Do not list related field choices in OPTIONS requests. by charettes · Pull Request #4021 · encode/django-rest-framework

charettes · 2016-03-29T17:26:42Z

Listing related fields can leak sensitive data and result in poor performance
when dealing with large result sets.

Large result sets should be exposed by a dedicated endpoint instead.

…tadata. Listing related fields can leak sensitive data and result in poor performance when dealing with large result sets. Large result sets should be exposed by a dedicated endpoint instead.

xordoquy · 2016-03-29T18:12:42Z

I'm tempted to move this through the deprecation path.
The alternative would be to consider this a security improvement and go through in which case I'd probably add an option to turn this off and keep compatibility.

charettes · 2016-03-29T18:14:49Z

I have deprecation path in mind, I'll submit it in a few moment.

xordoquy · 2016-03-29T20:16:04Z

Thanks !

lovelydinosaur · 2016-03-30T20:57:51Z

I'd probably be okay with us simply dropping this in a median version, so long as we call it out.
We don't have any strict contract around what to expect from OPTIONS responses, so...

craigds · 2016-04-22T00:32:11Z

Could this be merged? This fixes #3751 which is a security (and major performance) issue so seems important to get it in.

lovelydinosaur · 2016-06-01T15:33:23Z

Great stuff, thank you!

silviogutierrez · 2016-06-08T16:06:48Z

Hey guys,

Fantastic library and great work overall. For those that actually do use this feature, will there be an opt-in workaround[1]? I looked at the merge commit and it seems like a blanket check for all related fields.

It's pretty convenient to build a form off a single OPTIONS request.

Thanks for all your work,

Silvio

[1]: Mandatory: https://xkcd.com/1172/

lovelydinosaur · 2016-06-08T16:12:16Z

You'd need to use a custom metadata class, overriding get_field_info so that you have the 3.3.x behavior, not the 3.4.x behavior. We should include that in the release notes.

wimglenn · 2016-09-12T23:08:02Z

Related example of overriding get_field_info: http://stackoverflow.com/q/35564784/674039

charettes changed the title ~~Fixed #3751 -- Stopped listing all related field choices through metadata.~~ Fixed #3751 -- Stopped listing related field choices through metadata. Mar 29, 2016

Fixed encode#3751 -- Stopped listing related field choices through me…

a6732e2

…tadata. Listing related fields can leak sensitive data and result in poor performance when dealing with large result sets. Large result sets should be exposed by a dedicated endpoint instead.

charettes force-pushed the related-field-choices-metadata branch from 69c69b8 to a6732e2 Compare March 29, 2016 17:29

xordoquy added the Enhancement label Mar 29, 2016

xordoquy added this to the 3.4.0 Release milestone Mar 29, 2016

charettes mentioned this pull request Mar 30, 2016

Allowed Field to specify their own metadata. #4022

Closed

lovelydinosaur merged commit 014e24b into encode:master Jun 1, 2016

lovelydinosaur changed the title ~~Fixed #3751 -- Stopped listing related field choices through metadata.~~ Do not list related field choices in OPTIONS requests. Jun 1, 2016

lovelydinosaur mentioned this pull request Jun 1, 2016

OPTIONS fetches and shows all possible foreign keys in choices field #3751

Closed

charettes deleted the related-field-choices-metadata branch June 1, 2016 15:46

ansumanbebarta mentioned this pull request Jun 14, 2016

Choice values are always represented as strings. #4111

Closed

pyup-bot mentioned this pull request Oct 22, 2016

Pin djangorestframework to latest version 3.5.1 wooyek/django-website-pro#16

Merged

pyup-bot mentioned this pull request Oct 30, 2016

Pin djangorestframework to latest version 3.5.1 Cyberbyte-Software/Sensor-Portal#49

Merged

pyup-bot mentioned this pull request Feb 26, 2017

Pin djangorestframework to latest version 3.5.4 maidstone-hackspace/maidstone-hackspace-website#39

Merged

This was referenced Mar 9, 2017

Pin djangorestframework to latest version 3.6.0 getpatchwork/patchwork#87

Closed

Pin djangorestframework to latest version 3.6.1 getpatchwork/patchwork#88

Closed

Pin djangorestframework to latest version 3.6.2 getpatchwork/patchwork#89

Closed

sliverc mentioned this pull request Sep 17, 2019

How to include choices for ResourceRelatedField? django-json-api/django-rest-framework-json-api#701

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Do not list related field choices in OPTIONS requests.#4021

Do not list related field choices in OPTIONS requests.#4021
lovelydinosaur merged 1 commit intoencode:masterfrom
charettes:related-field-choices-metadata

charettes commented Mar 29, 2016

Uh oh!

xordoquy commented Mar 29, 2016

Uh oh!

charettes commented Mar 29, 2016

Uh oh!

xordoquy commented Mar 29, 2016

Uh oh!

lovelydinosaur commented Mar 30, 2016

Uh oh!

craigds commented Apr 22, 2016

Uh oh!

lovelydinosaur commented Jun 1, 2016

Uh oh!

silviogutierrez commented Jun 8, 2016

Uh oh!

lovelydinosaur commented Jun 8, 2016

Uh oh!

wimglenn commented Sep 12, 2016

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Uh oh!

Conversation

charettes commented Mar 29, 2016

Uh oh!

xordoquy commented Mar 29, 2016

Uh oh!

charettes commented Mar 29, 2016

Uh oh!

xordoquy commented Mar 29, 2016

Uh oh!

lovelydinosaur commented Mar 30, 2016

Uh oh!

craigds commented Apr 22, 2016

Uh oh!

lovelydinosaur commented Jun 1, 2016

Uh oh!

silviogutierrez commented Jun 8, 2016

Uh oh!

lovelydinosaur commented Jun 8, 2016

Uh oh!

wimglenn commented Sep 12, 2016

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants