[ckan-dev] model VS context['model']
Vitor Baptista
vitor at vitorbaptista.com
Wed May 29 00:07:18 UTC 2013
Hi Ian,
The only methods we call on the obj_type that comes from the user are *get* and
*id*, so I can't see a vulnerability in there. The code in master
allows this as well, passing the obj_type directly to the Member creation (
https://github.com/vitorbaptista/ckan/blob/master/ckan/logic/action/create.py#L438
).
I'm not sure if this was intended (i.e. any model might be a member of a
group) or not. If not, I agree that we should check that obj_type is what we
expect to be valid. Does anyone know the expected behavior?
Cheers,
Vítor.
2013/5/28 Ian Ward <ian at excess.org>
> This PR looks like you're letting users pass arbitrary object_type
> strings to an API which are then used to do an attribute lookup in the
> model module, and then you run code on the thing returned.
>
> Am I missing something? This seems really dangerous.
>
> On Tue, May 28, 2013 at 5:07 PM, Vitor Baptista <vitor at vitorbaptista.com>
> wrote:
> > Ping.
> >
> > Any feedback on this?
> >
> >
> > 2013/4/22 Toby Dacre <toby.okfn at gmail.com>
> >>
> >>
> >>
> >> On 15 April 2013 22:20, Toby Dacre <toby.okfn at gmail.com> wrote:
> >>>
> >>>
> >>>
> >>> On 15 April 2013 21:36, Vitor Baptista <vitor at vitorbaptista.com>
> wrote:
> >>>>
> >>>> Hi,
> >>>>
> >>>> Toby was reviewing a pull request I sent
> >>>> (https://github.com/okfn/ckan/pull/754/files#r3791087) and an
> interesting
> >>>> question came up. We thought that it would be better to start talking
> here
> >>>> instead of in the PR. The code is:
> >>>>
> >>>>> def model_name_to_class(model_name):
> >>>>>     try:
> >>>>>         model_class_name = model_name.title()
> >>>>>         return getattr(model, model_class_name)
> >>>>>     except AttributeError:
> >>>>>         raise ValidationError(_("%s isn't a valid model" %
> >>>>>                                 model_class_name))
> >>>>
> >>>> Basically, this method turns a string into a class. For example, if
> you
> >>>> call model_name_to_class('user'), you'd get ckan.model.User.
> >>>>
> >>>> Toby suggested that instead of using model (from "import ckan.model as
> >>>> model"), I should use context['model'], as they might be different
> somehow.
> >>>>
> >>>> Does someone understand when it might happen, and why?
> >>>>
> >>>
> >>> Just to add that this function is used in an action or auth function so
> >>> we were given context and data_dict
> >>>
> >>
> >>
> >> Some feedback on this issue would be good
> >>
> >> @kindly any views?
> >>
> >>
> >>>>
> >>>> Cheers,
> >>>> Vítor Baptista.
> >>>>
> >>>> _______________________________________________
> >>>> ckan-dev mailing list
> >>>> ckan-dev at lists.okfn.org
> >>>> http://lists.okfn.org/mailman/listinfo/ckan-dev
> >>>> Unsubscribe: http://lists.okfn.org/mailman/options/ckan-dev
> >>>>
> >>>
> >>
> >>
> >
> >
> >
> > --
> >
> > Vítor Baptista
> >
> > Developer | http://vitorbaptista.com | LinkedIn | @vitorbaptista
> >
> > The Open Knowledge Foundation
> >
> > Empowering through Open Knowledge
> >
> > http://okfn.org/ | @okfn | OKF on Facebook | Blog | Newsletter
> >
> >
>
--
Vítor Baptista
Developer | http://vitorbaptista.com |
LinkedIn<http://www.linkedin.com/in/vitorbaptista>|
@vitorbaptista <http://twitter.com/vitorbaptista>
The Open Knowledge Foundation <http://okfn.org>
*Empowering through Open Knowledge*
http://okfn.org/ | @okfn <http://twitter.com/okfn> | OKF on
Facebook<https://www.facebook.com/OKFNetwork> |
Blog <http://blog.okfn.org/> | Newsletter<http://okfn.org/about/newsletter/>
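The concern Ian raises in the thread, shown in runnable form as an added example (this is illustration code written for this page, not CKAN's own code). The `model` namespace, the `User`, `Group` and `Session` classes in it, the `ValidationError` class and the `MEMBER_OBJECT_TYPES` allow-list are all constructed stand-ins; CKAN's real `ckan.model`, `ValidationError` and `_()` translation helper are not used. The first function is the lookup as posted in the thread: whatever capitalised attribute the module happens to expose resolves, so the caller's `.get()` then runs on an object that was never meant to be a member type. The second function accepts only names from a fixed allow-list, and both take the model namespace as a parameter so an action function can pass `context['model']` rather than a module import.

```python
import types

# Constructed stand-in for the ``ckan.model`` namespace (not CKAN's real
# module). Two "real" model classes plus one capitalised non-model attribute,
# to show what an unrestricted getattr() over user input can reach.
class User:
    """Stand-in model class with the ``get`` classmethod the thread mentions."""
    @classmethod
    def get(cls, obj_id):
        return cls() if obj_id == "u1" else None


class Group:
    """Stand-in model class."""
    @classmethod
    def get(cls, obj_id):
        return cls() if obj_id == "g1" else None


class Session:
    """Stand-in for a capitalised object in the namespace that is NOT a model
    (hypothetical; it merely shows that any attribute is reachable)."""
    @classmethod
    def get(cls, obj_id):
        return "not a model row"


model = types.ModuleType("model")  # constructed, plays the role of ckan.model
model.User = User
model.Group = Group
model.Session = Session


class ValidationError(Exception):
    """Stand-in for CKAN's ValidationError (not the real class)."""


def model_name_to_class_unrestricted(model_name, model=model):
    """The lookup as posted in the thread: user input selects any attribute."""
    model_class_name = model_name.title()
    try:
        return getattr(model, model_class_name)
    except AttributeError:
        raise ValidationError("%s isn't a valid model" % model_class_name)


# Allow-list of obj_type values a member may legitimately refer to.
# Hypothetical: which types are really allowed is the thread's open question.
MEMBER_OBJECT_TYPES = {
    "user": "User",
    "group": "Group",
}


def model_name_to_class(model_name, model=model):
    """Hardened lookup: the user's string only picks a key of a fixed table,
    and the attribute name that reaches getattr() comes from that table."""
    try:
        class_name = MEMBER_OBJECT_TYPES[model_name.lower()]
    except (KeyError, AttributeError):  # unknown type, or not a string at all
        raise ValidationError("%r isn't a valid member object type" % (model_name,))
    return getattr(model, class_name)


def resolve_member_object(model_name, obj_id, model=model, lookup=model_name_to_class):
    """What an action function would do next: turn (obj_type, id) into a row,
    using the injected model namespace (the context['model'] pattern)."""
    cls = lookup(model_name, model)
    obj = cls.get(obj_id)
    if obj is None:
        raise ValidationError("no %s with id %r" % (model_name, obj_id))
    return obj


def accepted_by(lookup, model_name, model=model):
    """True if ``lookup`` resolves ``model_name`` instead of rejecting it."""
    try:
        lookup(model_name, model)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    # "session" is not a member type, yet the unrestricted lookup resolves it.
    print(accepted_by(model_name_to_class_unrestricted, "session"))  # True
    print(accepted_by(model_name_to_class, "session"))               # False
    print(type(resolve_member_object("user", "u1")).__name__)        # User
```

The difference is where the attribute name comes from: in the hardened version `getattr` only ever receives a value taken from the allow-list, so adding a new attribute to the model namespace can never widen what the API accepts. Validating `obj_type` against such a list in the action's schema would serve the same purpose.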