Sanitize User Input for Services and Credentials (#419)

Sanitize User Input for Services and Credentials Also use latest pynamodb notation for querying based on a condition.
lyft · Feb 29, 2024 · b27ea00 · b27ea00
1 parent d3c8239
commit b27ea00
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 16 deletions.
diff --git a/confidant/routes/blind_credentials.py b/confidant/routes/blind_credentials.py
@@ -188,7 +188,9 @@ def create_blind_credential():
     if not isinstance(data.get('metadata', {}), dict):
         return jsonify({'error': 'metadata must be a dict'}), 400
     for cred in BlindCredential.data_type_date_index.query(
-            'blind-credential', name__eq=data['name']):
+            'blind-credential',
+            filter_condition=BlindCredential.name == data['name']
+    ):
         # Conflict, the name already exists
         msg = 'Name already exists. See id: {0}'.format(cred.id)
         return jsonify({'error': msg, 'reference': cred.id}), 409
@@ -210,7 +212,7 @@ def create_blind_credential():
         cipher_version=data['cipher_version'],
         modified_by=authnz.get_logged_in_user(),
         documentation=data.get('documentation')
-    ).save(id__null=True)
+    ).save()
     # Make this the current revision
     cred = BlindCredential(
         id=id,
@@ -344,7 +346,7 @@ def update_blind_credential(id):
             cipher_version=update['cipher_version'],
             modified_by=authnz.get_logged_in_user(),
             documentation=update['documentation']
-        ).save(id__null=True)
+        ).save()
     except PutError as e:
         logger.error(e)
         return jsonify(
@@ -454,7 +456,7 @@ def revert_blind_credential_to_revision(id, to_revision):
             cipher_version=revert_credential.cipher_version,
             modified_by=authnz.get_logged_in_user(),
             documentation=revert_credential.documentation
-        ).save(id__null=True)
+        ).save()
     except PutError as e:
         logger.error(e)
         return jsonify(

diff --git a/confidant/routes/credentials.py b/confidant/routes/credentials.py
@@ -4,7 +4,7 @@
 import re
 import uuid
 
-from flask import blueprints, jsonify, request
+from flask import blueprints, escape, jsonify, request
 from pynamodb.exceptions import DoesNotExist, PutError
 
 from confidant import authnz, clients, settings
@@ -616,23 +616,28 @@ def create_credential():
     if not _check:
         return jsonify(ret), 400
     for cred in Credential.data_type_date_index.query(
-            'credential', name__eq=data['name']):
+            'credential', filter_condition=Credential.name == data['name']):
         # Conflict, the name already exists
         msg = 'Name already exists. See id: {0}'.format(cred.id)
         return jsonify({'error': msg, 'reference': cred.id}), 409
     # Generate an initial stable ID to allow name changes
     id = str(uuid.uuid4()).replace('-', '')
     # Try to save to the archive
     revision = 1
+    for key, value in credential_pairs.items():
+        value = escape(value)
+        credential_pairs[key] = value
     credential_pairs = json.dumps(credential_pairs)
     data_key = keymanager.create_datakey(encryption_context={'id': id})
     cipher = CipherManager(data_key['plaintext'], version=2)
     credential_pairs = cipher.encrypt(credential_pairs)
     last_rotation_date = misc.utcnow()
+
+    sanitized_name = escape(data['name'])
     cred = Credential(
         id='{0}-{1}'.format(id, revision),
         data_type='archive-credential',
-        name=data['name'],
+        name=sanitized_name,
         credential_pairs=credential_pairs,
         metadata=data.get('metadata'),
         revision=revision,
@@ -643,12 +648,12 @@ def create_credential():
         documentation=data.get('documentation'),
         tags=data.get('tags', []),
         last_rotation_date=last_rotation_date,
-    ).save(id__null=True)
+    ).save()
     # Make this the current revision
     cred = Credential(
         id=id,
         data_type='credential',
-        name=data['name'],
+        name=sanitized_name,
         credential_pairs=credential_pairs,
         metadata=data.get('metadata'),
         revision=revision,
@@ -882,7 +887,7 @@ def update_credential(id):
             documentation=update['documentation'],
             tags=update['tags'],
             last_rotation_date=update['last_rotation_date'],
-        ).save(id__null=True)
+        ).save()
     except PutError as e:
         logger.error(e)
         return jsonify({'error': 'Failed to add credential to archive.'}), 500
@@ -1056,7 +1061,7 @@ def revert_credential_to_revision(id, to_revision):
             documentation=revert_credential.documentation,
             tags=revert_credential.tags,
             last_rotation_date=revert_credential.last_rotation_date,
-        ).save(id__null=True)
+        ).save()
     except PutError as e:
         logger.error(e)
         return jsonify({'error': 'Failed to add credential to archive.'}), 500

diff --git a/confidant/routes/services.py b/confidant/routes/services.py
@@ -1,6 +1,6 @@
 import logging
 
-from flask import blueprints, jsonify, request
+from flask import blueprints, escape, jsonify, request
 from pynamodb.exceptions import DoesNotExist, PutError
 
 from confidant import authnz, settings
@@ -640,24 +640,29 @@ def map_service_credentials(id):
     # credential IDs.
     filtered_credential_ids = [cred.id for cred in credentials]
     # Try to save to the archive
+
+    if _service:
+        service_id = _service.id
+    else:
+        service_id = escape(id)
     try:
         Service(
-            id='{0}-{1}'.format(id, revision),
+            id='{0}-{1}'.format(service_id, revision),
             data_type='archive-service',
             credentials=filtered_credential_ids,
             blind_credentials=data.get('blind_credentials'),
             account=data.get('account'),
             enabled=data.get('enabled'),
             revision=revision,
             modified_by=authnz.get_logged_in_user()
-        ).save(id__null=True)
+        ).save()
     except PutError as e:
         logger.error(e)
         return jsonify({'error': 'Failed to add service to archive.'}), 500
 
     try:
         service = Service(
-            id=id,
+            id=service_id,
             data_type='service',
             credentials=filtered_credential_ids,
             blind_credentials=data.get('blind_credentials'),
@@ -811,7 +816,7 @@ def revert_service_to_revision(id, to_revision):
             enabled=revert_service.enabled,
             revision=new_revision,
             modified_by=authnz.get_logged_in_user()
-        ).save(id__null=True)
+        ).save()
     except PutError as e:
         logger.error(e)
         return jsonify({'error': 'Failed to add service to archive.'}), 500