Parse input of search filters to prevent errors based on invalid regex, fixes #113

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>

apps/api/filters.py

@@ -0,0 +1,42 @@
+import re
+from functools import lru_cache
+
+from rest_framework.filters import SearchFilter
+
+
+class RegexSafeSearchFilter(SearchFilter):
+    @lru_cache
+    def validate_regex(self, search_term) -> bool:
+        try:
+            re.compile(search_term)
+            return True
+        except re.error:
+            return False
+
+    def get_search_fields(self, view, request):
+        """
+        Ensure that given regex are valid.
+        If not, we consider that the user is trying to search by substring.
+        """
+        search_fields = super().get_search_fields(view, request)
+        search_terms = self.get_search_terms(request)
+
+        for search_term in search_terms:
+            if not self.validate_regex(search_term):
+                # Invalid regex. We assume we don't query by regex but by substring.
+                search_fields = [f.replace('$', '') for f in search_fields]
+                break
+
+        return search_fields
+
+    def get_search_terms(self, request):
+        """
+        Ensure that search field is a valid regex query. If not, we remove extra characters.
+        """
+        terms = super().get_search_terms(request)
+        if not all(self.validate_regex(term) for term in terms):
+            # Invalid regex. If a ^ is prefixed to the search term, we remove it.
+            terms = [term[1:] if term[0] == '^' else term for term in terms]
+            # Same for dollars.
+            terms = [term[:-1] if term[-1] == '$' else term for term in terms]
+        return terms

apps/api/tests.py

@@ -12,11 +12,13 @@ from django.contrib.contenttypes.models import ContentType
 from django.db.models.fields.files import ImageFieldFile
 from django.test import TestCase
 from django_filters.rest_framework import DjangoFilterBackend
+from phonenumbers import PhoneNumber
+from rest_framework.filters import OrderingFilter
+
+from api.filters import RegexSafeSearchFilter
 from member.models import Membership, Club
 from note.models import NoteClub, NoteUser, Alias, Note
 from permission.models import PermissionMask, Permission, Role
-from phonenumbers import PhoneNumber
-from rest_framework.filters import SearchFilter, OrderingFilter
 
 from .viewsets import ContentTypeViewSet, UserViewSet
 
@@ -87,7 +89,7 @@ class TestAPI(TestCase):
                     resp = self.client.get(url + f"?ordering=-{field}")
                     self.assertEqual(resp.status_code, 200)
 
-            if SearchFilter in backends:
+            if RegexSafeSearchFilter in backends:
                 # Basic search
                 for field in viewset.search_fields:
                     obj = self.fix_note_object(obj, field)

apps/api/viewsets.py

@@ -6,11 +6,11 @@ from django_filters.rest_framework import DjangoFilterBackend
 from django.db.models import Q
 from django.conf import settings
 from django.contrib.auth.models import User
-from rest_framework.filters import SearchFilter
 from rest_framework.viewsets import ReadOnlyModelViewSet, ModelViewSet
 from permission.backends import PermissionBackend
 from note.models import Alias
 
+from .filters import RegexSafeSearchFilter
 from .serializers import UserSerializer, ContentTypeSerializer
 
 
@@ -107,6 +107,6 @@ class ContentTypeViewSet(ReadOnlyModelViewSet):
     """
     queryset = ContentType.objects.order_by('id')
     serializer_class = ContentTypeSerializer
-    filter_backends = [DjangoFilterBackend, SearchFilter]
+    filter_backends = [DjangoFilterBackend, RegexSafeSearchFilter]
     filterset_fields = ['id', 'app_label', 'model', ]
     search_fields = ['$app_label', '$model', ]