sartography
/
cr-connect-workflow
mirror of https://github.com/sartography/cr-connect-workflow.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #507 from sartography/bug/validating_data_security 

Bug/validating data security #684
This commit is contained in:
Mike Cullerton 2022-03-29 09:41:02 -04:00 committed by GitHub
parent 244fced84d b884ce4c3a
commit 6ff0cdbb9d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 242 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
crc/services/workflow_service.py
View File

@ -315,7 +315,7 @@ class WorkflowService(object):
if field.label:
try:
# Assure that we can evaluate the field.label, but no need to save the resulting value.
task.workflow.script_engine._evaluate(field.label, data, task)
task.workflow.script_engine._evaluate(field.label, form_data, task)
except Exception as e:
raise ApiError.from_task("bad label", f'The label "{field.label}" in field {field.id} '
f'could not be understood or evaluated. ',
@ -346,7 +346,8 @@ class WorkflowService(object):
# If the field is hidden we can leave it as none.
if field.has_property(Task.FIELD_PROP_HIDE_EXPRESSION):
if WorkflowService.evaluate_property(Task.FIELD_PROP_HIDE_EXPRESSION, field, task):
if WorkflowService.evaluate_property(Task.FIELD_PROP_HIDE_EXPRESSION, field, task, form_data):
continue
# If we are only populating required fields, and this isn't required. stop here.
@ -373,7 +374,7 @@ class WorkflowService(object):
f'for repeat and group expressions that is not also used for a field name.'
, task=task)
if field.has_property(Task.FIELD_PROP_REPEAT_HIDE_EXPRESSION):
result = WorkflowService.evaluate_property(Task.FIELD_PROP_REPEAT_HIDE_EXPRESSION, field, task)
result = WorkflowService.evaluate_property(Task.FIELD_PROP_REPEAT_HIDE_EXPRESSION, field, task, form_data)
if not result:
hide_groups.append(group)
if group not in form_data and group not in hide_groups:
@ -468,10 +469,11 @@ class WorkflowService(object):
DataStoreBase().set_data_common(task.id, None, None, None, None, None, file_id, *data_args)
@staticmethod
def evaluate_property(property_name, field, task):
def evaluate_property(property_name, field, task, task_data=None):
expression = field.get_property(property_name)
data = copy.deepcopy(task.data)
if not task_data:
task_data = task.data
data = copy.deepcopy(task_data)
# If there's a field key with no initial value, give it one (None)
for other_field in task.task_spec.form.fields:
if other_field.id not in data:
@ -481,12 +483,12 @@ class WorkflowService(object):
# Then you must evaluate the expression based on the data within the group, if that data exists.
# There may not be data available in the group, if no groups were added
group = field.get_property(Task.FIELD_PROP_REPEAT)
if group in task.data and len(task.data[group]) > 0:
if group in task_data and len(task_data[group]) > 0:
# Here we must make the current group data top level (as it would be in a repeat section) but
# make all other top level task data available as well.
new_data = copy.deepcopy(task.data)
new_data = copy.deepcopy(task_data)
del (new_data[group])
data = task.data[group][0]
data = task_data[group][0]
data.update(new_data)
else:
return None # We may not have enough information to process this

106
tests/data/eval_hidden_property_display/eval_hidden_property_display.bpmn Normal file
View File

