philipn / django-rest-framework-filters

Better filtering for Django REST Framework

Test complex ops backend against inner query encoding #318

Open rpkilby opened 5 years ago

rpkilby commented 5 years ago

The complex ops backend expects inner query strings to be URL encoded so that they may contain "unsafe" characters. If an inner query string contains any of the characters used by complex ops ()~|& and it is not URL encoded, then parsing on the backend could break.

Here's an "unsafe" example: (a=b) | (c=d())

Correct encoding would roughly look like:

Improper encoding in a single step would look like:

The backend should already function as expected, but tests should be added to prevent a regression. Should test both expected/malformed examples.

Also, need to check if there are cases where encoding the inner query string is optional when safe. e.g., is (a=1&b=2) & (c=3&d=4) safe? The inner querystring uses operators that the regex parses, but given that they're wrapped by parens, it should be fine?
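The two-step encoding the issue describes, worked through as an added example (my own code, not the project's): each inner query string is percent-encoded first so its `=`, `&` and parentheses become inert, then the whole complex expression is percent-encoded again as the value of the query parameter. The server-side parser here is a hypothetical paren-delimited tokenizer (the parameter name `complex_filter`, the whitespace handling and the `~` negation prefix are assumptions); it is not the project's regex, so what it accepts only illustrates the question in the last paragraph rather than answering it for the real backend. It shows that the single-step encoding of `(a=b) | (c=d())` breaks parsing, while `(a=1&b=2) & (c=3&d=4)` happens to survive a paren-delimited tokenizer because the inner `&` never reaches operator position.

```python
from urllib.parse import quote, parse_qs, unquote


def encode_complex_filter(groups, ops):
    """Two-step encoding for a complex_filter value.

    groups: list of (negate: bool, inner_querystring: str)
    ops:    list of "&" / "|" operators, one fewer than groups
    """
    if len(ops) != len(groups) - 1:
        raise ValueError("need exactly len(groups) - 1 operators")
    pieces = []
    for i, (negate, inner) in enumerate(groups):
        # Step 1: encode the inner query string so its own =, &, ( ) are inert.
        pieces.append(("~" if negate else "") + "(" + quote(inner, safe="") + ")")
        if i < len(ops):
            pieces.append(ops[i])
    expression = "".join(pieces)
    # Step 2: encode the whole expression as a query-parameter value.
    return quote(expression, safe="")


def single_step_encode(expression):
    """The improper encoding: the raw expression is percent-encoded only once, so
    after the framework decodes the parameter the inner strings come back raw."""
    return quote(expression, safe="")


def parse_complex_filter(param_value):
    """Parse the once-decoded parameter value into
    [(negate, {field: [values]}), op, (negate, {...}), ...].

    Hypothetical paren-delimited tokenizer (assumption, not the project's regex).
    Literal whitespace between groups and operators is skipped.
    """
    result, i, n, expect_group = [], 0, len(param_value), True
    while i < n:
        ch = param_value[i]
        if ch.isspace():
            i += 1
            continue
        if expect_group:
            negate = ch == "~"
            if negate:
                i += 1
            if i >= n or param_value[i] != "(":
                raise ValueError(f"expected '(' at offset {i}")
            close = param_value.find(")", i + 1)
            if close == -1:
                raise ValueError("unterminated group")
            inner = param_value[i + 1:close]
            # Undo step 1, then read the inner string as an ordinary query string.
            result.append((negate, parse_qs(unquote(inner), keep_blank_values=True)))
            i, expect_group = close + 1, False
        else:
            if ch not in "&|":
                raise ValueError(f"expected operator at offset {i}, got {ch!r}")
            result.append(ch)
            i, expect_group = i + 1, True
    if expect_group:
        raise ValueError("expression is empty or ends with an operator")
    return result


def decode_request(querystring):
    """Simulate the framework: decode the query parameter once (step 2 undone),
    then hand the value to the complex-ops parser."""
    value = parse_qs(querystring, keep_blank_values=True)["complex_filter"][0]
    return parse_complex_filter(value)


def try_decode(querystring):
    """Return the parsed groups, or the parser's error as a string."""
    try:
        return decode_request(querystring)
    except ValueError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    good = encode_complex_filter([(False, "a=b"), (False, "c=d()")], ["|"])
    print(good, "->", try_decode("complex_filter=" + good))
    bad = single_step_encode("(a=b) | (c=d())")
    print(bad, "->", try_decode("complex_filter=" + bad))
    borderline = single_step_encode("(a=1&b=2) & (c=3&d=4)")
    print(borderline, "->", try_decode("complex_filter=" + borderline))
```

Running it prints the correctly encoded value `%28a%253Db%29%7C%28c%253Dd%2528%2529%29` round-tripping to `a=b` and `c=d()`, the single-step value failing with "expected operator ... got ')'" because the parser closes the group at the first `)` inside `d()`, and the `&`-inside-parens case parsing cleanly under this tokenizer. A regression test for the backend would cover at least the first two cases, as the issue proposes.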