Resolve Application Errors discovered by ZAP

[jtwillis92]

Description: Provide a brief background and justification for this issue As of https://github.com/raft-tech/TANF-app/pull/1384 we are using the ZAP API scan for the backend. This utilizes the OpenAPI spec to crawl the app more effectively and has uncovered some issues.

The following ZAP output shows some endpoints that are returning 500 errors for certain operations - causing ZAP to trigger these alert rules:

WARN-NEW: A Server Error response code was returned by the server [100000] x 3 
    http://web:8080/v1/users/set_profile/ (500 Internal Server Error)
    http://web:8080/ (500 Internal Server Error)
    http://web:8080/?name=abc (500 Internal Server Error)
WARN-NEW: Unexpected Content-Type was returned [100001] x 127 
    http://web:8080/v1/users/set_profile/ (500 Internal Server Error)
WARN-NEW: Application Error Disclosure [90022] x 1 
    http://web:8080/v1/users/set_profile/ (500 Internal Server Error)
FAIL-NEW: Private IP Disclosure [2] x 1 
    http://web:8080/v1/users/set_profile/ (500 Internal Server Error)

Ideally, no 500 errors should be returned to the client so this will have positive impacts on the application resiliency as well as resolving these ZAP alerts.

An example HTML report with these errors can be found here.

Additionally, this screenshot from the Swagger UI shows the unexpected 500 error for set_profile:

Acceptance Criteria: Create a list of functional outcomes that must be achieved to complete this issue

• [x] 500 errors are not returned when making a GET request to the root URL
• [x] 500 errors are not returned when erroneous query parameters are passed to the root URL
• [x] 500 errors are not returned for PATCH requests to /v1/users/set_profile
• [x] Testing Checklist has been run and all tests pass
• [x] README is updated, if necessary

Tasks: Create a list of granular, specific work items that must be completed to deliver the desired outcomes of this issue

• [x] Update set_profile method on User viewset such that it does not return 500 errors from user interaction.
• [x] Update the root URL handler such that it does not return 500 errors on requests with or without query parameters.
• [x] Run Testing Checklist and confirm all tests pass

Notes: Add additional useful information, such as related issues and functionality that isn't covered by this specific issue, and other considerations that will be helpful for anyone reading this

Supporting Documentation: Please include any relevant log snippets/files/screen shots

Open Questions: Please include any questions or decisions that must be made before beginning work or to confidently call this issue complete

[andrew-jameson]

Easily reproducible on raft-tdp-main:

Message-ID: <163657007270.31.2267320914155795949@808a898857f5>

Internal Server Error: /v1/users/set_profile/

AssertionError at /v1/users/set_profile/
The `.update()` method does not support writable nested fields by default.
Write an explicit `.update()` method for serializer `tdpservice.users.seria=
lizers.UserProfileSerializer`, or set `read_only=3DTrue` on nested serializ=
er fields.

Request Method: PATCH
Request URL: http://web:8080/v1/users/set_profile/
Django Version: 3.2.5
Python Executable: /usr/local/bin/python
Python Version: 3.8.9
Python Path: ['/tdpapp', '/usr/local/bin', '/usr/local/lib/python38.zip', '=
/usr/local/lib/python3.8', '/usr/local/lib/python3.8/lib-dynload', '/usr/lo=
cal/lib/python3.8/site-packages']
Server time: Wed, 10 Nov 2021 18:47:52 +0000
Installed Applications:
('colorfield',
 'admin_interface',
 'django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'rest_framework',
 'rest_framework.authtoken',
 'django_filters',
 'django_admin_logs',
 'corsheaders',
 'django_extensions',
 'drf_yasg',
 'storages',
 'tdpservice.core.apps.CoreConfig',
 'tdpservice.users',
 'tdpservice.stts',
 'tdpservice.data_files',
 'tdpservice.security')
Installed Middleware:
('django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'corsheaders.middleware.CorsMiddleware',
ERROR Internal Server Error: /v1/users/set_profile/
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.8/site-packages/django/core/handlers/base.py", line 181, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/local/lib/python3.8/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/rest_framework/viewsets.py", line 125, in view
    return self.dispatch(request, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", line 509, in dispatch
    response = self.handle_exception(exc)
  File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", line 469, in handle_exception
    self.raise_uncaught_exception(exc)
  File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", line 480, in raise_uncaught_exception
    raise exc
  File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", line 506, in dispatch
    response = handler(request, *args, **kwargs)
  File "/tdpapp/tdpservice/users/views.py", line 47, in set_profile
    serializer.save()
  File "/usr/local/lib/python3.8/site-packages/rest_framework/serializers.py", line 200, in save
    self.instance = self.update(self.instance, validated_data)
  File "/tdpapp/tdpservice/users/serializers.py", line 83, in update
    return super().update(instance, validated_data)
  File "/usr/local/lib/python3.8/site-packages/rest_framework/serializers.py", line 969, in update
    raise_errors_on_nested_writes('update', self, validated_data)
  File "/usr/local/lib/python3.8/site-packages/rest_framework/serializers.py", line 790, in raise_errors_on_nested_writes
    assert not any(
 'tdpservice.users.api.middleware.AuthUpdateMiddleware',
 'csp.middleware.CSPMiddleware')

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/django/core/handlers/excepti=
on.py", line 47, in inner
    response =3D get_response(request)
  File "/usr/local/lib/python3.8/site-packages/django/core/handlers/base.py=
", line 181, in _get_response
    response =3D wrapped_callback(request, *callback_args, **callback_kwarg=
s)
  File "/usr/local/lib/python3.8/site-packages/django/views/decorators/csrf=
.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/rest_framework/viewsets.py",=
 line 125, in view
AssertionError: The `.update()` method does not support writable nested fields by default.
Write an explicit `.update()` method for serializer `tdpservice.users.serializers.UserProfileSerializer`, or set `read_only=True` on nested serializer fields.
    return self.dispatch(request, *args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", li=
ne 509, in dispatch
    response =3D self.handle_exception(exc)
  File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", li=
ne 469, in handle_exception
    self.raise_uncaught_exception(exc)
  File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", li=
ne 480, in raise_uncaught_exception
    raise exc
  File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", li=
ne 506, in dispatch
    response =3D handler(request, *args, **kwargs)
  File "/tdpapp/tdpservice/users/views.py", line 47, in set_profile
    serializer.save()
  File "/usr/local/lib/python3.8/site-packages/rest_framework/serializers.p=
y", line 200, in save
    self.instance =3D self.update(self.instance, validated_data)
  File "/tdpapp/tdpservice/users/serializers.py", line 83, in update
    return super().update(instance, validated_data)
  File "/usr/local/lib/python3.8/site-packages/rest_framework/serializers.p=
y", line 969, in update
    raise_errors_on_nested_writes('update', self, validated_data)
  File "/usr/local/lib/python3.8/site-packages/rest_framework/serializers.p=
y", line 790, in raise_errors_on_nested_writes
    assert not any(

Exception Type: AssertionError at /v1/users/set_profile/
Exception Value: The `.update()` method does not support writable nested fi=
elds by default.
Write an explicit `.update()` method for serializer `tdpservice.users.seria=
lizers.UserProfileSerializer`, or set `read_only=3DTrue` on nested serializ=
er fields.
Request information:
USER: AnonymousUser

GET: No GET data

POST: No POST data

FILES: No FILES data

COOKIES: No cookie data

[valcollignon]

demo by @jtwillis92 12.7.21