From 53f530c0afbae06683f32d9d624607cba66a89b7 Mon Sep 17 00:00:00 2001 From: lpm0073 Date: Wed, 5 Oct 2022 19:47:46 -0500 Subject: [PATCH] only do dict comparisons if not tainted --- wp_oauth_backend/wp_oauth.py | 53 ++++++++++++++++++------------------ 1 file changed, 27 insertions(+), 26 deletions(-) diff --git a/wp_oauth_backend/wp_oauth.py b/wp_oauth_backend/wp_oauth.py index dbb093b..c7de3b8 100644 --- a/wp_oauth_backend/wp_oauth.py +++ b/wp_oauth_backend/wp_oauth.py @@ -152,34 +152,35 @@ class StepwiseMathWPOAuth2(BaseOAuth2): )) tainted = True - # a def in the third_party_auth pipeline list calls get_user_details() after its already - # been called once. i don't know why. but, it passes the original get_user_details() dict - # enhanced with additional token-related keys. if we receive this modified dict then we - # should pass it along to the next defs in the pipeline. - # - # If most of the original keys (see dict definition below) exist in the response object - # then we can assume that this is our case. - qc_keys = ['id', 'date_joined', 'email', 'first_name', 'fullname', 'is_staff', 'is_superuser', 'last_name', 'username'] - if all(key in response for key in qc_keys): - if VERBOSE_LOGGING: - logger.info('get_user_details() - detected an enhanced get_user_details() dict in the response: {response}'.format( - response=json.dumps(response, sort_keys=True, indent=4) - )) - return response + if not tainted: + # a def in the third_party_auth pipeline list calls get_user_details() after its already + # been called once. i don't know why. but, it passes the original get_user_details() dict + # enhanced with additional token-related keys. if we receive this modified dict then we + # should pass it along to the next defs in the pipeline. + # + # If most of the original keys (see dict definition below) exist in the response object + # then we can assume that this is our case. + qc_keys = ['id', 'date_joined', 'email', 'first_name', 'fullname', 'is_staff', 'is_superuser', 'last_name', 'username'] + if all(key in response for key in qc_keys): + if VERBOSE_LOGGING: + logger.info('get_user_details() - detected an enhanced get_user_details() dict in the response: {response}'.format( + response=json.dumps(response, sort_keys=True, indent=4) + )) + return response - # otherwise we pobably received the default response from the oauth provider based on - # the scopes 'basic' 'email' 'profile'. We'll check a few of the most important keys to see - # if they exist. - if ('ID' not in response.keys()) or ('user_email' not in response.keys()) or ('user_login' not in response.keys()): - logger.warning('get_user_details() - response object is missing one or more required keys: {response}'.format( - response=json.dumps(response, sort_keys=True, indent=4) - )) - tainted = True - else: - if VERBOSE_LOGGING: - logger.info('get_user_details() - start. response: {response}'.format( + # otherwise we pobably received the default response from the oauth provider based on + # the scopes 'basic' 'email' 'profile'. We'll check a few of the most important keys to see + # if they exist. + if ('ID' not in response.keys()) or ('user_email' not in response.keys()) or ('user_login' not in response.keys()): + logger.warning('get_user_details() - response object is missing one or more required keys: {response}'.format( response=json.dumps(response, sort_keys=True, indent=4) - )) + )) + tainted = True + else: + if VERBOSE_LOGGING: + logger.info('get_user_details() - start. response: {response}'.format( + response=json.dumps(response, sort_keys=True, indent=4) + )) if tainted and self.user_details: logger.warning('get_user_details() - returning cached results. user_details: {user_details}'.format(