Python/Django Class based saving - worried about security












0












$begingroup$


I'm creating multiple django apps with vote possibilities. So I made an app vote to handle all this votes. In my templates I'm including an ajax-function named vote. To know on which model I'm liking I add app_name and model_name to the vote function (I made some templatetags to get these values). In my views.py I use model = apps.get_model(app_name, model_name) to get the model class. But now I'm worried a hacker could do something with the app_name and model_name values.



Here are my files:



vote/ajax.html (only function):



function vote(bool){
$.ajax({
type: "post",
timeout: 8000,
url: '{% url 'ajax:vote' %}',
dataType: 'json',
data: {
'csrfmiddlewaretoken': getCookie('csrftoken'),
'model_name': "{{ model|get_model_name }}",
'app_name': "{{ model|get_app_name }}",
'voted': bool,
'id': "{{ model.id }}",
},
success: function(data) {
if (!data.error){
if (bool){
$(".half .fa-thumbs-up").removeClass("far").addClass("fas");
$(".half #count").text(parseInt($(".half #count").text()) + 1);
} else {
$(".half .fa-thumbs-down").removeClass("far").addClass("fas");
$(".half #count").text(parseInt($(".half #count").text()) - 1);
}
}
}
});
}


ajax/views.py:



def vote(request):
try:
app_name = request.POST.get("app_name")
model_name = request.POST.get("model_name")
id = request.POST.get("id")
votedFor = True if request.POST.get("votedFor") == "true" else False
except ValueError:
return JsonResponse({"error": True})

model = apps.get_model(app_name, model_name)

if model is None or id is None:
return JsonResponse({"error": True})

try:
model._meta.get_field("votes")
except FieldDoesNotExist:
return JsonResponse({"error": True})

try:
usable_model = model.objects.get(id=id)
except model.DoesNotExist:
return JsonResponse({"error": True})

usable_model.vote.vote(request, votedFor)
return JsonResponse({"error": False})


vote/functions:



def vote(self, request, votedFor):
if request.user.is_authenticated:
if not UserVoted.objects.filter(User=request.user, Vote=self).exists():
UserVoted.objects.create(User=request.user, Vote=self, votedFor=votedFor)
self._like_or_dislike(votedFor)
return True
return False
ip = get_client_ip(request)
if ip:
if not UserVoted.objects.filter(ip=ip, Vote=self).exists():
UserVoted.objects.create(ip=ip, Vote=self, votedFor=votedFor)
self._like_or_dislike(votedFor)
return True
return False
return False

def _like_or_dislike(self, votedFor):
if votedFor is not None:
self.uservoted_set.objects.filter(id=self.id).update(votes=F('votes') + 1) if votedFor == True else self.objects.filter(id=self.id).update(votes=F('votes') - 1)
return True
return False


I already manipulated app_name and model_name and the server didnt crash but I dont know what a hacker can do. Can he crash my server when he manipulate these values? (maybe "ajax-injection" or something like this?)









share









$endgroup$

















    0












    $begingroup$


    I'm creating multiple django apps with vote possibilities. So I made an app vote to handle all this votes. In my templates I'm including an ajax-function named vote. To know on which model I'm liking I add app_name and model_name to the vote function (I made some templatetags to get these values). In my views.py I use model = apps.get_model(app_name, model_name) to get the model class. But now I'm worried a hacker could do something with the app_name and model_name values.



    Here are my files:



    vote/ajax.html (only function):



    function vote(bool){
    $.ajax({
    type: "post",
    timeout: 8000,
    url: '{% url 'ajax:vote' %}',
    dataType: 'json',
    data: {
    'csrfmiddlewaretoken': getCookie('csrftoken'),
    'model_name': "{{ model|get_model_name }}",
    'app_name': "{{ model|get_app_name }}",
    'voted': bool,
    'id': "{{ model.id }}",
    },
    success: function(data) {
    if (!data.error){
    if (bool){
    $(".half .fa-thumbs-up").removeClass("far").addClass("fas");
    $(".half #count").text(parseInt($(".half #count").text()) + 1);
    } else {
    $(".half .fa-thumbs-down").removeClass("far").addClass("fas");
    $(".half #count").text(parseInt($(".half #count").text()) - 1);
    }
    }
    }
    });
    }


    ajax/views.py:



