From 3b6c941f6513dd8f5b688e9c9ce066c78c5d8c47 Mon Sep 17 00:00:00 2001 From: Oliver Date: Fri, 20 Oct 2023 20:39:53 +1100 Subject: [PATCH] Token tweaks (#5761) * Ensure token name is trimmed * Improve sanitizing of token name --- InvenTree/users/api.py | 4 +++- InvenTree/users/models.py | 17 +++++++++++++++++ InvenTree/users/test_api.py | 6 ++++++ 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/InvenTree/users/api.py b/InvenTree/users/api.py index 51fd193142..c1c12f23fa 100644 --- a/InvenTree/users/api.py +++ b/InvenTree/users/api.py @@ -86,7 +86,7 @@ class RoleDetails(APIView): for ruleset in RuleSet.RULESET_CHOICES: - role, text = ruleset + role, _text = ruleset permissions = [] @@ -199,6 +199,8 @@ class GetAuthToken(APIView): user = request.user name = request.query_params.get('name', '') + name = ApiToken.sanitize_name(name) + # Delete any matching tokens ApiToken.objects.filter(user=user, name=name).delete() diff --git a/InvenTree/users/models.py b/InvenTree/users/models.py index a7eb4cd016..ec8307b851 100644 --- a/InvenTree/users/models.py +++ b/InvenTree/users/models.py @@ -20,6 +20,7 @@ from django.utils.translation import gettext_lazy as _ from rest_framework.authtoken.models import Token as AuthToken +import InvenTree.helpers from InvenTree.ready import canAppAccessDatabase logger = logging.getLogger("inventree") @@ -98,6 +99,22 @@ class ApiToken(AuthToken): help_text=_('Token has been revoked'), ) + @staticmethod + def sanitize_name(name: str): + """Sanitize the provide name value""" + + name = str(name).strip() + + # Remove any non-printable chars + name = InvenTree.helpers.remove_non_printable_characters(name, remove_newline=True) + name = InvenTree.helpers.strip_html_tags(name) + + name = name.replace(' ', '-') + # Limit to 100 characters + name = name[:100] + + return name + @property @admin.display(description=_('Token')) def token(self): 
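Review bot: The sanitized value is now the key for the delete-and-recreate step that follows, so two requests whose raw names differ only in surrounding whitespace, markup, or spaces versus hyphens (`'my token'` and `'my-token'`) resolve to the same token and the later request silently revokes the earlier one; that is probably the intended trimming, but it deserves a comment, e.g. `# Sanitize first so names differing only in whitespace/markup map to the same token`. `sanitize_name` can also return an empty string when the input was entirely whitespace or markup, which then falls through to the filter/create path with `name=''`; consider whether an empty name should be rejected or given a default before the delete. GetAuthToken's body continues outside the hunk.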
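Review bot: In `sanitize_name` the `strip()` runs before `remove_non_printable_characters` and `strip_html_tags`, so whitespace exposed by those calls (an input like `'<b> </b>name'`, assuming the tag stripper keeps inner text) is never trimmed and turns into a leading `-` at the space replacement; moving the trim down, `name = str(name)` at the top and `name = name.strip()` immediately before `name = name.replace(' ', '-')`, closes that. The `100` in `name[:100]` is a magic number that presumably mirrors the `name` field's `max_length` — confirm, and prefer reading it from the field (`ApiToken._meta.get_field('name').max_length`) so the two cannot drift. The docstring has a typo, `"""Sanitize the provided name value"""`, and the method would benefit from a `-> str` return annotation. The enclosing `ApiToken` class starts outside the hunk.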
diff --git a/InvenTree/users/test_api.py b/InvenTree/users/test_api.py index 94da4b5ead..db3f7f14e1 100644 --- a/InvenTree/users/test_api.py +++ b/InvenTree/users/test_api.py @@ -89,6 +89,12 @@ class UserTokenTests(InvenTreeAPITestCase): with self.assertRaises(ApiToken.DoesNotExist): token.refresh_from_db() + # Test with a really long name + data = self.get(url, data={'name': 'cat' * 100}, expected_code=200).data + + # Name should be truncated + self.assertEqual(len(data['name']), 100) + def test_token_auth(self): """Test user token authentication"""
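Review bot: The new assertion pins only the truncated length; the other sanitizing steps introduced by the same change (trim, space-to-hyphen, tag removal) have no coverage, so a regression in them would pass. Add a case beside it, e.g. `data = self.get(url, data={'name': '  my token  '}, expected_code=200).data` followed by `self.assertEqual(data['name'], 'my-token')`. The truncation case is also stronger checked against content rather than length alone, `self.assertEqual(data['name'], ('cat' * 100)[:100])`. The test method's opening lines are outside the hunk.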