@ -0,0 +1,106 @@
<?xml version="1.0" encoding="UTF-8"?>
<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL" xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI" xmlns:dc="http://www.omg.org/spec/DD/20100524/DC" xmlns:camunda="http://camunda.org/schema/1.0/bpmn" xmlns:di="http://www.omg.org/spec/DD/20100524/DI" id="Definitions_1czc92c" targetNamespace="http://bpmn.io/schema/bpmn" exporter="Camunda Modeler" exporterVersion="4.2.0">
<bpmn:process id="Process_0jnv7pf" isExecutable="true">
<bpmn:startEvent id="StartEvent_1">
<bpmn:outgoing>Flow_1afe16z</bpmn:outgoing>
</bpmn:startEvent>
<bpmn:sequenceFlow id="Flow_1afe16z" sourceRef="StartEvent_1" targetRef="Activity_GetData" />
<bpmn:userTask id="Activity_GetData" name="Get Data" camunda:formKey="DataForm">
<bpmn:extensionElements>
<camunda:formData>
<camunda:formField id="field_a" label="&#39;Field A&#39;" type="boolean" defaultValue="True">
<camunda:validation>
<camunda:constraint name="required" config="True" />
</camunda:validation>
</camunda:formField>
<camunda:formField id="field_b" label="&#39;Field B&#39;" type="enum">
<camunda:properties>
<camunda:property id="group" value="My Group" />
<camunda:property id="hide_expression" value="not field_a" />
<camunda:property id="enum_type" value="radio" />
</camunda:properties>
<camunda:validation>
<camunda:constraint name="required" config="True" />
</camunda:validation>
<camunda:value id="Yes" name="Yes, it will happen" />
<camunda:value id="No" name="No, it will not happen" />
</camunda:formField>
<camunda:formField id="field_c" label="&#39;Field C&#39; " type="boolean">
<camunda:properties>
<camunda:property id="group" value="My Group" />
<camunda:property id="hide_expression" value="not field_a" />
</camunda:properties>
<camunda:validation>
<camunda:constraint name="required" config="True" />
</camunda:validation>
</camunda:formField>
</camunda:formData>
</bpmn:extensionElements>
<bpmn:incoming>Flow_1afe16z</bpmn:incoming>
<bpmn:outgoing>Flow_1rdirmd</bpmn:outgoing>
</bpmn:userTask>
<bpmn:sequenceFlow id="Flow_1rdirmd" sourceRef="Activity_GetData" targetRef="Activity_06vgshs" />
<bpmn:scriptTask id="Activity_06vgshs" name="Process Data">
<bpmn:incoming>Flow_1rdirmd</bpmn:incoming>
<bpmn:outgoing>Flow_1a0iaov</bpmn:outgoing>
<bpmn:script>val_b = 'None'
val_c = 'None'
if field_a:
val_b = field_b
val_c = field_c</bpmn:script>
</bpmn:scriptTask>
<bpmn:sequenceFlow id="Flow_1a0iaov" sourceRef="Activity_06vgshs" targetRef="Activity_1oa7yli" />
<bpmn:endEvent id="Event_1hh5chb">
<bpmn:incoming>Flow_09i512s</bpmn:incoming>
</bpmn:endEvent>
<bpmn:sequenceFlow id="Flow_09i512s" sourceRef="Activity_1oa7yli" targetRef="Event_1hh5chb" />
<bpmn:manualTask id="Activity_1oa7yli" name="Display Data">
<bpmn:documentation>## Values
### B
{{ val_b }}
### C
{{ val_c }}</bpmn:documentation>
<bpmn:incoming>Flow_1a0iaov</bpmn:incoming>
<bpmn:outgoing>Flow_09i512s</bpmn:outgoing>
</bpmn:manualTask>
</bpmn:process>
<bpmndi:BPMNDiagram id="BPMNDiagram_1">
<bpmndi:BPMNPlane id="BPMNPlane_1" bpmnElement="Process_0jnv7pf">
<bpmndi:BPMNEdge id="Flow_1afe16z_di" bpmnElement="Flow_1afe16z">
<di:waypoint x="215" y="117" />
<di:waypoint x="270" y="117" />
</bpmndi:BPMNEdge>
<bpmndi:BPMNEdge id="Flow_1rdirmd_di" bpmnElement="Flow_1rdirmd">
<di:waypoint x="370" y="117" />
<di:waypoint x="430" y="117" />
</bpmndi:BPMNEdge>
<bpmndi:BPMNEdge id="Flow_1a0iaov_di" bpmnElement="Flow_1a0iaov">
<di:waypoint x="530" y="117" />
<di:waypoint x="590" y="117" />
</bpmndi:BPMNEdge>
<bpmndi:BPMNEdge id="Flow_09i512s_di" bpmnElement="Flow_09i512s">
<di:waypoint x="690" y="117" />
<di:waypoint x="752" y="117" />
</bpmndi:BPMNEdge>
<bpmndi:BPMNShape id="_BPMNShape_StartEvent_2" bpmnElement="StartEvent_1">
<dc:Bounds x="179" y="99" width="36" height="36" />
</bpmndi:BPMNShape>
<bpmndi:BPMNShape id="Activity_1erp6or_di" bpmnElement="Activity_GetData">
<dc:Bounds x="270" y="77" width="100" height="80" />
</bpmndi:BPMNShape>
<bpmndi:BPMNShape id="Activity_0q9ghf5_di" bpmnElement="Activity_06vgshs">
<dc:Bounds x="430" y="77" width="100" height="80" />
</bpmndi:BPMNShape>
<bpmndi:BPMNShape id="Event_1hh5chb_di" bpmnElement="Event_1hh5chb">
<dc:Bounds x="752" y="99" width="36" height="36" />
</bpmndi:BPMNShape>
<bpmndi:BPMNShape id="Activity_010f8pg_di" bpmnElement="Activity_1oa7yli">
<dc:Bounds x="590" y="77" width="100" height="80" />
</bpmndi:BPMNShape>
</bpmndi:BPMNPlane>
</bpmndi:BPMNDiagram>
</bpmn:definitions>

