drf-writable-nested
Stealing of sub objects (potential security issue)
Hi,
I have two models: ApplicationForm and Applicant. Applicants are children of ApplicationForm. ApplicationForms contain a foreign key to Users. When I make a request to the view using ApplicationForm's serializer, putting an existing Applicant's id, I can steal an Applicant of another ApplicationForm.
How to write a validation to avoid that?
Seems to be related to: https://github.com/beda-software/drf-writable-nested/issues/73
@ruscoder any idea?
Corrected for me. I forked the lib. I added a parent-object membership check for objects that already exist in the database. My patch is partial and cannot be the subject of a pull request. If anyone wants to do it, I'll explain the correction.
You'd better check this, it's a real security issue!
@stygmate Hello! Thank you for your contribution, could you please fork and provide the example with the failing test?
@ruscoder I will give you more details when I have time.
It seems to me that this is outside of the scope of this package. You should add a filter on the (child) Serializer to filter out the possible choices. Since the exact way the filter will look depends on the use case, this is up to the developer.
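As an added example (not the library's code), the parent-membership check @stygmate describes and the per-child filter suggested in the comment above, modelled in plain Python with the issue's ApplicationForm/Applicant names; the in-memory rows and function names are constructed for illustration:

```python
# Toy model of the nested-update path from this issue (no Django/DRF needed);
# in-memory rows stand in for the database and all names are hypothetical.
from dataclasses import dataclass
from typing import List, Optional

class ValidationError(Exception):
    """Stand-in for rest_framework.exceptions.ValidationError."""

@dataclass
class Applicant:
    pk: int
    form_id: int  # FK to the parent ApplicationForm
    name: str

@dataclass
class ApplicationForm:
    pk: int
    owner: str    # FK to User

# Constructed sample data: two users, each owning one form with one applicant.
FORMS = {1: ApplicationForm(1, "alice"), 2: ApplicationForm(2, "bob")}
APPLICANTS = {10: Applicant(10, 1, "Ann"), 20: Applicant(20, 2, "Ben")}

def resolve_child_unchecked(child_data: dict) -> Optional[Applicant]:
    """Lookup as the issue describes: any existing pk is accepted and reused."""
    return APPLICANTS.get(child_data.get("pk"))

def resolve_child_checked(parent: ApplicationForm, child_data: dict) -> Optional[Applicant]:
    """Hardened lookup: an existing pk must already belong to this parent."""
    pk = child_data.get("pk")
    if pk is None:
        return None  # no pk: a new child will be created under this parent
    child = APPLICANTS.get(pk)
    if child is None or child.form_id != parent.pk:
        raise ValidationError(f"Applicant {pk} does not belong to ApplicationForm {parent.pk}")
    return child

def update_form(parent: ApplicationForm, payload: dict, checked: bool = True) -> List[int]:
    """Apply a nested update to `parent`; return the applicant pks now attached to it."""
    for child_data in payload["applicants"]:
        child = (resolve_child_checked(parent, child_data) if checked
                 else resolve_child_unchecked(child_data))
        if child is None:
            child = Applicant(max(APPLICANTS) + 1, parent.pk, child_data["name"])
            APPLICANTS[child.pk] = child
        child.form_id = parent.pk  # unchecked path: this reparents someone else's row
        child.name = child_data.get("name", child.name)
    return sorted(a.pk for a in APPLICANTS.values() if a.form_id == parent.pk)
```

In a real project the `resolve_child_checked` logic is what would be wired into the child serializer's validation, scoped to the parent instance under update.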
It means anyone can update any related object just by having its pk value.
It seems to me like a real security issue that should be noted in the documentation. Though the package might not handle it, a developer should be aware of such behavior anyway.