Fix server-side XSS security warning

2024-01-01 18:22:36 +01:00 · 2024-01-01 18:22:36 +01:00 · 85b180c9fc
commit 85b180c9fc
parent 1066c1bde1
2 changed files with 20 additions and 7 deletions
--- a/src/documents/tests/test_api_profile.py
+++ b/src/documents/tests/test_api_profile.py
@ -136,9 +136,18 @@ class TestApiProfile(DirectoriesMixin, APITestCase):
        WHEN:
            - API call is made to disconnect a social account
        THEN:
-            - Social account is deleted from the user
+            - Social account is deleted from the user or request fails
        """

+        # Test with invalid id
+        response = self.client.post(
+            f"{self.ENDPOINT}disconnect_social_account/",
+            {"id": -1},
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+
+        # Test with valid id
        social_account_id = self.user.socialaccount_set.all()[0].pk

        response = self.client.post(
@ -147,7 +156,7 @@ class TestApiProfile(DirectoriesMixin, APITestCase):
        )

        self.assertEqual(response.status_code, status.HTTP_200_OK)
-        self.assertEqual(response.data, str(social_account_id))
+        self.assertEqual(response.data, social_account_id)

        self.assertEqual(
            len(self.user.socialaccount_set.filter(pk=social_account_id)),
--- a/src/paperless/views.py
+++ b/src/paperless/views.py
@ -2,11 +2,13 @@ import os
 from collections import OrderedDict

 from allauth.socialaccount.adapter import get_adapter
+from allauth.socialaccount.models import SocialAccount
 from django.contrib import messages
 from django.contrib.auth.models import Group
 from django.contrib.auth.models import User
 from django.db.models.functions import Lower
 from django.http import HttpResponse
+from django.http import HttpResponseBadRequest
 from django.views.generic import View
 from django_filters.rest_framework import DjangoFilterBackend
 from rest_framework.authtoken.models import Token
@ -183,11 +185,13 @@ class DisconnectSocialAccountView(GenericAPIView):
    def post(self, request, *args, **kwargs):
        user = self.request.user

-        user.socialaccount_set.get(pk=request.data["id"]).delete()
-
-        return Response(
-            request.data["id"],
-        )
+        try:
+            account = user.socialaccount_set.get(pk=request.data["id"])
+            account_id = account.id
+            account.delete()
+            return Response(account_id)
+        except SocialAccount.DoesNotExist:
+            return HttpResponseBadRequest("Social account not found")


 class SocialAccountProvidersView(APIView):