Don't reveal non-existence of org

webrecorder · Nov 22, 2024 · 86f6d9b · 86f6d9b
1 parent a02f9aa
commit 86f6d9b
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/backend/btrixcloud/colls.py b/backend/btrixcloud/colls.py
@@ -399,11 +399,19 @@ async def add_successful_crawl_to_collections(self, crawl_id: str, cid: UUID):
 
     async def get_org_public_collections(self, org_slug: str):
         """List public collections for org"""
-        org = await self.orgs.get_org_by_slug(org_slug)
+        try:
+            org = await self.orgs.get_org_by_slug(org_slug)
+        # pylint: disable=broad-exception-caught
+        except Exception:
+            raise HTTPException(status_code=404, detail="public_collections_not_found")
+
         collections, _ = await self.list_collections(
             org.id,
             access=CollAccessType.PUBLIC
         )
+        if not collections:
+            raise HTTPException(status_code=404, detail="public_collections_not_found")
+
         return OrgPublicCollections(
             name=org.name,
             collections=collections

diff --git a/backend/test/test_collections.py b/backend/test/test_collections.py
@@ -766,9 +766,12 @@ def test_list_public_collections(
         assert collection["id"] in (_public_coll_id, second_public_coll_id)
         assert collection["access"] == "public"
 
-    # Test non-existing slug
+    # Test non-existing slug - it should return a 404 specifying that
+    # public collections weren't found but not reveal whether or not
+    # an org exists with that slug
     r = requests.get(f"{API_PREFIX}/orgs/nonexistentslug/collections/public")
     assert r.status_code == 404
+    assert r.json()["detail"] == "public_collections_not_found"
 
 
 def test_delete_collection(crawler_auth_headers, default_org_id, crawler_crawl_id):