Prevent unauthorized access to views

jdufresne · jdufresne · commit 68c4410f01cb · 2017-03-26T17:04:40.000-07:00
All views in debug_toolbar are now decorated with the new debug_toolbar.decorators.require_show_toolbar. This prevents access when the function defined by SHOW_TOOLBAR_CALLBACK returns False. For example, when a request originated form outside INTERNAL_IPS. Fixes #834
diff --git a/debug_toolbar/decorators.py b/debug_toolbar/decorators.py
@@ -0,0 +1,16 @@
+import functools
+
+from django.http import Http404
+
+from debug_toolbar.middleware import get_show_toolbar
+
+
+def require_show_toolbar(view):
+    @functools.wraps(view)
+    def inner(request, *args, **kwargs):
+        show_toolbar = get_show_toolbar()
+        if not show_toolbar(request):
+            raise Http404
+
+        return view(request, *args, **kwargs)
+    return inner
diff --git a/debug_toolbar/middleware.py b/debug_toolbar/middleware.py
@@ -10,7 +10,7 @@
 from django.conf import settings
 from django.utils import six
 from django.utils.encoding import force_text
-from django.utils.functional import cached_property
+from django.utils.lru_cache import lru_cache
 from django.utils.module_loading import import_string
 
 from debug_toolbar import settings as dt_settings
@@ -33,32 +33,35 @@ def show_toolbar(request):
     if request.META.get('REMOTE_ADDR', None) not in settings.INTERNAL_IPS:
         return False
 
-    if request.is_ajax():
-        return False
-
     return bool(settings.DEBUG)
 
 
+@lru_cache()
+def get_show_toolbar():
+    # If SHOW_TOOLBAR_CALLBACK is a string, which is the recommended
+    # setup, resolve it to the corresponding callable.
+    func_or_path = dt_settings.get_config()['SHOW_TOOLBAR_CALLBACK']
+    if isinstance(func_or_path, six.string_types):
+        return import_string(func_or_path)
+    else:
+        return func_or_path
+
+
 class DebugToolbarMiddleware(MiddlewareMixin):
     """
     Middleware to set up Debug Toolbar on incoming request and render toolbar
     on outgoing response.
     """
     debug_toolbars = {}
 
-    @cached_property
-    def show_toolbar(self):
-        # If SHOW_TOOLBAR_CALLBACK is a string, which is the recommended
-        # setup, resolve it to the corresponding callable.
-        func_or_path = dt_settings.get_config()['SHOW_TOOLBAR_CALLBACK']
-        if isinstance(func_or_path, six.string_types):
-            return import_string(func_or_path)
-        else:
-            return func_or_path
-
     def process_request(self, request):
         # Decide whether the toolbar is active for this request.
-        if not self.show_toolbar(request):
+        show_toolbar = get_show_toolbar()
+        if not show_toolbar(request):
+            return
+
+        # Don't render the toolbar during AJAX requests.
+        if request.is_ajax():
             return
 
         toolbar = DebugToolbar(request)
diff --git a/debug_toolbar/panels/sql/views.py b/debug_toolbar/panels/sql/views.py
@@ -4,10 +4,12 @@
 from django.shortcuts import render_to_response
 from django.views.decorators.csrf import csrf_exempt
 
+from debug_toolbar.decorators import require_show_toolbar
 from debug_toolbar.panels.sql.forms import SQLSelectForm
 
 
 @csrf_exempt
+@require_show_toolbar
 def sql_select(request):
     """Returns the output of the SQL SELECT statement"""
     form = SQLSelectForm(request.POST or None)
@@ -33,6 +35,7 @@ def sql_select(request):
 
 
 @csrf_exempt
+@require_show_toolbar
 def sql_explain(request):
     """Returns the output of the SQL EXPLAIN on the given query"""
     form = SQLSelectForm(request.POST or None)
@@ -69,6 +72,7 @@ def sql_explain(request):
 
