Security: check channel ownership when setting check's channels via API

2020-02-19 12:19:51 +02:00 · 2020-02-19 12:19:51 +02:00 · fb527e4ed8
commit fb527e4ed8
parent 435659166c
3 changed files with 15 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -11,6 +11,7 @@ All notable changes to this project will be documented in this file.
 - The "render_docs" command checks if markdown and pygments is installed (#329)
 - The team size limit is applied to the n. of distinct users across all projects (#332)
 - Don't let SuspiciousOperation bubble up when validating channel ids in API
+- Security: check channel ownership when setting check's channels via API

 ## v1.13.0 - 2020-02-13

--- a/hc/api/tests/test_update_check.py
+++ b/hc/api/tests/test_update_check.py
@ -157,6 +157,18 @@ class UpdateCheckTestCase(BaseTestCase):
        self.check.refresh_from_db()
        self.assertEqual(self.check.channel_set.count(), 0)

+    def test_it_rejects_channel_from_another_project(self):
+        charlies_channel = Channel.objects.create(project=self.charlies_project)
+
+        code = str(charlies_channel.code)
+        r = self.post(self.check.code, {"api_key": "X" * 32, "channels": code})
+
+        self.assertEqual(r.status_code, 400)
+        self.assertEqual(r.json()["error"], "invalid channel identifier: " + code)
+
+        self.check.refresh_from_db()
+        self.assertEqual(self.check.channel_set.count(), 0)
+
    def test_it_rejects_non_uuid_channel_code(self):
        r = self.post(self.check.code, {"api_key": "X" * 32, "channels": "foo"})

--- a/hc/api/views.py
+++ b/hc/api/views.py
@ -100,6 +100,7 @@ def _update(check, spec):
            check.channel_set.clear()
        else:
            channels = []
+            channel_query = Channel.objects.filter(project=check.project)
            for chunk in spec["channels"].split(","):
                try:
                    chunk = uuid.UUID(chunk)
@ -107,8 +108,7 @@ def _update(check, spec):
                    raise BadChannelException("invalid channel identifier: %s" % chunk)

                try:
-                    channel = Channel.objects.get(code=chunk)
-                    channels.append(channel)
+                    channels.append(channel_query.get(code=chunk))
                except Channel.DoesNotExist:
                    raise BadChannelException("invalid channel identifier: %s" % chunk)