Merge remote-tracking branch 'origin/v3.6'

2025-02-03 13:47:14 +03:00 · 2023-03-30 15:31:15 +02:00 · 2023-03-30 15:31:15 +02:00 · 3ba4ed5f7d
commit 3ba4ed5f7d
parent e9e8555f51
9 changed files with 21 additions and 67 deletions
--- a/server/src/tests/middleware/test_redirect.py
+++ b/server/src/tests/middleware/test_redirect.py
@ -35,7 +35,6 @@ from django.urls import reverse

 from uds.core.util import config
 from uds.core.managers.crypto import CryptoManager
-from uds.middleware.redirect import _NO_REDIRECT

 from ..utils import test

@ -49,7 +48,6 @@ class RedirectMiddlewareTest(test.UDSTransactionTestCase):
    """
    def test_redirect(self):
        RedirectMiddlewareTest.add_middleware('uds.middleware.redirect.RedirectMiddleware')
-        config.GlobalConfig.REDIRECT_TO_HTTPS.set(True)
        response = self.client.get('/', secure=False)
        self.assertEqual(response.status_code, 302)
        self.assertEqual(response.url, 'https://testserver/')
@ -66,17 +64,3 @@ class RedirectMiddlewareTest(test.UDSTransactionTestCase):
            self.assertEqual(response.url, f'https://testserver{url}')
            response = self.client.get(url, secure=True)
            self.assertEqual(response.status_code, 404) # Not found
-
-        # These urls will never redirect:
-        for url in _NO_REDIRECT:
-            # Append some random string to avoid cache and make a 404 occur
-            url = f'/{url}{("/" + CryptoManager().randomString(32)) if "test" not in url else ""}'
-            response = self.client.get(url, secure=False)
-            # every url will return 404, except /uds/rest/client/test that will return 200 and wyse or servlet that will return 302
-            if url.startswith('/uds/rest/client/test'):
-                self.assertEqual(response.status_code, 200)
-            elif url.startswith('/wyse') or url.startswith('/servlet'):
-                self.assertEqual(response.status_code, 302)
-            else:
-                self.assertEqual(response.status_code, 404)
-
--- a/server/src/tests/middleware/test_security.py
+++ b/server/src/tests/middleware/test_security.py
@ -33,7 +33,6 @@ import logging
 from django.urls import reverse

 from uds.core.util import config
-from uds.middleware.redirect import _NO_REDIRECT

 from ..utils import test

--- a/server/src/uds/core/util/auto_attributes.py
+++ b/server/src/uds/core/util/auto_attributes.py
@ -31,7 +31,7 @@
@author: Adolfo Gómez, dkmaster at dkmon dot com
 """
 import codecs
-import pickle
+import pickle  # nosec: This is fine, we are not loading untrusted data
 import logging
 import typing

@ -105,7 +105,7 @@ class AutoAttributes(Serializable):
            return
        # We keep original data (maybe incomplete)
        if data[:2] == b'v1':
-            self.attrs = pickle.loads(data[2:])
+            self.attrs = pickle.loads(data[2:])  # nosec: pickle is used to load data from trusted source
            return
        # We try to load as v0
        try:
@ -117,9 +117,9 @@ class AutoAttributes(Serializable):
            k, v = pair.split(b'\1')
            # logger.debug('k: %s  ---   v: %s', k, v)
            try:
-                self.attrs[k.decode()] = pickle.loads(v)
+                self.attrs[k.decode()] = pickle.loads(v)  # nosec: pickle is used to load data from trusted source
            except Exception:  # Old encoding on python2, set encoding for loading
-                self.attrs[k.decode()] = pickle.loads(v, encoding='utf8')
+                self.attrs[k.decode()] = pickle.loads(v, encoding='utf8')  # nosec: pickle is used to load data from trusted source

    def __repr__(self) -> str:
        return (
--- a/server/src/uds/core/util/certs.py
+++ b/server/src/uds/core/util/certs.py
@ -60,7 +60,7 @@ def createSslContext(verify: bool = True) -> ssl.SSLContext:
        sslContext = ssl.create_default_context(cafile=certifi.where())
    else:
        sslContext = (
-            ssl._create_unverified_context()
+            ssl._create_unverified_context()  # nosec: we are creating a context required to be insecure
        )  # pylint: disable=protected-access

