bugfix/#sonarcloud: Change this code to not perform redirects based on user-controlled data.

2026-02-06 14:56:47 +00:00 · 2021-02-17 13:05:30 +01:00 · 2021-02-17 13:05:30 +01:00 · 1b97cadc5c
commit 1b97cadc5c
parent 477a37131f
3 changed files with 11 additions and 7 deletions
--- a/apimanager/entitlementrequests/templates/entitlementrequests/index.html
+++ b/apimanager/entitlementrequests/templates/entitlementrequests/index.html
@ -43,7 +43,6 @@
 				<td>
 					<form action="{% url 'entitlement-request-delete' entitlementrequest.entitlement_request_id %}" method="post">
 						{% csrf_token %}
-						<input type="hidden" name="next" value="{{ request.path }}" />
 						<input type="hidden" name="role_name" value="{{ entitlementrequest.role_name }}" />
 						<button type="submit" class="btn btn-primary btn-sm btn-red">Reject</button>
 					</form>
@ -51,7 +50,6 @@
 				<td>
 					<form action="{% url 'entitlement-request-accept' entitlementrequest.user.user_id %}" method="post">
 						{% csrf_token %}
-						<input type="hidden" name="next" value="{{ request.path }}" />
 						<input type="hidden" name="entitlement_request_id" value="{{ entitlementrequest.entitlement_request_id }}" />
 						<input type="hidden" name="bank_id" value="{{ entitlementrequest.bank_id }}" />
 						<input type="hidden" name="role_name" value="{{ entitlementrequest.role_name }}" />
--- a/apimanager/entitlementrequests/views.py
+++ b/apimanager/entitlementrequests/views.py
@ -73,8 +73,7 @@ class RejectEntitlementRequest(LoginRequiredMixin, View):
        except:
            messages.error(self.request, "Unknown Error")

-        redirect_url = request.POST.get('next', reverse('entitlementrequests-index'))
-        return HttpResponseRedirect(redirect_url)
+        return HttpResponseRedirect(reverse('entitlementrequests-index'))


 class AcceptEntitlementRequest(LoginRequiredMixin, View):
@ -115,5 +114,4 @@ class AcceptEntitlementRequest(LoginRequiredMixin, View):
        except:
            messages.error(self.request, "Unknown Error")

-        redirect_url = request.POST.get('next', reverse('entitlementrequests-index'))
-        return HttpResponseRedirect(redirect_url)
+        return HttpResponseRedirect(reverse('entitlementrequests-index'))
--- a/apimanager/users/views.py
+++ b/apimanager/users/views.py
@ -276,5 +276,13 @@ class DeleteEntitlementView(LoginRequiredMixin, View):
        except:
            messages.error(self.request, 'Unknown Error')

-        redirect_url = request.POST.get('next', reverse('users-index'))
+        # from sonarcloud: Change this code to not perform redirects based on user-controlled data.    
+        redirect_url_from_gui = request.POST.get('next', reverse('users-index'))
+        if "/users/all/user_id/" in str(redirect_url_from_gui):
+            redirect_url = reverse('users-detail',kwargs={"user_id":kwargs['user_id']})
+        elif ("/users/myuser/user_id/" in str(redirect_url_from_gui)):
+            redirect_url = reverse('my-user-detail',kwargs={"user_id":kwargs['user_id']})
+        else:
+             redirect_url = redirect_url_from_gui
+        
        return HttpResponseRedirect(redirect_url)