From 96546af95f524fff0a48dbaea86d4b2dd3e4c3d6 Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Sun, 1 Sep 2024 17:29:26 -0700
Subject: [PATCH] Remove opt-in fields

---
 docs/api.md | 16 --------
 ...custom-fields-lookup-dropdown.component.ts | 2 +-
 src/documents/filters.py | 39 -------------------
 src/paperless/settings.py | 4 --
 4 files changed, 1 insertion(+), 60 deletions(-)

diff --git a/docs/api.md b/docs/api.md
index 057ccaedb..2db23b477 100644
--- a/docs/api.md
+++ b/docs/api.md
@@ -319,22 +319,6 @@ including `gt` (>), `gte` (>=), `lt` (<), `lte` (<=), and `range`.
 Lastly, document link fields support a `contains` operator that behaves like a
 "is superset of" check.
 
-!!! warning
-
-    It is possible to do case-insensitive exact match (i.e., `iexact`) and
-    case-sensitive substring match (i.e., `contains`, `startswith`,
-    `endswith`) for string, URL, and monetary fields, but
-    [they may not work as expected on some database backends](https://docs.djangoproject.com/en/5.1/ref/databases/#substring-matching-and-case-sensitivity).
-
-    It is also possible to use regular expressions to match string, URL, and
-    monetary fields, but the syntax is database-dependent, and accepting
-    regular expressions from untrusted sources could make your instance
-    vulnerable to regular expression denial of service attacks.
-
-    For these reasons the above expressions are disabled by default.
-    If you understand the implications, you may enable them by uncommenting
-    `PAPERLESS_CUSTOM_FIELD_LOOKUP_OPT_IN` in your configuration file.
-
 ### `/api/search/autocomplete/`
 
 Get auto completions for a partial search term.
diff --git a/src-ui/src/app/components/common/custom-fields-lookup-dropdown/custom-fields-lookup-dropdown.component.ts b/src-ui/src/app/components/common/custom-fields-lookup-dropdown/custom-fields-lookup-dropdown.component.ts
index 229e59111..9af356aa8 100644
--- a/src-ui/src/app/components/common/custom-fields-lookup-dropdown/custom-fields-lookup-dropdown.component.ts
+++ b/src-ui/src/app/components/common/custom-fields-lookup-dropdown/custom-fields-lookup-dropdown.component.ts
@@ -152,7 +152,7 @@ export class CustomFieldsLookupDropdownComponent {
   }
 
   getOperatorsForField(field: CustomField): string[] {
-    return ['exact', 'in', 'isnull', 'exists']
+    return ['exact', 'in', 'icontains', 'isnull', 'exists']
     // TODO: implement this
   }
 }
diff --git a/src/documents/filters.py b/src/documents/filters.py
index 5288bd45c..d2232485a 100644
--- a/src/documents/filters.py
+++ b/src/documents/filters.py
@@ -239,15 +239,9 @@ class CustomFieldLookupParser:
     EXPR_BY_CATEGORY = {
         "basic": ["exact", "in", "isnull", "exists"],
         "string": [
-            "iexact",
-            "contains",
             "icontains",
-            "startswith",
             "istartswith",
-            "endswith",
             "iendswith",
-            "regex",
-            "iregex",
         ],
         "arithmetic": [
             "gt",
@@ -259,23 +253,6 @@ class CustomFieldLookupParser:
         "containment": ["contains"],
     }
 
-    # These string lookup expressions are problematic. We shall disable
-    # them by default unless the user explicitly opts in.
-    STR_EXPR_DISABLED_BY_DEFAULT = [
-        # SQLite: is case-sensitive outside the ASCII range
-        "iexact",
-        # SQLite: behaves the same as icontains
-        "contains",
-        # SQLite: behaves the same as istartswith
-        "startswith",
-        # SQLite: behaves the same as iendswith
-        "endswith",
-        # Syntax depends on database backends, can be exploited for ReDoS
-        "regex",
-        # Syntax depends on database backends, can be exploited for ReDoS
-        "iregex",
-    ]
-
     SUPPORTED_EXPR_CATEGORIES = {
         CustomField.FieldDataType.STRING: ("basic", "string"),
         CustomField.FieldDataType.URL: ("basic", "string"),
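Review bot: `getOperatorsForField` in custom-fields-lookup-dropdown.component.ts still ignores its `field` argument, so the newly added `'icontains'` is offered for every field type, while the filters.py hunk shows the backend applies the `"string"` lookup category only to the data types listed in `SUPPORTED_EXPR_CATEGORIES` (STRING and URL are visible; other types are outside the hunk). Selecting `icontains` on a non-string field would presumably be rejected server-side with a validation error instead of being prevented in the UI. The `// TODO: implement this` comment already marks the gap; it would be more useful spelled out as `// TODO: derive the list from the field's data type; 'icontains' is only accepted for string-like fields server-side`. The enclosing class starts outside the hunk.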
@@ -495,22 +472,6 @@ class CustomFieldLookupParser:
         # Check if the operator is supported for the current data_type.
         supported = False
         for category in self.SUPPORTED_EXPR_CATEGORIES[custom_field.data_type]:
-            if (
-                category == "string"
-                and op in self.STR_EXPR_DISABLED_BY_DEFAULT
-                and op not in settings.CUSTOM_FIELD_LOOKUP_OPT_IN
-            ):
-                raise serializers.ValidationError(
-                    [
-                        _(
-                            "{expr!r} is disabled by default because it does not "
-                            "behave consistently across database backends, or can "
-                            "cause security risks. If you understand the implications "
-                            "you may enabled it by adding it to "
-                            "`PAPERLESS_CUSTOM_FIELD_LOOKUP_OPT_IN`.",
-                        ).format(expr=op),
-                    ],
-                )
             if op in self.EXPR_BY_CATEGORY[category]:
                 supported = True
                 break
diff --git a/src/paperless/settings.py b/src/paperless/settings.py
index 851fe6217..2e2306e2a 100644
--- a/src/paperless/settings.py
+++ b/src/paperless/settings.py
@@ -1200,10 +1200,6 @@ EMPTY_TRASH_DELAY = max(__get_int("PAPERLESS_EMPTY_TRASH_DELAY", 30), 1)
 # custom_field_lookup Filter Settings
 # ###############################################################################
 
-CUSTOM_FIELD_LOOKUP_OPT_IN = __get_list(
-    "PAPERLESS_CUSTOM_FIELD_LOOKUP_OPT_IN",
-    default=[],
-)
 CUSTOM_FIELD_LOOKUP_MAX_DEPTH = __get_int(
     "PAPERLESS_CUSTOM_FIELD_LOOKUP_MAX_DEPTH",
     default=10,
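Review bot: With the opt-in gate gone, the `if op in self.EXPR_BY_CATEGORY[category]` membership test in the filters.py `@@ -495` hunk is now the only thing keeping `regex`, `iregex`, `contains`, `startswith`, `endswith` and `iexact` away from the ORM, and nothing left at this site says so. The removed code and the removed docs warning carried the reasoning (ReDoS exposure and backend-dependent semantics); a later "add a lookup" edit to `EXPR_BY_CATEGORY` could reintroduce it without anyone noticing. I would keep that rationale as a comment above the loop, e.g. `# EXPR_BY_CATEGORY is the allowlist of lookups reachable from query input; regex/iregex and the case-sensitive variants were removed deliberately (ReDoS, backend-dependent behaviour) - do not re-add without review.`, and a one-line equivalent on `EXPR_BY_CATEGORY` itself in the first filters.py hunk. The enclosing method starts and ends outside the hunk.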