Custom input field names are not checked by backend #6

@wagner-intevation

Description

The frontend shows custom input fields according to the configuration parameter custom_input_fields. On validation and submission, the data is sent from the browser to the backend as dict named custom, for example:

  "custom": {
    "custom_classification.type": "infected-system",
    "custom_extra.target_groups": [
      "Target group:Provider",
      "Target group:Government"
    ],
    "custom_classification.identifier": "test",
    "custom_feed.code": "oneshot",
    "custom_feed.name": "oneshot-csv",
    "custom_extra.template_prefix": "",
    "custom_source.fqdn": "example.com"
  }

The backend does not check whether these field names sent by the browser are actually allowed in the configuration; a user could add any fields.

As the users are generally trusted and the configuration parameter is more a help to the user than a restriction, this is not critical, but should be addressed at some point.
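One way for the backend to enforce the allow-list the issue asks for, as an added example that is not the project's own code: it assumes custom_input_fields is a mapping of unprefixed field names to defaults and that the browser sends each name with a "custom_" prefix (both assumptions; the sample configuration is constructed from the field names shown above).

```python
# Added example (not the project's code): check the field names in the
# submitted "custom" dict against the server-side custom_input_fields
# configuration instead of trusting whatever the browser sends.
from typing import Any, Dict, List, Mapping, Set

# Constructed sample configuration, modelled on the field names in the issue.
# Assumption: configured names are unprefixed, mapped to a default value.
CUSTOM_INPUT_FIELDS: Dict[str, Any] = {
    "classification.type": "infected-system",
    "classification.identifier": "",
    "feed.code": "oneshot",
    "feed.name": "oneshot-csv",
    "extra.target_groups": [],
    "extra.template_prefix": "",
    "source.fqdn": "",
}

PREFIX = "custom_"  # assumption: the browser prefixes each configured name


class UnknownCustomFieldError(ValueError):
    """Raised when a submitted custom field is not in the configuration."""


def allowed_custom_keys(config: Mapping[str, Any] = CUSTOM_INPUT_FIELDS) -> Set[str]:
    """Keys the browser is allowed to send, derived from the configuration."""
    return {PREFIX + name for name in config}


def unknown_custom_fields(custom: Mapping[str, Any],
                          config: Mapping[str, Any] = CUSTOM_INPUT_FIELDS) -> List[str]:
    """Sorted list of submitted keys that the configuration does not allow."""
    return sorted(set(custom) - allowed_custom_keys(config))


def validate_custom_fields(custom: Mapping[str, Any],
                           config: Mapping[str, Any] = CUSTOM_INPUT_FIELDS) -> Dict[str, Any]:
    """Return the custom dict with the prefix stripped, or raise on unknown keys.

    The server-side configuration decides which fields exist; the browser's
    key names are only accepted when they match it.
    """
    if not isinstance(custom, Mapping):
        raise TypeError("custom must be a dict, got %s" % type(custom).__name__)
    unknown = unknown_custom_fields(custom, config)
    if unknown:
        raise UnknownCustomFieldError(
            "custom field(s) not allowed by custom_input_fields: " + ", ".join(unknown))
    return {key[len(PREFIX):]: value for key, value in custom.items()}
```

A lenient deployment that keeps trusting users can call unknown_custom_fields to log the extra keys instead of rejecting the submission.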
