From fd13f0a71d553a8e928a8cda3285e98e7de6d101 Mon Sep 17 00:00:00 2001
From: Dariusz Kedzierski <dkedzierski@syncad.com>
Date: Fri, 6 Nov 2020 22:32:57 +0100
Subject: [PATCH] Cast all follow name data to string. Should protect against setting non string data types as names in follower and following
---
 hive/indexer/follow.py | 14 ++++
 .../follow_op/mock_block_data_follow.json | 66 +++++++++++++++++++
 2 files changed, 80 insertions(+)
diff --git a/hive/indexer/follow.py b/hive/indexer/follow.py
index dfbe74258..f01028b1a 100644
--- a/hive/indexer/follow.py
+++ b/hive/indexer/follow.py
@@ -1,6 +1,11 @@
 """Handles follow operations."""
 import logging
+<<<<<<< HEAD
+=======
+from time import perf_counter as perf
+from json import dumps
+>>>>>>> Cast all follow name data to string. Should protect against setting non string data types as names in follower and following
 from funcy.seqs import first
 from hive.db.adapter import Db
@@ -82,6 +87,15 @@ class Follow(DbAdapterHolder):
             return None
         op['following'] = op['following'] if isinstance(op['following'], list) else [op['following']]
+
+        # additional layer of protection against putting complex data types as user names
+        as_str = []
+        for following in op['following']:
+            if isinstance(following, list) or isinstance(following, dict):
+                as_str.append(dumps(following))
+            else:
+                as_str.append(str(following))
+        op['following'] = as_str
         # mimic original behaviour
         # if following name does not exist do not process it: basically equal to drop op for single following entry
diff --git a/mock_data/block_data/follow_op/mock_block_data_follow.json b/mock_data/block_data/follow_op/mock_block_data_follow.json
index d2a753282..45dd18a6f 100644
--- a/mock_data/block_data/follow_op/mock_block_data_follow.json
+++ b/mock_data/block_data/follow_op/mock_block_data_follow.json
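Review bot: The first hunk commits unresolved merge-conflict markers — the added `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> Cast all follow name data to string…` lines — so `hive/indexer/follow.py` will raise a SyntaxError on import until they are removed. Keep only the two real import lines, `from time import perf_counter as perf` and `from json import dumps`; `dumps` is what the follow hunk below needs, while `perf` is not referenced in any visible hunk, so drop it unless code elsewhere in the module (outside this view) uses it.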
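Review bot: The new normalisation in the second hunk only rewrites `op['following']`, although the commit subject promises to cover `follower` too and the fixtures added in the same patch send `follower` as a dict (`{"tester1":"tester1"}`) and as a list (`["tester1"]`); unless `op['follower']` is type-checked elsewhere in this method (its start and end are outside the hunk), those cases carry a non-string name past this point. Stringifying is also a weaker guard than it looks: a dumped dict or `str(5)` can never be a real account name, so the cast only helps because the name-exists filter described by the `# mimic original behaviour` comment (outside the hunk) later drops it, and that presumably relies on every downstream lookup being parameterised. A more explicit form that does not depend on that is to keep only string entries, `op['following'] = [f for f in op['following'] if isinstance(f, str)]`, and to `return None` when `op['follower']` is not a `str`, mirroring the existing `return None` guard at the top of the hunk. If the cast is kept, `isinstance(following, (list, dict))` reads better than the two `isinstance` calls joined with `or`.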
@@ -453,6 +453,72 @@
         "id": "follow",
         "json": "[\"follow\",{\"follower\":\"tester1\",\"following\":[\"tester7\", \"<script>alert('hello world');</script>\"],\"what\":[\"blog\"]}]"
       }
+    },
+    {
+      "type": "custom_json_operation",
+      "value": {
+        "required_auths": [],
+        "required_posting_auths": [
+          "{\"tester1\":\"tester1\"}"
+        ],
+        "id": "follow",
+        "json": "[\"follow\",{\"follower\":{\"tester1\":\"tester1\"},\"following\":{\"tester3\":\"tester4\"},\"what\":[\"blog\"]}]"
+      }
+    },
+    {
+      "type": "custom_json_operation",
+      "value": {
+        "required_auths": [],
+        "required_posting_auths": [
+          "tester1"
+        ],
+        "id": "follow",
+        "json": "[\"follow\",{\"follower\":\"tester1\",\"following\":{\"tester3\":\"tester4\"},\"what\":[\"blog\"]}]"
+      }
+    },
+    {
+      "type": "custom_json_operation",
+      "value": {
+        "required_auths": [],
+        "required_posting_auths": [
+          "tester1"
+        ],
+        "id": "follow",
+        "json": "[\"follow\",{\"follower\":\"tester1\",\"following\":[\"tester3\", [\"tester4\"]],\"what\":[\"blog\"]}]"
+      }
+    },
+    {
+      "type": "custom_json_operation",
+      "value": {
+        "required_auths": [],
+        "required_posting_auths": [
+          "tester1"
+        ],
+        "id": "follow",
+        "json": "[\"follow\",{\"follower\":[\"tester1\"],\"following\":[\"tester3\", [\"tester4\"]],\"what\":[\"blog\"]}]"
+      }
+    },
+    {
+      "type": "custom_json_operation",
+      "value": {
+        "required_auths": [],
+        "required_posting_auths": [
+          "[\"tester1\"]"
+        ],
+        "id": "follow",
+        "json": "[\"follow\",{\"follower\":[\"tester1\"],\"following\":[\"tester3\", {\"tester4\":\"tester5\"}],\"what\":[\"blog\"]}]"
+      }
+    },
+    {
+      "type": "custom_json_operation",
+      "value": {
+        "required_auths": [],
+        "required_posting_auths": [
+          "tester1"
+        ],
+        "id": "follow",
+        "json": "[\"follow\",{\"follower\":\"tester1\",\"following\":[\"tester3\", {\"tester4\":\"tester5\"}],\"what\":[\"blog\"]}]"
+      }
     }
   ]
 }
-- 
GitLab