Custom input field names are not checked by backend #6

Open
wagner-intevation opened this issue Aug 21, 2024 · 0 comments

The frontend shows custom input fields according to the configuration parameter custom_input_fields. On validation and submission, the data is sent to the backend as a dict named custom, for example:

  "custom": {
    "custom_classification.type": "infected-system",
    "custom_extra.target_groups": [
      "Target group:Provider",
      "Target group:Government"
    ],
    "custom_classification.identifier": "test",
    "custom_feed.code": "oneshot",
    "custom_feed.name": "oneshot-csv",
    "custom_extra.template_prefix": "",
    "custom_source.fqdn": "example.com"
  }

The backend does not check if these field names are actually allowed; a user could add any fields.

As the users are generally trusted and the configuration parameter is more a help to the user than a restriction, this is not critical, but should be addressed at some point.
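
One way a backend could enforce the allow-list described in this issue, as an added example that is not the project's own code. It assumes `custom_input_fields` yields the configured field names without the `custom_` prefix seen in the sample payload; `validate_custom`, `CustomFieldError` and the sample data are hypothetical names constructed for illustration.

```python
"""Added example: allow-list check for the submitted ``custom`` dict."""

PREFIX = "custom_"  # prefix seen on the keys in the issue's sample payload


class CustomFieldError(ValueError):
    """Raised when the submitted ``custom`` data is not acceptable."""


def validate_custom(custom, custom_input_fields):
    """Return the submitted fields with the prefix stripped.

    ``custom_input_fields`` is assumed to be an iterable of configured field
    names without the prefix (a dict works too, its keys are used).
    All offending keys are collected so they can be reported in one response.
    """
    if not isinstance(custom, dict):
        raise CustomFieldError("'custom' must be an object")
    allowed = set(custom_input_fields)
    accepted, rejected = {}, []
    for key, value in custom.items():
        # A key is acceptable only if it carries the prefix AND the rest is configured.
        if isinstance(key, str) and key.startswith(PREFIX) and key[len(PREFIX):] in allowed:
            accepted[key[len(PREFIX):]] = value
        else:
            rejected.append(key)
    if rejected:
        names = ", ".join(sorted(repr(k) for k in rejected))
        raise CustomFieldError("fields not in custom_input_fields: " + names)
    return accepted


# Constructed sample configuration and payloads (not taken from the project).
SAMPLE_CONFIG = ["classification.type", "classification.identifier",
                 "feed.code", "feed.name", "source.fqdn"]
SAMPLE_OK = {"custom_classification.type": "infected-system",
             "custom_source.fqdn": "example.com"}
SAMPLE_BAD = {"custom_classification.type": "infected-system",
              "custom_source.ip": "192.0.2.1",  # not configured
              "extra.note": "x"}                # prefix missing

if __name__ == "__main__":
    print(validate_custom(SAMPLE_OK, SAMPLE_CONFIG))
    try:
        validate_custom(SAMPLE_BAD, SAMPLE_CONFIG)
    except CustomFieldError as exc:
        print("rejected:", exc)
```

Running the check in both the validation and the submission handler keeps the two code paths from disagreeing about which fields are accepted.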
