Custom input field names are not checked by backend #6

Open
wagner-intevation opened this issue Aug 21, 2024 · 0 comments
@wagner-intevation
Member

The frontend shows custom input fields according to the configuration parameter custom_input_fields. On validation and submission, the data is sent to the backend as a dict named custom, for example:

  "custom": {
    "custom_classification.type": "infected-system",
    "custom_extra.target_groups": [
      "Target group:Provider",
      "Target group:Government"
    ],
    "custom_classification.identifier": "test",
    "custom_feed.code": "oneshot",
    "custom_feed.name": "oneshot-csv",
    "custom_extra.template_prefix": "",
    "custom_source.fqdn": "example.com"
  }

The backend does not check if these field names are actually allowed; a user could add any fields.

As the users are generally trusted and the configuration parameter is more a help to the user than a restriction, this is not critical, but should be addressed at some point.
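
One way such a backend check could look, as an added example that is not code from the project or from the issue author. It assumes that custom_input_fields can be iterated to obtain the configured field names and that the frontend prepends `custom_` to each name, as in the payload above; the function, class and constant names are hypothetical.

```python
# Added example: server-side allowlist check for the "custom" dict.
# Assumptions (not from the project): all names below, the "custom_" prefix
# handling, and custom_input_fields being a mapping of field name -> default.
CUSTOM_PREFIX = "custom_"


class CustomFieldError(ValueError):
    """Raised when the submitted custom fields fail validation."""


def validate_custom_fields(custom, custom_input_fields):
    """Return the submitted fields with the prefix stripped, or raise.

    custom              -- the "custom" dict received from the frontend
    custom_input_fields -- configured field names (hypothetical shape)
    """
    if not isinstance(custom, dict):
        raise CustomFieldError("custom must be a JSON object")
    allowed = set(custom_input_fields)
    accepted, rejected = {}, []
    for key, value in custom.items():
        # Only keys that carry the prefix and name a configured field pass.
        has_prefix = isinstance(key, str) and key.startswith(CUSTOM_PREFIX)
        name = key[len(CUSTOM_PREFIX):] if has_prefix else None
        if name in allowed:
            accepted[name] = value
        else:
            rejected.append(key)
    if rejected:
        # Reject the whole submission instead of silently dropping fields, so
        # the user sees which names the configuration does not cover.
        names = ", ".join(sorted(map(repr, rejected)))
        raise CustomFieldError("fields not allowed: " + names)
    return accepted


# Constructed sample data, modelled on the payload in the issue.
CONFIGURED = {"classification.type": "infected-system", "feed.code": "oneshot",
              "source.fqdn": ""}
SUBMITTED_OK = {"custom_classification.type": "infected-system",
                "custom_source.fqdn": "example.com"}
SUBMITTED_BAD = dict(SUBMITTED_OK, **{"custom_extra.injected": "x",
                                      "feed.code": "no-prefix"})

if __name__ == "__main__":
    print(validate_custom_fields(SUBMITTED_OK, CONFIGURED))
    try:
        validate_custom_fields(SUBMITTED_BAD, CONFIGURED)
    except CustomFieldError as exc:
        print("rejected:", exc)
```
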
