From be1c271ec7022bf1aad74d13d00754f68384f906 Mon Sep 17 00:00:00 2001
From: Richard Blechinger <hello@pretzelhands.com>
Date: Fri, 19 Nov 2021 10:35:22 +0100
Subject: [PATCH] Add some more validation

---
 program/views.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/program/views.py b/program/views.py
index 480307ce..15655307 100644
--- a/program/views.py
+++ b/program/views.py
@@ -535,10 +535,17 @@ class APITimeSlotViewSet(viewsets.ModelViewSet):
             start = datetime.combine(datetime.strptime(self.request.query_params.get('start'), '%Y-%m-%d').date(), time(0, 0))
             end = datetime.combine(datetime.strptime(self.request.query_params.get('end'), '%Y-%m-%d').date(), time(23, 59))
 
-        # Is this safe?
-        order = self.request.query_params.get('order', '-start')
+        default_order = '-start'
+        order = self.request.query_params.get('order', default_order)
 
-        if ('surrounding' in self.request.query_params):
+        # If someone tries to sort by a field that isn't available on the model
+        # we silently ignore that and use the default sort order.
+        model_fields = [field.name for field in TimeSlot._meta.get_fields()]
+        if order not in model_fields:
+            order = default_order
+
+
+        if 'surrounding' in self.request.query_params:
             today = datetime.today()
 
             nearest_timeslots_in_future = TimeSlot.objects.filter(start__gte=today).order_by('start').values_list('id', flat=True)[:5]
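Review bot: The allowlist check on the new `if order not in model_fields:` line rejects every descending sort, because `TimeSlot._meta.get_fields()` yields bare field names while Django ordering values carry a leading `-` — even the default `'-start'` would fail the test if a client sent it explicitly, and `?order=-end` silently degrades to the default. Strip the direction prefix before the membership test, e.g. `field = order[1:] if order.startswith('-') else order` followed by `if field not in model_fields: order = default_order`, so the allowlist still blocks `__`-traversal into related models while descending sorts on real columns keep working. Note also that `get_fields()` returns reverse relations as well as concrete columns; if you only intend to allow ordering by the model's own columns, `TimeSlot._meta.concrete_fields` (or a hand-written set of sortable names) is the tighter allowlist, and building it once at class level rather than per request would be cheaper. The enclosing method begins before this hunk and the `order` value is consumed after it, so the eventual `order_by` call is not visible here.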
-- 
GitLab