106
tests/data/eval_hidden_property_hide/eval_hidden_property_hide.bpmn Normal file
View File

@ -0,0 +1,106 @@
<?xml version="1.0" encoding="UTF-8"?>
<bpmn:definitions xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL" xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI" xmlns:dc="http://www.omg.org/spec/DD/20100524/DC" xmlns:camunda="http://camunda.org/schema/1.0/bpmn" xmlns:di="http://www.omg.org/spec/DD/20100524/DI" id="Definitions_1czc92c" targetNamespace="http://bpmn.io/schema/bpmn" exporter="Camunda Modeler" exporterVersion="4.2.0">
<bpmn:process id="Process_0jnv7pf" isExecutable="true">
<bpmn:startEvent id="StartEvent_1">
<bpmn:outgoing>Flow_1afe16z</bpmn:outgoing>
</bpmn:startEvent>
<bpmn:sequenceFlow id="Flow_1afe16z" sourceRef="StartEvent_1" targetRef="Activity_GetData" />
<bpmn:userTask id="Activity_GetData" name="Get Data" camunda:formKey="DataForm">
<bpmn:extensionElements>
<camunda:formData>
<camunda:formField id="field_a" label="&#39;Field A&#39;" type="boolean" defaultValue="False">
<camunda:validation>
<camunda:constraint name="required" config="True" />
</camunda:validation>
</camunda:formField>
<camunda:formField id="field_b" label="&#39;Field B&#39;" type="enum">
<camunda:properties>
<camunda:property id="group" value="My Group" />
<camunda:property id="hide_expression" value="not field_a" />
<camunda:property id="enum_type" value="radio" />
</camunda:properties>
<camunda:validation>
<camunda:constraint name="required" config="True" />
</camunda:validation>
<camunda:value id="Yes" name="Yes, it will happen" />
<camunda:value id="No" name="No, it will not happen" />
</camunda:formField>
<camunda:formField id="field_c" label="&#39;Field C&#39; " type="boolean">
<camunda:properties>
<camunda:property id="group" value="My Group" />
<camunda:property id="hide_expression" value="not field_a" />
</camunda:properties>
<camunda:validation>
<camunda:constraint name="required" config="True" />
</camunda:validation>
</camunda:formField>
</camunda:formData>
</bpmn:extensionElements>
<bpmn:incoming>Flow_1afe16z</bpmn:incoming>
<bpmn:outgoing>Flow_1rdirmd</bpmn:outgoing>
</bpmn:userTask>
<bpmn:sequenceFlow id="Flow_1rdirmd" sourceRef="Activity_GetData" targetRef="Activity_06vgshs" />
<bpmn:scriptTask id="Activity_06vgshs" name="Process Data">
<bpmn:incoming>Flow_1rdirmd</bpmn:incoming>
<bpmn:outgoing>Flow_1a0iaov</bpmn:outgoing>
<bpmn:script>val_b = 'None'
val_c = 'None'
if field_a:
val_b = field_b
val_c = field_c</bpmn:script>
</bpmn:scriptTask>
<bpmn:sequenceFlow id="Flow_1a0iaov" sourceRef="Activity_06vgshs" targetRef="Activity_1oa7yli" />
<bpmn:endEvent id="Event_1hh5chb">
<bpmn:incoming>Flow_09i512s</bpmn:incoming>