 
 @csrf_exempt
+@require_show_toolbar
 def sql_profile(request):
     """Returns the output of running the SQL and getting the profiling statistics"""
     form = SQLSelectForm(request.POST or None)
diff --git a/debug_toolbar/panels/templates/views.py b/debug_toolbar/panels/templates/views.py
@@ -6,12 +6,15 @@
 from django.template.engine import Engine
 from django.utils.safestring import mark_safe
 
+from debug_toolbar.decorators import require_show_toolbar
+
 try:
     from django.template import Origin
 except ImportError:
     Origin = None
 
 
+@require_show_toolbar
 def template_source(request):
     """
     Return the source of a template, syntax-highlighted by Pygments if
diff --git a/debug_toolbar/views.py b/debug_toolbar/views.py
@@ -4,9 +4,11 @@
 from django.utils.html import escape
 from django.utils.translation import ugettext as _
 
+from debug_toolbar.decorators import require_show_toolbar
 from debug_toolbar.toolbar import DebugToolbar
 
 
+@require_show_toolbar
 def render_panel(request):
     """Render the contents of a panel"""
     toolbar = DebugToolbar.fetch(request.GET['store_id'])
diff --git a/docs/changes.rst b/docs/changes.rst
@@ -4,6 +4,20 @@ Change log
 1.8 (upcoming)
 --------------
 
+Features
+~~~~~~~~
+
+* New decorator ``debug_toolbar.decorators.require_show_toolbar`` prevents
+  unauthorized access to decorated views by checking ``SHOW_TOOLBAR_CALLBACK``
+  every request. Unauthorized access results in a 404.
+
+Bugfixes
+~~~~~~~~
+
+* All views are now decorated with
+  ``debug_toolbar.decorators.require_show_toolbar`` preventing unauthorized
+  access.
+
 1.7
 ---
 
diff --git a/docs/panels.rst b/docs/panels.rst
@@ -309,8 +309,9 @@ Third-party panels must subclass :class:`~debug_toolbar.panels.Panel`,
 according to the public API described below. Unless noted otherwise, all
 methods are optional.
 
-Panels can ship their own templates, static files and views. There is no public
-CSS API at this time.
+Panels can ship their own templates, static files and views. All views should
+be decorated with ``debug_toolbar.decorators.require_show_toolbar`` to prevent
+unauthorized access. There is no public CSS API at this time.
 
 .. autoclass:: debug_toolbar.panels.Panel(*args, **kwargs)
 
diff --git a/tests/test_integration.py b/tests/test_integration.py
@@ -9,10 +9,12 @@
 import django
 from django.contrib.staticfiles.testing import StaticLiveServerTestCase
 from django.core.checks import Error, run_checks
+from django.template.loader import get_template
 from django.test import RequestFactory, TestCase
 from django.test.utils import override_settings
 
 from debug_toolbar.middleware import DebugToolbarMiddleware, show_toolbar
+from debug_toolbar.toolbar import DebugToolbar
 
 from .base import BaseTestCase
 from .views import regular_view
@@ -120,6 +122,103 @@ def test_xml_validation(self):
         response = self.client.get('/regular/XML/')
         ET.fromstring(response.content)     # shouldn't raise ParseError
 
