bf0c728e11003c14210 Mon Sep 17 00:00:00 2001
From: sergiogimenez
Date: Thu, 5 Dec 2024 09:14:37 +0100
Subject: [PATCH 2/2] Using a shallow copy instead of ineficient json conversion
---
 device/models.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/device/models.py b/device/models.py
index a9799de..3fcb9e0 100644
--- a/device/models.py
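Review bot: Dropping `self.pk` removes an attribute that other code on this view may still read; the body of `get_context_data` between the two hunks is not visible here, so confirm nothing else references `self.pk` before the attribute goes (the visible context suggests the view now works from `self.object`, but that is inferred). The temporary in the JSON branch adds nothing: `return self.create_json_response(request.user.is_authenticated)` reads more directly and uses the `request` parameter the method already receives (Django sets `self.request` to the same object, so this is style only). `get` is shown in full; `get_context_data`'s body is cut off at the hunk's end.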
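Review bot: `create_json_response` takes a bare boolean positionally, which leaves the call site in `get` reading as an unexplained `True`/`False`; making it keyword-only, `def create_json_response(self, *, is_user_authenticated):` with the call becoming `self.create_json_response(is_user_authenticated=request.user.is_authenticated)`, keeps the flag self-describing. The method should also carry a short docstring recording that the model, not the view, decides what is withheld, e.g. `"""Return the device as JsonResponse; serial numbers are included only when is_user_authenticated is true."""`. Since `get_json_response` is renamed rather than kept as an alias, confirm no other view, test or template still calls the old name.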
+++ b/device/models.py
@@ -311,7 +311,7 @@ class Device:
 if is_user_authenticated:
 return self.components
- public_components = json.loads(json.dumps(self.components))
+ public_components = [component.copy() for component in self.components]
 self.remove_sensitive_data_from(public_components)
 return public_components
-- 
2.30.2
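Review bot: With the `json` round-trip gone, the `import json` that the first patch added to device/models.py is now unused unless something else in that file uses it (not visible here), and should be removed in this same change. The shallow per-component copy is sufficient only because `remove_sensitive_data_from` pops top-level keys; any nested mappings stay shared with `self.components`, so a one-line comment above the comprehension, `# shallow copies suffice: only top-level keys are removed below`, records the assumption for the next person who extends the redaction. The comprehension also now requires every component to be a dict (the json round-trip accepted any JSON-serialisable value) — presumably they are, since the `pop` calls already assume it. `get_components_data`'s `def` line is outside the hunk.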