Merge pull request jfinkels#343 from goodscloud/jsonify-security-fixe…

…s-280 don't return SQL to the user when there is an IntegrityError, DataError, or ProgrammingError
mmarquar · Aug 5, 2014 · 680fd0f · 680fd0f
2 parents 83402f3 + a61697a
commit 680fd0f
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/flask_restless/views.py b/flask_restless/views.py
@@ -1247,7 +1247,7 @@ def post(self):
         except (DataError, IntegrityError, ProgrammingError) as exception:
             self.session.rollback()
             current_app.logger.exception(str(exception))
-            return dict(message=str(exception)), 400
+            return dict(message=type(exception).__name__), 400
 
     def patch(self, instid, relationname, relationinstid):
         """Updates the instance specified by ``instid`` of the named model, or
@@ -1359,7 +1359,7 @@ def patch(self, instid, relationname, relationinstid):
             return self._handle_validation_exception(exception)
         except (DataError, IntegrityError, ProgrammingError) as exception:
             current_app.logger.exception(str(exception))
-            return dict(message=str(exception)), 400
+            return dict(message=type(exception).__name__), 400
 
         # Perform any necessary postprocessing.
         if patchmany:

diff --git a/tests/test_views.py b/tests/test_views.py
@@ -339,6 +339,7 @@ def test_post(self):
         response = self.app.post('/api/person',
                                  data=dumps({'name': u'George', 'age': 23}))
         assert response.status_code == 400
+        assert json.loads(response.data)['message'] == 'IntegrityError'
 
         # For issue #158 we make sure that the previous failure is rolled back
         # so that we can add valid entries again
@@ -664,6 +665,17 @@ def test_patch_remove_m2m(self):
         assert vim_relation not in computer['programs']
         assert emacs_relation in computer['programs']
 
+    def test_patch_integrity_error(self):
+        self.session.add(self.Person(name=u"Waldorf", age=89))
+        self.session.add(self.Person(name=u"Statler", age=91))
+        self.session.commit()
+
+        # This errors as expected
+        response = self.app.patch('/api/person/1',
+                                 data=dumps({'name': u'Statler'}))
+        assert response.status_code == 400
+        assert json.loads(response.data)['message'] == 'IntegrityError'
+
     def test_delete(self):
         """Test for deleting an instance of the database using the
         :http:method:`delete` method.