Parse input of search filters to prevent errors based on invalid regex, fixes #113

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
2025-06-21 01:48:21 +02:00 · 2022-03-10 16:11:01 +01:00
parent b8f81048a5
commit 1a258dfe9e
10 changed files with 93 additions and 38 deletions
--- a/apps/wei/api/views.py
+++ b/apps/wei/api/views.py
@ -2,7 +2,9 @@
 # SPDX-License-Identifier: GPL-3.0-or-later

 from django_filters.rest_framework import DjangoFilterBackend
-from rest_framework.filters import OrderingFilter, SearchFilter
+from rest_framework.filters import OrderingFilter
+
+from api.filters import RegexSafeSearchFilter
 from api.viewsets import ReadProtectedModelViewSet

 from .serializers import WEIClubSerializer, BusSerializer, BusTeamSerializer, WEIRoleSerializer, \
@ -18,7 +20,7 @@ class WEIClubViewSet(ReadProtectedModelViewSet):
    """
    queryset = WEIClub.objects.order_by('id')
    serializer_class = WEIClubSerializer
-    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filter_backends = [DjangoFilterBackend, RegexSafeSearchFilter]
    filterset_fields = ['name', 'year', 'date_start', 'date_end', 'email', 'note__alias__name',
                        'note__alias__normalized_name', 'parent_club', 'parent_club__name', 'require_memberships',
                        'membership_fee_paid', 'membership_fee_unpaid', 'membership_duration', 'membership_start',
@ -34,7 +36,7 @@ class BusViewSet(ReadProtectedModelViewSet):
    """
    queryset = Bus.objects.order_by('id')
    serializer_class = BusSerializer
-    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filter_backends = [DjangoFilterBackend, RegexSafeSearchFilter]
    filterset_fields = ['name', 'wei', 'description', ]
    search_fields = ['$name', '$wei__name', '$description', ]

@ -47,7 +49,7 @@ class BusTeamViewSet(ReadProtectedModelViewSet):
    """
    queryset = BusTeam.objects.order_by('id')
    serializer_class = BusTeamSerializer
-    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filter_backends = [DjangoFilterBackend, RegexSafeSearchFilter]
    filterset_fields = ['name', 'bus', 'color', 'description', 'bus__wei', ]
    search_fields = ['$name', '$bus__name', '$bus__wei__name', '$description', ]

@ -60,7 +62,7 @@ class WEIRoleViewSet(ReadProtectedModelViewSet):
    """
    queryset = WEIRole.objects.order_by('id')
    serializer_class = WEIRoleSerializer
-    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filter_backends = [DjangoFilterBackend, RegexSafeSearchFilter]
    filterset_fields = ['name', 'permissions', 'memberships', ]
    search_fields = ['$name', ]

@ -73,7 +75,7 @@ class WEIRegistrationViewSet(ReadProtectedModelViewSet):
    """
    queryset = WEIRegistration.objects.order_by('id')
    serializer_class = WEIRegistrationSerializer
-    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filter_backends = [DjangoFilterBackend, RegexSafeSearchFilter]
    filterset_fields = ['user', 'user__username', 'user__first_name', 'user__last_name', 'user__email',
                        'user__note__alias__name', 'user__note__alias__normalized_name', 'wei', 'wei__name',
                        'wei__email', 'wei__year', 'soge_credit', 'caution_check', 'birth_date', 'gender',
@ -92,7 +94,7 @@ class WEIMembershipViewSet(ReadProtectedModelViewSet):
    """
    queryset = WEIMembership.objects.order_by('id')
    serializer_class = WEIMembershipSerializer
-    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
+    filter_backends = [DjangoFilterBackend, OrderingFilter, RegexSafeSearchFilter]
    filterset_fields = ['club__name', 'club__email', 'club__note__alias__name',
                        'club__note__alias__normalized_name', 'user__username', 'user__last_name',
                        'user__first_name', 'user__email', 'user__note__alias__name',