From 85b180c9fc7e774c0245001f1d09faa6577538e7 Mon Sep 17 00:00:00 2001
From: Moritz Pflanzer
Date: Mon, 1 Jan 2024 18:22:36 +0100
Subject: [PATCH] Fix server-side XSS security warning
---
 src/documents/tests/test_api_profile.py | 13 +++++++++++--
 src/paperless/views.py | 14 +++++++++-----
 2 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/src/documents/tests/test_api_profile.py b/src/documents/tests/test_api_profile.py
index 8b7dfb0e4..e591a1c53 100644
--- a/src/documents/tests/test_api_profile.py
+++ b/src/documents/tests/test_api_profile.py
@@ -136,9 +136,18 @@ class TestApiProfile(DirectoriesMixin, APITestCase):
 WHEN:
 - API call is made to disconnect a social account
 THEN:
- - Social account is deleted from the user
+ - Social account is deleted from the user or request fails
 """
+ # Test with invalid id
+ response = self.client.post(
+ f"{self.ENDPOINT}disconnect_social_account/",
+ {"id": -1},
+ )
+
+ self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+
+ # Test with valid id
 social_account_id = self.user.socialaccount_set.all()[0].pk
 response = self.client.post(
@@ -147,7 +156,7 @@ class TestApiProfile(DirectoriesMixin, APITestCase):
 )
 self.assertEqual(response.status_code, status.HTTP_200_OK)
- self.assertEqual(response.data, str(social_account_id))
+ self.assertEqual(response.data, social_account_id)
 self.assertEqual(
 len(self.user.socialaccount_set.filter(pk=social_account_id)),
diff --git a/src/paperless/views.py b/src/paperless/views.py
index bf9fa8b07..97018b36e 100644
--- a/src/paperless/views.py
+++ b/src/paperless/views.py
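Review bot: The new negative case only covers an id that exists for nobody (`{"id": -1}`), so it never exercises the per-user scoping of `user.socialaccount_set.get(...)` in the view, which is the actual authorization boundary; a second case that creates a social account for a different user and posts its pk should also expect `status.HTTP_400_BAD_REQUEST` and assert that account still exists afterwards. A request without an `id` key, `self.client.post(f"{self.ENDPOINT}disconnect_social_account/", {})`, is also worth a case, since the view reads `request.data["id"]` directly and the expected status should be pinned rather than left to whatever a KeyError produces. The docstring bullet `- Social account is deleted from the user or request fails` could name the failure condition, e.g. `- Social account is deleted from the user, or 400 is returned for an unknown id`. The test method's body continues past the hunk.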
@@ -2,11 +2,13 @@ import os
 from collections import OrderedDict
 from allauth.socialaccount.adapter import get_adapter
+from allauth.socialaccount.models import SocialAccount
 from django.contrib import messages
 from django.contrib.auth.models import Group
 from django.contrib.auth.models import User
 from django.db.models.functions import Lower
 from django.http import HttpResponse
+from django.http import HttpResponseBadRequest
 from django.views.generic import View
 from django_filters.rest_framework import DjangoFilterBackend
 from rest_framework.authtoken.models import Token
@@ -183,11 +185,13 @@ class DisconnectSocialAccountView(GenericAPIView):
 def post(self, request, *args, **kwargs):
 user = self.request.user
- user.socialaccount_set.get(pk=request.data["id"]).delete()
-
- return Response(
- request.data["id"],
- )
+ try:
+ account = user.socialaccount_set.get(pk=request.data["id"])
+ account_id = account.id
+ account.delete()
+ return Response(account_id)
+ except SocialAccount.DoesNotExist:
+ return HttpResponseBadRequest("Social account not found")
 class SocialAccountProvidersView(APIView):
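Review bot: The `except SocialAccount.DoesNotExist` branch only covers a well-formed id that matches nothing; a missing `id` key raises KeyError on the `request.data["id"]` lookup and a non-numeric value such as `"abc"` makes Django raise ValueError from the pk lookup, neither of which is a DRF APIException, so both still surface as 500s rather than the 400 the commit intends. Widening the clause to `except (KeyError, ValueError, TypeError, SocialAccount.DoesNotExist):` closes that, since the lookup already sits inside the `try`. Returning a plain `HttpResponseBadRequest` from a `GenericAPIView` also bypasses DRF's renderers and content negotiation (its body defaults to text/html while the success path renders through `Response`); `return Response({"error": "Social account not found"}, status=status.HTTP_400_BAD_REQUEST)` keeps both paths consistent, with `status` imported from `rest_framework`. Reading `account.id` from the fetched row before `delete()` instead of echoing `request.data["id"]` is the right fix for the reflected-input finding named in the subject, because the echoed value is now a database integer rather than client-supplied data. The enclosing class starts outside the hunk.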