    def vote(request):
    try:
    app_name = request.POST.get("app_name")
    model_name = request.POST.get("model_name")
    id = request.POST.get("id")
    votedFor = True if request.POST.get("votedFor") == "true" else False
    except ValueError:
    return JsonResponse({"error": True})

    model = apps.get_model(app_name, model_name)

    if model is None or id is None:
    return JsonResponse({"error": True})

    try:
    model._meta.get_field("votes")
    except FieldDoesNotExist:
    return JsonResponse({"error": True})

    try:
    usable_model = model.objects.get(id=id)
    except model.DoesNotExist:
    return JsonResponse({"error": True})

    usable_model.vote.vote(request, votedFor)
    return JsonResponse({"error": False})


    vote/functions:



    def vote(self, request, votedFor):
    if request.user.is_authenticated:
    if not UserVoted.objects.filter(User=request.user, Vote=self).exists():
    UserVoted.objects.create(User=request.user, Vote=self, votedFor=votedFor)
    self._like_or_dislike(votedFor)
    return True
    return False
    ip = get_client_ip(request)
    if ip:
    if not UserVoted.objects.filter(ip=ip, Vote=self).exists():
    UserVoted.objects.create(ip=ip, Vote=self, votedFor=votedFor)
    self._like_or_dislike(votedFor)
    return True
    return False
    return False

    def _like_or_dislike(self, votedFor):
    if votedFor is not None:
    self.uservoted_set.objects.filter(id=self.id).update(votes=F('votes') + 1) if votedFor == True else self.objects.filter(id=self.id).update(votes=F('votes') - 1)
    return True
    return False


    I already manipulated app_name and model_name and the server didnt crash but I dont know what a hacker can do. Can he crash my server when he manipulate these values? (maybe "ajax-injection" or something like this?)









    share









    $endgroup$















      0












      0








      0





      $begingroup$


      I'm creating multiple django apps with vote possibilities. So I made an app vote to handle all this votes. In my templates I'm including an ajax-function named vote. To know on which model I'm liking I add app_name and model_name to the vote function (I made some templatetags to get these values). In my views.py I use model = apps.get_model(app_name, model_name) to get the model class. But now I'm worried a hacker could do something with the app_name and model_name values.



      Here are my files:



      vote/ajax.html (only function):



      function vote(bool){
      $.ajax({
      type: "post",
      timeout: 8000,
      url: '{% url 'ajax:vote' %}',
      dataType: 'json',
      data: {
      'csrfmiddlewaretoken': getCookie('csrftoken'),
      'model_name': "{{ model|get_model_name }}",
      'app_name': "{{ model|get_app_name }}",
      'voted': bool,
      'id': "{{ model.id }}",
      },
      success: function(data) {
      if (!data.error){
      if (bool){
      $(".half .fa-thumbs-up").removeClass("far").addClass("fas");
      $(".half #count").text(parseInt($(".half #count").text()) + 1);
      } else {
      $(".half .fa-thumbs-down").removeClass("far").addClass("fas");
      $(".half #count").text(parseInt($(".half #count").text()) - 1);
      }
      }
      }
      });
      }


      ajax/views.py:



      def vote(request):
      try:
      app_name = request.POST.get("app_name")
      model_name = request.POST.get("model_name")
      id = request.POST.get("id")
      votedFor = True if request.POST.get("votedFor") == "true" else False
      except ValueError:
      return JsonResponse({"error": True})

      model = apps.get_model(app_name, model_name)

      if model is None or id is None:
      return JsonResponse({"error": True})

      try:
      model._meta.get_field("votes")
      except FieldDoesNotExist:
      return JsonResponse({"error": True})

      try:
      usable_model = model.objects.get(id=id)
      except model.DoesNotExist:
      return JsonResponse({"error": True})

      usable_model.vote.vote(request, votedFor)
      return JsonResponse({"error": False})


      vote/functions:



      def vote(self, request, votedFor):
      if request.user.is_authenticated:
      if not UserVoted.objects.filter(User=request.user, Vote=self).exists():
      UserVoted.objects.create(User=request.user, Vote=self, votedFor=votedFor)
      self._like_or_dislike(votedFor)
      return True
      return False
      ip = get_client_ip(request)
      if ip:
      if not UserVoted.objects.filter(ip=ip, Vote=self).exists():
      UserVoted.objects.create(ip=ip, Vote=self, votedFor=votedFor)
      self._like_or_dislike(votedFor)
      return True
      return False
      return False

      def _like_or_dislike(self, votedFor):
      if votedFor is not None:
      self.uservoted_set.objects.filter(id=self.id).update(votes=F('votes') + 1) if votedFor == True else self.objects.filter(id=self.id).update(votes=F('votes') - 1)
      return True
      return False