+    def test_render_panel_checks_show_toolbar(self):
+        toolbar = DebugToolbar(None)
+        toolbar.store()
+        url = '/__debug__/render_panel/'
+        data = {'store_id': toolbar.store_id, 'panel_id': 'VersionsPanel'}
+
+        response = self.client.get(url, data)
+        self.assertEqual(response.status_code, 200)
+        response = self.client.get(url, data, HTTP_X_REQUESTED_WITH='XMLHttpRequest')
+        self.assertEqual(response.status_code, 200)
+        with self.settings(INTERNAL_IPS=[]):
+            response = self.client.get(url, data)
+            self.assertEqual(response.status_code, 404)
+            response = self.client.get(url, data, HTTP_X_REQUESTED_WITH='XMLHttpRequest')
+            self.assertEqual(response.status_code, 404)
+
+    def test_template_source_checks_show_toolbar(self):
+        template = get_template('basic.html')
+        url = '/__debug__/template_source/'
+        data = {
+            'template': template.template.name,
+            'template_origin': template.template.origin.name
+        }
+
+        response = self.client.get(url, data)
+        self.assertEqual(response.status_code, 200)
+        response = self.client.get(url, data, HTTP_X_REQUESTED_WITH='XMLHttpRequest')
+        self.assertEqual(response.status_code, 200)
+        with self.settings(INTERNAL_IPS=[]):
+            response = self.client.get(url, data)
+            self.assertEqual(response.status_code, 404)
+            response = self.client.get(url, data, HTTP_X_REQUESTED_WITH='XMLHttpRequest')
+            self.assertEqual(response.status_code, 404)
+
+    def test_sql_select_checks_show_toolbar(self):
+        url = '/__debug__/sql_select/'
+        data = {
+            'sql': 'SELECT * FROM auth_user',
+            'raw_sql': 'SELECT * FROM auth_user',
+            'params': '{}',
+            'alias': 'default',
+            'duration': '0',
+            'hash': '6e12daa636b8c9a8be993307135458f90a877606',
+        }
+
+        response = self.client.post(url, data)
+        self.assertEqual(response.status_code, 200)
+        response = self.client.post(url, data, HTTP_X_REQUESTED_WITH='XMLHttpRequest')
+        self.assertEqual(response.status_code, 200)
+        with self.settings(INTERNAL_IPS=[]):
+            response = self.client.post(url, data)
+            self.assertEqual(response.status_code, 404)
+            response = self.client.post(url, data, HTTP_X_REQUESTED_WITH='XMLHttpRequest')
+            self.assertEqual(response.status_code, 404)
+
+    def test_sql_explain_checks_show_toolbar(self):
+        url = '/__debug__/sql_explain/'
+        data = {
+            'sql': 'SELECT * FROM auth_user',
+            'raw_sql': 'SELECT * FROM auth_user',
+            'params': '{}',
+            'alias': 'default',
+            'duration': '0',
+            'hash': '6e12daa636b8c9a8be993307135458f90a877606',
+        }
+
+        response = self.client.post(url, data)
+        self.assertEqual(response.status_code, 200)
+        response = self.client.post(url, data, HTTP_X_REQUESTED_WITH='XMLHttpRequest')
+        self.assertEqual(response.status_code, 200)
+        with self.settings(INTERNAL_IPS=[]):
+            response = self.client.post(url, data)
+            self.assertEqual(response.status_code, 404)
+            response = self.client.post(url, data, HTTP_X_REQUESTED_WITH='XMLHttpRequest')
+            self.assertEqual(response.status_code, 404)
+
+    def test_sql_profile_checks_show_toolbar(self):
+        url = '/__debug__/sql_profile/'
+        data = {
+            'sql': 'SELECT * FROM auth_user',
+            'raw_sql': 'SELECT * FROM auth_user',
+            'params': '{}',
+            'alias': 'default',
+            'duration': '0',
+            'hash': '6e12daa636b8c9a8be993307135458f90a877606',
+        }
+
+        response = self.client.post(url, data)
+        self.assertEqual(response.status_code, 200)
+        response = self.client.post(url, data, HTTP_X_REQUESTED_WITH='XMLHttpRequest')
+        self.assertEqual(response.status_code, 200)
+        with self.settings(INTERNAL_IPS=[]):
+            response = self.client.post(url, data)
+            self.assertEqual(response.status_code, 404)
+            response = self.client.post(url, data, HTTP_X_REQUESTED_WITH='XMLHttpRequest')
+            self.assertEqual(response.status_code, 404)
+
 
 @unittest.skipIf(webdriver is None, "selenium isn't installed")
 @unittest.skipUnless('DJANGO_SELENIUM_TESTS' in os.environ, "selenium tests not requested")
