Closed frossigneux closed 3 years ago
Thank you for the detailed report. I will look into it as soon as I can.
Thanks for catching this... I have never used my own module with any writable DRF APIs, so just hadn't dog-fooded this particular issue, and haven't touched the DRF stuff much since the original release. I have modified HashidSerializerCharField to now disallow int lookups if allow_int_lookup is false.
BTW, in your example you don't pass source_field to HashidSerializerCharField in your PrimaryKeyRelatedField. Probably just in your example, but make sure you're doing so in your actual code per https://github.com/nshafer/django-hashid-field#primary-key-related-fields.
Thanks!
Hello,
I have observed that the serializer converts an int parameter to an object, even if int lookup is forbidden. My serializer is:
from rest_framework import serializers
from hashid_field.rest import HashidSerializerCharField

foo = serializers.PrimaryKeyRelatedField(pk_field=HashidSerializerCharField(), queryset=Foo.objects.all(), required=False)
Then I have a validate method:
def validate_foo(self, value):
Both integer and string parameters trigger the validate_foo method with the retrieved object as argument. However, HASHID_FIELD_ALLOW_INT_LOOKUP is False.
This leads to a security hole, where a user can retrieve the integer behind the obfuscated id of their objects.
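The following is an added, stand-alone illustration of the report above and of the maintainer's fix (rejecting integer input at the serializer field when int lookups are disabled). It is not code from django-hashid-field, DRF or the reporter: `ToyHashid` is a deliberately simple salt-keyed encoding standing in for the real hashids algorithm, `HashidPKField`, `lookup`, `probe_integer_ids`, `is_rejected` and the `OBJECTS` table are hypothetical names with constructed data, and only the hook name `to_internal_value` is borrowed from DRF. The `probe_integer_ids` function shows the attack the issue describes: with a field that silently accepts integers, a caller can recover the integer behind a hashid by submitting candidate integers and watching which one resolves to the same object; with the strict field the probe gets nothing.

```python
import random

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


class ToyHashid:
    """Toy salt-keyed obfuscation of non-negative integers.

    Stand-in for hashids, NOT the real algorithm: writes n in base-26 using a
    salt-shuffled alphabet and left-pads with the alphabet's zero digit, so
    decode(encode(n)) == n. Enough to exercise the lookup logic below.
    """

    def __init__(self, salt: str, min_length: int = 7):
        rng = random.Random(salt)          # str seeds are deterministic
        letters = list(ALPHABET)
        rng.shuffle(letters)
        self.alphabet = "".join(letters)
        self.min_length = min_length

    def encode(self, n: int) -> str:
        if n < 0:
            raise ValueError("only non-negative ids are encoded")
        digits = []
        while True:
            n, r = divmod(n, len(self.alphabet))
            digits.append(self.alphabet[r])
            if n == 0:
                break
        # alphabet[0] is the zero digit, so left padding does not change the value
        return "".join(reversed(digits)).rjust(self.min_length, self.alphabet[0])

    def decode(self, s: str):
        """Return the integer, or None if s is not a valid encoding."""
        if not s:
            return None
        n = 0
        for ch in s:
            idx = self.alphabet.find(ch)
            if idx < 0:
                return None
            n = n * len(self.alphabet) + idx
        return n


class ValidationError(Exception):
    pass


class HashidPKField:
    """Hypothetical pk_field: to_internal_value mirrors the DRF hook name."""

    def __init__(self, hashid: ToyHashid, allow_int_lookup: bool = False):
        self.hashid = hashid
        self.allow_int_lookup = allow_int_lookup

    def to_internal_value(self, data):
        if isinstance(data, bool):          # bool is an int subclass; never a pk
            raise ValidationError("invalid id")
        if isinstance(data, int):
            if not self.allow_int_lookup:
                raise ValidationError("integer lookups are not allowed")
            return data
        if isinstance(data, str):
            if data.isdigit():              # a decimal string is an int lookup in disguise
                if not self.allow_int_lookup:
                    raise ValidationError("integer lookups are not allowed")
                return int(data)
            n = self.hashid.decode(data)
            if n is None:
                raise ValidationError("not a valid hashid")
            return n
        raise ValidationError("unsupported id type")


# Constructed sample table standing in for the queryset.
OBJECTS = {101: "alice's report", 102: "bob's report"}


def lookup(field: HashidPKField, data):
    """Resolve submitted data to an object, as PrimaryKeyRelatedField would."""
    pk = field.to_internal_value(data)
    if pk not in OBJECTS:
        raise ValidationError("object does not exist")
    return OBJECTS[pk]


def is_rejected(field: HashidPKField, data) -> bool:
    try:
        field.to_internal_value(data)
    except ValidationError:
        return True
    return False


def probe_integer_ids(field: HashidPKField, target_hashid: str, limit: int = 1000):
    """The attack from the report: find the integer behind target_hashid by
    submitting candidate integers. Returns the integer, or None if every
    candidate is rejected (the behaviour after the fix)."""
    target = lookup(field, target_hashid)
    for candidate in range(limit):
        try:
            if lookup(field, candidate) == target:
                return candidate
        except ValidationError:
            continue
    return None


if __name__ == "__main__":
    h = ToyHashid("example-salt")
    lax = HashidPKField(h, allow_int_lookup=True)
    strict = HashidPKField(h, allow_int_lookup=False)
    hid = h.encode(101)
    print("hashid for 101:", hid)
    print("lax field leaks:", probe_integer_ids(lax, hid))       # 101
    print("strict field leaks:", probe_integer_ids(strict, hid)) # None
```

Run it as a script to see the two outcomes side by side. The decimal-string branch is a choice made for this example rather than something the issue states: an API that serialises ids as strings will often receive `"101"` rather than `101`, and treating it as an integer lookup keeps the setting from being bypassed by quoting.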