      I already manipulated app_name and model_name and the server didnt crash but I dont know what a hacker can do. Can he crash my server when he manipulate these values? (maybe "ajax-injection" or something like this?)









      share









      $endgroup$




      I'm creating multiple django apps with vote possibilities. So I made an app vote to handle all this votes. In my templates I'm including an ajax-function named vote. To know on which model I'm liking I add app_name and model_name to the vote function (I made some templatetags to get these values). In my views.py I use model = apps.get_model(app_name, model_name) to get the model class. But now I'm worried a hacker could do something with the app_name and model_name values.



      Here are my files:



      vote/ajax.html (only function):



      function vote(bool){
      $.ajax({
      type: "post",
      timeout: 8000,
      url: '{% url 'ajax:vote' %}',
      dataType: 'json',
      data: {
      'csrfmiddlewaretoken': getCookie('csrftoken'),
      'model_name': "{{ model|get_model_name }}",
      'app_name': "{{ model|get_app_name }}",
      'voted': bool,
      'id': "{{ model.id }}",
      },
      success: function(data) {
      if (!data.error){
      if (bool){
      $(".half .fa-thumbs-up").removeClass("far").addClass("fas");
      $(".half #count").text(parseInt($(".half #count").text()) + 1);
      } else {
      $(".half .fa-thumbs-down").removeClass("far").addClass("fas");
      $(".half #count").text(parseInt($(".half #count").text()) - 1);
      }
      }
      }
      });
      }


      ajax/views.py:



      def vote(request):
      try:
      app_name = request.POST.get("app_name")
      model_name = request.POST.get("model_name")
      id = request.POST.get("id")
      votedFor = True if request.POST.get("votedFor") == "true" else False
      except ValueError:
      return JsonResponse({"error": True})

      model = apps.get_model(app_name, model_name)

      if model is None or id is None:
      return JsonResponse({"error": True})

      try:
      model._meta.get_field("votes")
      except FieldDoesNotExist:
      return JsonResponse({"error": True})

      try:
      usable_model = model.objects.get(id=id)
      except model.DoesNotExist:
      return JsonResponse({"error": True})

      usable_model.vote.vote(request, votedFor)
      return JsonResponse({"error": False})


      vote/functions:



      def vote(self, request, votedFor):
      if request.user.is_authenticated:
      if not UserVoted.objects.filter(User=request.user, Vote=self).exists():
      UserVoted.objects.create(User=request.user, Vote=self, votedFor=votedFor)
      self._like_or_dislike(votedFor)
      return True
      return False
      ip = get_client_ip(request)
      if ip:
      if not UserVoted.objects.filter(ip=ip, Vote=self).exists():
      UserVoted.objects.create(ip=ip, Vote=self, votedFor=votedFor)
      self._like_or_dislike(votedFor)
      return True
      return False
      return False

      def _like_or_dislike(self, votedFor):
      if votedFor is not None:
      self.uservoted_set.objects.filter(id=self.id).update(votes=F('votes') + 1) if votedFor == True else self.objects.filter(id=self.id).update(votes=F('votes') - 1)
      return True
      return False


      I already manipulated app_name and model_name and the server didnt crash but I dont know what a hacker can do. Can he crash my server when he manipulate these values? (maybe "ajax-injection" or something like this?)







      python javascript jquery html django





      share












      share










      share



      share










      asked 6 mins ago









      Myzel394Myzel394

      315




      315






















          0






          active

          oldest

          votes











          Your Answer





          StackExchange.ifUsing("editor", function () {
          return StackExchange.using("mathjaxEditing", function () {
          StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
          StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["\$", "\$"]]);
          });
          });
          }, "mathjax-editing");

          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "196"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f212021%2fpython-django-class-based-saving-worried-about-security%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Code Review Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          Use MathJax to format equations. MathJax reference.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f212021%2fpython-django-class-based-saving-worried-about-security%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          404 Error Contact Form 7 ajax form submitting

          How to know if a Active Directory user can login interactively

          TypeError: fit_transform() missing 1 required positional argument: 'X'