From b5c857aff4d9f511832f43fe9cbcf1f9f3d0da3e Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Mon, 20 Sep 2021 13:42:56 +0200
Subject: [PATCH] api: add explicit lookup_value_regex, disable include_format_suffixes
Signed-off-by: Jens Langhammer
---
 authentik/api/v3/urls.py | 1 +
 authentik/core/api/applications.py | 1 +
 authentik/core/api/sources.py | 1 +
 authentik/core/api/tokens.py | 1 +
 authentik/flows/api/flows.py | 1 +
 authentik/sources/ldap/api.py | 1 +
 authentik/sources/oauth/api/source.py | 1 +
 authentik/sources/plex/api/source.py | 1 +
 authentik/sources/saml/api.py | 1 +
 9 files changed, 9 insertions(+)
diff --git a/authentik/api/v3/urls.py b/authentik/api/v3/urls.py
index 87adf0b98..7cfa389b3 100644
--- a/authentik/api/v3/urls.py
+++ b/authentik/api/v3/urls.py
@@ -99,6 +99,7 @@ from authentik.stages.user_write.api import UserWriteStageViewSet
 from authentik.tenants.api import TenantViewSet
 router = routers.DefaultRouter()
+router.include_format_suffixes = False
 router.register("admin/system_tasks", TaskViewSet, basename="admin_system_tasks")
 router.register("admin/apps", AppsViewSet, basename="apps")
diff --git a/authentik/core/api/applications.py b/authentik/core/api/applications.py
index e8a92e3a6..42b4aa3db 100644
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@@ -77,6 +77,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
 "meta_publisher",
 ]
 lookup_field = "slug"
+ lookup_value_regex = r"^[-a-zA-Z0-9_]+\Z"
 ordering = ["name"]
 def _filter_queryset_for_list(self, queryset: QuerySet) -> QuerySet:
diff --git a/authentik/core/api/sources.py b/authentik/core/api/sources.py
index 18239ee16..328433e16 100644
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
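Review bot: `router.include_format_suffixes = False` in urls.py is added without a comment saying why, and the reason matters to anyone who later re-enables it, since the flag also drops the `<lookup>.<format>` suffix routes that DRF's DefaultRouter would otherwise register next to every detail route. The commit pairs it with a restricted slug lookup pattern, which suggests the suffix route was interfering with lookup matching, but that is inferred from the two changes appearing together. Suggest a one-line why-comment above the assignment such as `# No .json/.api suffix routes: lookups are matched only by each ViewSet's explicit lookup pattern`.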
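Review bot: The anchors in the added `lookup_value_regex = r"^[-a-zA-Z0-9_]+\Z"` in applications.py are likely to break the detail routes rather than tighten them: DRF's router embeds this value inside a named group in the generated route, roughly `^{prefix}/(?P<slug>{lookup_value_regex}){trailing_slash}$`, so `^` cannot match mid-pattern and `\Z` cannot be followed by the trailing slash. The unanchored form `lookup_value_regex = r"[-a-zA-Z0-9_]+"` still gives the intended allow-list (and, unlike DRF's default `[^/.]+`, excludes dots); a request test against one detail endpoint (e.g. retrieving an application by slug) would confirm the route still resolves before merging. The same value is added in core/api/sources.py, core/api/tokens.py, flows/api/flows.py, sources/ldap/api.py, sources/oauth/api/source.py, sources/plex/api/source.py and sources/saml/api.py, so the defect applies to all eight hunks. Since the literal is repeated eight times, a single shared constant (for example in the api package) would keep the ViewSets from drifting apart later.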
@@ -62,6 +62,7 @@ class SourceViewSet(
 queryset = Source.objects.none()
 serializer_class = SourceSerializer
 lookup_field = "slug"
+ lookup_value_regex = r"^[-a-zA-Z0-9_]+\Z"
 def get_queryset(self): # pragma: no cover
 return Source.objects.select_subclasses()
diff --git a/authentik/core/api/tokens.py b/authentik/core/api/tokens.py
index 24c5b76e7..a174b3671 100644
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@@ -66,6 +66,7 @@ class TokenViewSerializer(PassiveSerializer):
 class TokenViewSet(UsedByMixin, ModelViewSet):
 """Token Viewset"""
+ lookup_value_regex = r"^[-a-zA-Z0-9_]+\Z"
 lookup_field = "identifier"
 queryset = Token.objects.all()
 serializer_class = TokenSerializer
diff --git a/authentik/flows/api/flows.py b/authentik/flows/api/flows.py
index 602cc4654..3f11da33e 100644
--- a/authentik/flows/api/flows.py
+++ b/authentik/flows/api/flows.py
@@ -108,6 +108,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
 queryset = Flow.objects.all()
 serializer_class = FlowSerializer
 lookup_field = "slug"
+ lookup_value_regex = r"^[-a-zA-Z0-9_]+\Z"
 search_fields = ["name", "slug", "designation", "title"]
 filterset_fields = ["flow_uuid", "name", "slug", "designation"]
diff --git a/authentik/sources/ldap/api.py b/authentik/sources/ldap/api.py
index aae8e643a..914c4bffb 100644
--- a/authentik/sources/ldap/api.py
+++ b/authentik/sources/ldap/api.py
@@ -69,6 +69,7 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
 queryset = LDAPSource.objects.all()
 serializer_class = LDAPSourceSerializer
 lookup_field = "slug"
+ lookup_value_regex = r"^[-a-zA-Z0-9_]+\Z"
 filterset_fields = [
 "name",
 "slug",
diff --git a/authentik/sources/oauth/api/source.py b/authentik/sources/oauth/api/source.py
index 0beafb976..713397946 100644
--- a/authentik/sources/oauth/api/source.py
+++ b/authentik/sources/oauth/api/source.py
@@ -84,6 +84,7 @@ class OAuthSourceViewSet(UsedByMixin, ModelViewSet):
 queryset = OAuthSource.objects.all()
 serializer_class = OAuthSourceSerializer
 lookup_field = "slug"
+ lookup_value_regex = r"^[-a-zA-Z0-9_]+\Z"
 filterset_fields = [
 "name",
 "slug",
diff --git a/authentik/sources/plex/api/source.py b/authentik/sources/plex/api/source.py
index fb56c178c..37f489e19 100644
--- a/authentik/sources/plex/api/source.py
+++ b/authentik/sources/plex/api/source.py
@@ -49,6 +49,7 @@ class PlexSourceViewSet(UsedByMixin, ModelViewSet):
 queryset = PlexSource.objects.all()
 serializer_class = PlexSourceSerializer
 lookup_field = "slug"
+ lookup_value_regex = r"^[-a-zA-Z0-9_]+\Z"
 filterset_fields = [
 "name",
 "slug",
diff --git a/authentik/sources/saml/api.py b/authentik/sources/saml/api.py
index ec6a78799..2bfbf08dd 100644
--- a/authentik/sources/saml/api.py
+++ b/authentik/sources/saml/api.py
@@ -40,6 +40,7 @@ class SAMLSourceViewSet(UsedByMixin, ModelViewSet):
 queryset = SAMLSource.objects.all()
 serializer_class = SAMLSourceSerializer
 lookup_field = "slug"
+ lookup_value_regex = r"^[-a-zA-Z0-9_]+\Z"
 filterset_fields = "__all__"
 ordering = ["name"]