[Bug]: Unrestricted dynamic __import__ in ajax_autocomplete

[devswithme]

Description

There is a critical vulnerability in esp/db/views.py where the ajax_autocomplete view accepted model_module and model_name directly from request.GET and passed them to import(). Any authenticated user could import and call methods on arbitrary Python modules on the server.

Steps to Reproduce

No response

Expected Behavior

No response

Actual Behavior

No response

Screenshots

No response

Operating System

No response

Browser

No response

Additional Context

No response

[github-actions]

👋 Thanks for opening your first issue here! We appreciate you taking the time to report this.

What happens next:

• A maintainer will review your issue and may ask follow-up questions
• Please check the existing issues to see if this has been reported before
• For setup help, see our documentation

We're a volunteer-run project, so responses may take some time. Thank you for your patience! 🙏

[willgearty]

Thanks for submitting this bug report. Linking to the problem in our codebase would be useful. Proposing a solution would also be helpful.

[logicwithharshal]

can i work on this issue?

[github-actions]

👋 Hi @logicwithharshal! It looks like you'd like to work on this issue. To get assigned, please comment /assign and I'll handle the rest.

📖 Getting Started · Contribution Rules · Code of Conduct

[logicwithharshal]

/assign

[github-actions]

✅ @logicwithharshal has been assigned to this issue. You have 5/5 issue(s) assigned.

📖 Getting Started · Contribution Rules · Code of Conduct

[devswithme]

/assign

[github-actions]

⚠️ Sorry @devswithme, this issue is already assigned to @logicwithharshal. Please look for another open issue to work on!

[devswithme]

Hi @logicwithharshal and @willgearty. Can I be assigned to this issue or is it irreversible? since I have pulled request before #5358 and opened the issue? Thanks for the understanding.

[github-actions]

⚠️ Sorry @devswithme, this issue is already assigned to @logicwithharshal. Please look for another open issue to work on!

📖 Getting Started · Contribution Rules · Code of Conduct