analytics: Remove buggy HttpResponseNotFound text.

Had this been in normal route, this would have been an XSS bug, as we
were passing what the developer clearly believed to be plain text into
an HTML 404 page.

The affected routes have @require_server_admin, a permission that we
do not expect any self-hosted users to have ever enabled (as it is
undocumented and doing so is only possible manually via a `manage.py
shell`, and we believe to only be useful for running a SaaS service
like zulip.com).  So the security impact is limited to a handful of
staff of zulip.com and this isn't a candidate for a CVE.

Thanks to GitHub's CodeQL for finding this.
This commit is contained in:
Tim Abbott 2021-03-18 11:31:52 -07:00
parent 209c89be10
commit 0da1bd43e9
1 changed files with 2 additions and 2 deletions

View File

@ -149,7 +149,7 @@ def stats_for_realm(request: HttpRequest, realm_str: str) -> HttpResponse:
try: try:
realm = get_realm(realm_str) realm = get_realm(realm_str)
except Realm.DoesNotExist: except Realm.DoesNotExist:
return HttpResponseNotFound(f"Realm {realm_str} does not exist") return HttpResponseNotFound()
return render_stats( return render_stats(
request, request,
@ -1729,7 +1729,7 @@ def get_realm_activity(request: HttpRequest, realm_str: str) -> HttpResponse:
try: try:
admins = Realm.objects.get(string_id=realm_str).get_human_admin_users() admins = Realm.objects.get(string_id=realm_str).get_human_admin_users()
except Realm.DoesNotExist: except Realm.DoesNotExist:
return HttpResponseNotFound(f"Realm {realm_str} does not exist") return HttpResponseNotFound()
admin_emails = {admin.delivery_email for admin in admins} admin_emails = {admin.delivery_email for admin in admins}