    return sslContext
--- a/server/src/uds/core/util/config.py
+++ b/server/src/uds/core/util/config.py
@ -148,9 +148,7 @@ class Config:
                        section=self._section.name(), key=self._key
                    )
                    self._data = readed.value
-                    self._crypt = [self._crypt, True][
-                        readed.crypt
-                    ]  # True has "higher" precedende than False
+                    self._crypt = readed.crypt or self._crypt
                    self._longText = readed.long
                    if self._type != -1 and self._type != readed.field_type:
                        readed.field_type = self._type
@ -507,7 +505,7 @@ class GlobalConfig:
    # Redirect HTTP to HTTPS
    REDIRECT_TO_HTTPS: Config.Value = Config.section(GLOBAL_SECTION).value(
        'redirectToHttps',
-        '0',
+        '1',
        type=Config.FieldType.BOOLEAN,
        help=_('Redirect HTTP to HTTPS on connection to UDS'),
    )
--- a/server/src/uds/core/util/hash.py
+++ b/server/src/uds/core/util/hash.py
@ -32,6 +32,8 @@
 """
 import typing

+hasher: typing.Any
+
 try:
    # Try to use fast hashlib (if available)
    import xxhash
--- a/server/src/uds/core/util/state_queue.py
+++ b/server/src/uds/core/util/state_queue.py
@ -84,5 +84,5 @@ class StateQueue:
    def remove(self, state: typing.Any):
        try:
            self._queue.remove(state)
-        except Exception:
+        except Exception:  # nosec: Fine to ignore exception here
            pass  # If state not in queue, nothing happens
--- a/server/src/uds/core/util/xml2dict.py
+++ b/server/src/uds/core/util/xml2dict.py
@ -32,10 +32,10 @@
 import typing

 from collections import defaultdict
-from xml.etree import cElementTree
+import defusedxml.ElementTree as ET

 if typing.TYPE_CHECKING:
-    from xml.etree.cElementTree import Element
+    from xml.etree.cElementTree import Element  # nosec: Only type checking


 def etree_to_dict(t: 'Element') -> typing.Mapping[str, typing.Any]:
@ -63,4 +63,4 @@ def etree_to_dict(t: 'Element') -> typing.Mapping[str, typing.Any]:


 def parse(xml_string: str) -> typing.Mapping[str, typing.Any]:
-    return etree_to_dict(cElementTree.XML(xml_string))
+    return etree_to_dict(ET.XML(xml_string))
--- a/server/src/uds/middleware/redirect.py
+++ b/server/src/uds/middleware/redirect.py
@ -44,46 +44,17 @@ logger = logging.getLogger(__name__)
 if typing.TYPE_CHECKING:
    from django.http import HttpRequest, HttpResponse

-
-_NO_REDIRECT: typing.List[str] = [
-    'rest',
-    'pam',
-    'guacamole',
-    # For new paths
-    # 'uds/rest',  # REST must be HTTPS if redirect is enabled
-    'uds/pam',
-    'uds/guacamole',
-    # Test client can be http
-    'uds/rest/client/test',
-    # And also the tunnel
-    'uds/rest/tunnel',
-]
-
-
-def registerNoRedirectURL(path: str) -> None:
-    _NO_REDIRECT.append(path)
-
-
 def _check_redirectable(request: 'HttpRequest') -> typing.Optional['HttpResponse']:
-    if GlobalConfig.REDIRECT_TO_HTTPS.getBool() is False or request.is_secure():
-        return None
+    if request.is_secure():
+       return None

-    full_path = request.get_full_path()
-    redirect = True
-    for nr in _NO_REDIRECT:
-        if full_path.startswith('/' + nr):
-            redirect = False
-            break
+    if request.method == 'POST':  # No post redirects
+        url = reverse('page.login')
+    else:
+        url = request.build_absolute_uri(request.get_full_path())
+    url = url.replace('http://', 'https://')

-    if redirect:
-        if request.method == 'POST':
-            url = reverse('page.login')
-        else:
-            url = request.build_absolute_uri(full_path)
-        url = url.replace('http://', 'https://')
-
-        return HttpResponseRedirect(url)
-    return None
+    return HttpResponseRedirect(url)


 # Compatibility with old middleware, so we can use it in settings.py as it was