# concrexit issues
https://gitlab.science.ru.nl/thalia/concrexit/-/issues
2019-04-24T21:25:11+02:00

## Update Poetry.lock and check urllib3 version
https://gitlab.science.ru.nl/thalia/concrexit/-/issues/864
2019-04-24T21:25:11+02:00, Sébastiaan Versteeg

### One-sentence description
Update Poetry.lock and check urllib3 version
### Why?
https://nvd.nist.gov/vuln/detail/CVE-2019-11324
If you want to know why this is so important, we really only use requests (which uses urllib3) in one place: Conscribo sync.

## Always set rel="noopener" with target="_blank" for external domains
https://gitlab.science.ru.nl/thalia/concrexit/-/issues/783
2018-12-16T16:06:32+01:00, Joren Vrancken

### One-sentence description
Always set `rel="noopener"` with `target="_blank"` for external domains.
### Why
Using `target="_blank"` without `rel="noopener"` for external domains is a security vulnerability.
* [source](https://www.tutorialdocs.com/article/html-opener-blank.html)
* [source](https://developers.google.com/web/tools/lighthouse/audits/noopener)
### Expected behaviour
`a` tags containing `target="_blank"` should also contain `rel="noopener noreferrer nofollow"`.

## Hide Authorization parameter from debug output
https://gitlab.science.ru.nl/thalia/concrexit/-/issues/534
2017-12-10T21:18:46+01:00, Thom Wiggers

### One-sentence description
We need to hide this HTTP var in debug output
### Desired behaviour
Not show it in debug output.
### Suggested solution:
Implement a SafeExceptionReporterFilter subclass and include 'Authorization' in the sensitive list.
https://docs.djangoproject.com/en/1.11/howto/error-reporting/#filtering-error-reports
https://docs.djangoproject.com/en/1.11/_modules/django/views/debug/#SafeExceptionReporterFilter.get_traceback_frame_variables
First check if we can get SafeExceptionReporterFilter to play ball.

## API information leakage
https://gitlab.science.ru.nl/thalia/concrexit/-/issues/458
2017-12-10T21:12:55+01:00, Joren Vrancken

### One-sentence description
Some private information is leaked from the database through the API.
### Why?
When the ThaliApp requests events information from the website, private information is revealed.
For example, the registration dates of every participant of an event and their member ids.
### Current implementation
When querying the API, data is returned that is private and seemingly unnecessary.
### Desired implementation
The API should only return necessary data.