</bpmn:endEvent>
<bpmn:sequenceFlow id="Flow_09i512s" sourceRef="Activity_1oa7yli" targetRef="Event_1hh5chb" />
<bpmn:manualTask id="Activity_1oa7yli" name="Display Data">
<bpmn:documentation>## Values
### B
{{ val_b }}
### C
{{ val_c }}</bpmn:documentation>
<bpmn:incoming>Flow_1a0iaov</bpmn:incoming>
<bpmn:outgoing>Flow_09i512s</bpmn:outgoing>
</bpmn:manualTask>
</bpmn:process>
<bpmndi:BPMNDiagram id="BPMNDiagram_1">
<bpmndi:BPMNPlane id="BPMNPlane_1" bpmnElement="Process_0jnv7pf">
<bpmndi:BPMNEdge id="Flow_09i512s_di" bpmnElement="Flow_09i512s">
<di:waypoint x="690" y="117" />
<di:waypoint x="752" y="117" />
</bpmndi:BPMNEdge>
<bpmndi:BPMNEdge id="Flow_1a0iaov_di" bpmnElement="Flow_1a0iaov">
<di:waypoint x="530" y="117" />
<di:waypoint x="590" y="117" />
</bpmndi:BPMNEdge>
<bpmndi:BPMNEdge id="Flow_1rdirmd_di" bpmnElement="Flow_1rdirmd">
<di:waypoint x="370" y="117" />
<di:waypoint x="430" y="117" />
</bpmndi:BPMNEdge>
<bpmndi:BPMNEdge id="Flow_1afe16z_di" bpmnElement="Flow_1afe16z">
<di:waypoint x="215" y="117" />
<di:waypoint x="270" y="117" />
</bpmndi:BPMNEdge>
<bpmndi:BPMNShape id="_BPMNShape_StartEvent_2" bpmnElement="StartEvent_1">
<dc:Bounds x="179" y="99" width="36" height="36" />
</bpmndi:BPMNShape>
<bpmndi:BPMNShape id="Activity_1erp6or_di" bpmnElement="Activity_GetData">
<dc:Bounds x="270" y="77" width="100" height="80" />
</bpmndi:BPMNShape>
<bpmndi:BPMNShape id="Activity_0q9ghf5_di" bpmnElement="Activity_06vgshs">
<dc:Bounds x="430" y="77" width="100" height="80" />
</bpmndi:BPMNShape>
<bpmndi:BPMNShape id="Event_1hh5chb_di" bpmnElement="Event_1hh5chb">
<dc:Bounds x="752" y="99" width="36" height="36" />
</bpmndi:BPMNShape>
<bpmndi:BPMNShape id="Activity_010f8pg_di" bpmnElement="Activity_1oa7yli">
<dc:Bounds x="590" y="77" width="100" height="80" />
</bpmndi:BPMNShape>
</bpmndi:BPMNPlane>
</bpmndi:BPMNDiagram>
</bpmn:definitions>

19
tests/workflow/test_evaluate_hidden_property.py Normal file
View File

@ -0,0 +1,19 @@
from tests.base_test import BaseTest
from crc.services.workflow_service import WorkflowService
class TestEvaluateHiddenProperty(BaseTest):
def test_validate_evaluate_hidden_property_hide(self):
spec_model = self.load_test_spec('eval_hidden_property_hide')
result = WorkflowService.test_spec(spec_model.id)
self.assertEqual(result['field_a'], False)
self.assertNotIn('field_b', result)
self.assertNotIn('field_c', result)
def test_validate_evaluate_hidden_property_display(self):
spec_model = self.load_test_spec('eval_hidden_property_display')
result = WorkflowService.test_spec(spec_model.id)
self.assertEqual(result['field_a'], True)
self.assertIn(result['field_b'], ['Yes', 'No'])
self.assertIn(result['field_c'], [True, False])