encode/django-rest-frameworkPublic

NotificationsYou must be signed in to change notification settings
Fork7k
Star29.8k

Do not list related field choices in OPTIONS requests.#4021

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Merged

lovelydinosaur merged 1 commit intoencode:masterfromcharettes:related-field-choices-metadata

Jun 1, 2016

Merged

Do not list related field choices in OPTIONS requests.#4021

lovelydinosaur merged 1 commit intoencode:masterfromcharettes:related-field-choices-metadata

Jun 1, 2016

Conversation

Copy link

Contributor

charettes commentedMar 29, 2016

Listing related fields can leak sensitive data and result in poor performance
when dealing with large result sets.

Large result sets should be exposed by a dedicated endpoint instead.

charettes changed the title~~Fixed #3751 -- Stopped listing all related field choices through metadata.~~Fixed #3751 -- Stopped listing related field choices through metadata.

Mar 29, 2016

Fixedencode#3751-- Stopped listing related field choices through me…

a6732e2

…tadata.Listing related fields can leak sensitive data and result in poor performancewhen dealing with large result sets.Large result sets should be exposed by a dedicated endpoint instead.

charettes force-pushed therelated-field-choices-metadata branch from69c69b8 toa6732e2Compare

March 29, 2016 17:29

xordoquy added the Enhancement label

Mar 29, 2016

Copy link

Contributor

xordoquy commentedMar 29, 2016

I'm tempted to move this through the deprecation path.
The alternative would be to consider this a security improvement and go through in which case I'd probably add an option to turn this off and keep compatibility.

xordoquy added this to the3.4.0 Release milestone

Mar 29, 2016

Copy link

ContributorAuthor

charettes commentedMar 29, 2016

I have deprecation path in mind, I'll submit it in a few moment.

Copy link

Contributor

xordoquy commentedMar 29, 2016

Thanks !

charettes mentioned this pull request

Mar 30, 2016

Allowed Field to specify their own metadata.#4022

Closed

Copy link

Contributor

lovelydinosaur commentedMar 30, 2016

I'd probably be okay with us simply dropping this in a median version, so long as we call it out.
We don't have any strict contract around what to expect fromOPTIONS responses, so...

Copy link

Contributor

craigds commentedApr 22, 2016

Could this be merged? This fixes#3751 which is a security (and major performance) issue so seems important to get it in.

lovelydinosaur merged commit014e24b intoencode:master

Jun 1, 2016

lovelydinosaur changed the title~~Fixed #3751 -- Stopped listing related field choices through metadata.~~Do not list related field choices in OPTIONS requests.

Jun 1, 2016

Copy link

Contributor

lovelydinosaur commentedJun 1, 2016

Great stuff, thank you!

lovelydinosaur mentioned this pull request

Jun 1, 2016

OPTIONS fetches and shows all possible foreign keys in choices field#3751

Closed

charettes deleted the related-field-choices-metadata branch

June 1, 2016 15:46

Copy link

Contributor

silviogutierrez commentedJun 8, 2016

Hey guys,

Fantastic library and great work overall. For those that actuallydo use this feature, will there be an opt-in workaround[1]? I looked at the merge commit and it seems like a blanket check for all related fields.

It's pretty convenient to build a form off a single OPTIONS request.

Thanks for all your work,

Silvio

[1]: Mandatory:https://xkcd.com/1172/

Copy link

Contributor

lovelydinosaur commentedJun 8, 2016

You'd need to use a custom metadata class, overridingget_field_info so that you have the 3.3.x behavior, not the 3.4.x behavior. We should include that in the release notes.