misc: reject autocomplete requests to empty URL (#40378)

2020-03-03 14:18:58 +01:00 · 2020-03-03 14:18:58 +01:00 · ec3370d6c7
parent 9e11f47074
commit ec3370d6c7
2 changed files with 22 additions and 0 deletions
--- a/tests/test_form_pages.py
+++ b/tests/test_form_pages.py
@ -5746,6 +5746,26 @@ remote.example.net = 1234
    resp = resp.form.submit('submit') # -> submit
    assert formdef.data_class().select()[0].data['0'] is None

+    # check there's no crash if url is empty
+    data_source.data_source = {'type': 'json', 'value': '{% if 0 %}http://remote.example.net/json{% endif %}'}
+    data_source.store()
+
+    app = get_app(pub)
+    with mock.patch('wcs.qommon.misc.urlopen') as urlopen:
+        data = {'data': [{'id': '1', 'text': 'hello', 'extra': 'foo'},
+                         {'id': '2', 'text': 'world', 'extra': 'bar'}]}
+        urlopen.side_effect = lambda *args: StringIO(json.dumps(data))
+        resp = app.get('/test/')
+        assert urlopen.call_count == 0
+        pq = resp.pyquery.remove_namespaces()
+        select2_url = pq('select').attr['data-select2-url']
+
+    with mock.patch('wcs.qommon.misc.urlopen') as urlopen:
+        data = {'data': [{'id': '1', 'text': 'hello', 'extra': 'foo'}]}
+        urlopen.side_effect = lambda *args: StringIO(json.dumps(data))
+        resp2 = app.get(select2_url + '?q=hell', status=403)
+        assert urlopen.call_count == 0
+

 def test_item_field_autocomplete_jsonp_source(http_requests, pub):
    user = create_user(pub)
--- a/wcs/data_sources.py
+++ b/wcs/data_sources.py
@ -340,6 +340,8 @@ class NamedDataSource(XmlStorableObject):
        if Template.is_template_string(url):
            vars = get_publisher().substitutions.get_context_variables(mode='lazy')
            url = get_variadic_url(url, vars)
+        if not url:
+            return ''
        if not '?' in url:
            url += '?' + self.query_parameter + '='
        else: