[ckan-dev] model VS context['model']

Toby Dacre toby.okfn at gmail.com
Wed May 29 00:09:23 UTC 2013


On 29 May 2013 00:12, Ian Ward <ian at excess.org> wrote:
> This PR looks like you're letting users pass arbitrary object_type
> strings to an API which are then used to do an attribute lookup in the
> model module, and then you run code on the thing returned.
>
> Am I missing something?  This seems really dangerous.
>

It's not very pretty but I don't think the PR is too insecure.  I
don't see how I can exploit this.  We could tie down the allowed
objects a bit more, but we sort of indirectly do that via `title()`;
on the model we get back we only call `get()` and then obj.id, from
what I see.

So I don't think there is much danger.  Please prove me wrong.




> On Tue, May 28, 2013 at 5:07 PM, Vitor Baptista <vitor at vitorbaptista.com> wrote:
>> Ping.
>>
>> Any feedback on this?
>>
>>
>> 2013/4/22 Toby Dacre <toby.okfn at gmail.com>
>>>
>>> On 15 April 2013 22:20, Toby Dacre <toby.okfn at gmail.com> wrote:
>>>>
>>>> On 15 April 2013 21:36, Vitor Baptista <vitor at vitorbaptista.com> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> Toby was reviewing a pull request I sent
>>>>> (https://github.com/okfn/ckan/pull/754/files#r3791087) and an interesting
>>>>> question came up. We thought that it would be better to start talking here
>>>>> instead of in the PR. The code is:
>>>>>
>>>>>>
>>>>>> def model_name_to_class(model_name):
>>>>>>     try:
>>>>>>         model_class_name = model_name.title()
>>>>>>         return getattr(model, model_class_name)
>>>>>>     except AttributeError:
>>>>>>         raise ValidationError(_("%s isn't a valid model" %
>>>>>> model_class_name))
>>>>>
>>>>> Basically, this method turns a string into a class. For example, if you
>>>>> call model_name_to_class('user'), you'd get ckan.model.User.
>>>>>
>>>>> Toby suggested that instead of using model (from "import ckan.model as
>>>>> model"), I should use context['model'], as they might be different somehow.
>>>>>
>>>>> Does someone understand when it might happen, and why?
>>>>>
>>>>
>>>> Just to add that this function is used in an action or auth function so
>>>> we were given context and data_dict
>>>>
>>>
>>>
>>> Some feedback on this issue would be good
>>>
>>> @kindly any views?
>>>
>>>
>>>>>
>>>>> Cheers,
>>>>> Vítor Baptista.
>>>>>
>>>>> _______________________________________________
>>>>> ckan-dev mailing list
>>>>> ckan-dev at lists.okfn.org
>>>>> http://lists.okfn.org/mailman/listinfo/ckan-dev
>>>>> Unsubscribe: http://lists.okfn.org/mailman/options/ckan-dev
>>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>> --
>>
>> Vítor Baptista
>>
>> Developer  |  http://vitorbaptista.com | LinkedIn | @vitorbaptista
>>
>> The Open Knowledge Foundation
>>
>> Empowering through Open Knowledge
>>
>> http://okfn.org/  |  @okfn  |  OKF on Facebook  |  Blog  |  Newsletter
>>
>>
>>
>



-- 
Toby Dacre

The Open Knowledge Foundation

Empowering through Open Knowledge
http://okfn.org/  |  @okfn
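As an added example (not code from the PR, from CKAN, or from anyone in this thread), the lookup as written beside an allowlisted variant, run over a constructed stand-in for `ckan.model`; `ValidationError`, `User` and `Session` here are assumptions, not CKAN's real definitions:

```python
import types


class ValidationError(Exception):
    """Stand-in for ckan.logic.ValidationError (assumed name)."""


class User:
    """Minimal stand-in for ckan.model.User: only get() and id are used."""
    id = "user-1"

    @classmethod
    def get(cls, reference):
        return cls() if reference == "alice" else None


# Constructed stand-in for `import ckan.model as model`; like any module it
# also carries attributes that are not model classes (`Session` here).
fake_model = types.SimpleNamespace(User=User, Session="not a model class")


def model_name_to_class(model_name, model=fake_model):
    """The PR's approach: whatever attribute title() names is returned."""
    try:
        model_class_name = model_name.title()
        return getattr(model, model_class_name)
    except AttributeError:
        # The PR formats model_class_name here; it is unbound when .title()
        # itself raised (non-string input), so the input is used instead.
        raise ValidationError("%s isn't a valid model" % model_name)


# Hardened variant: an explicit allowlist, so only model classes resolve.
ALLOWED_MODELS = {"user": User}


def model_name_to_class_allowlisted(model_name):
    try:
        return ALLOWED_MODELS[model_name.lower()]
    except (KeyError, AttributeError):
        raise ValidationError("%s isn't a valid model" % model_name)


def rejects(lookup, model_name):
    try:
        lookup(model_name)
    except ValidationError:
        return True
    return False
```

With the module lookup, `"session"` resolves to a non-class attribute that later fails at `.get()`; with the allowlist, it is refused at validation time, which is the check a caller of an action or auth function wants.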