Issue 113 security issue fix (#114)

* fix issue #113 explicitly add success response when editing a group has been successful * fix issue #113 - fix security issues related to libraries: Django 1.11 and Django rest framework * adding a try catch statement when saving data to the database using forms. if it silently fails, when we know there is an error in the database that is not caught by django form.save function * fixing typo
chop-dbhi · Apr 8, 2020 · 62f26cb · 62f26cb
1 parent 46d1ca2
commit 62f26cb
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 9 deletions.
diff --git a/ehb_service/apps/api/helpers.py b/ehb_service/apps/api/helpers.py
@@ -93,13 +93,21 @@ def jsonErrors(formerrors):
 
     @staticmethod
     def processFormJsonResponse(form, response, valid_dict=None, invalid_dict=None, keys_from_response_dict=None):
+        form_save_success = False
 
         if form.is_valid():
-            m = form.save()
-            created = None
-            modified = None
-            isCreatedModified = False
-
+            try:
+                m = form.save()
+                created = None
+                modified = None
+                isCreatedModified = False
+                form_save_success = True
+            except:
+                log.error('There was an error with the database. Check the database logs for more info')
+                response_dict = {"success": False, "errors": "There was an error with the database"}
+                form_save_success = False
+
+        if (form.is_valid() and form_save_success):
             for c in type(m).__bases__:
                 if c.__name__ == 'CreatedModified':
                     isCreatedModified = True
@@ -142,8 +150,8 @@ def processFormJsonResponse(form, response, valid_dict=None, invalid_dict=None,
             if keys_from_response_dict:
                 for key in keys_from_response_dict:
                     response_dict[key] = m.__dict__.get(key)
-        else:
 
+        elif not form.is_valid():
             log.error('Error in form validation')
             response_dict = {"success": False, "errors": FormHelpers.jsonErrors(form.errors)}
             if invalid_dict:

diff --git a/ehb_service/apps/api/views/group.py b/ehb_service/apps/api/views/group.py
@@ -271,7 +271,7 @@ def put(self, request):
                     grp = Group.objects.get(pk=rd.get('id'))
                     rd['ehb_key'] = grp.ehb_key.key
                 else:
-                    return Response
+                    return Response({"success": True})
             except Group.DoesNotExist:
                 log.error("Unable to update group. Group does not exist.")
                 response.append(

diff --git a/requirements.txt b/requirements.txt
@@ -5,9 +5,9 @@
 #     pip install -U -r requirements.txt
 
 # Core requirements
-Django==1.11.16
+Django>=1.11.27,<1.12
 django-environ==0.4.1
-djangorestframework==3.8.2
+djangorestframework>=3.9.1,<3.10
 tzlocal==1.5.1
 uWSGI
 # Database bindings - uncomment any of the below libraries depending on the