From e4790f906073af7819510483fb819bf56d2f156e Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Mon, 23 Aug 2021 15:17:13 +0200
Subject: [PATCH] core: handle error when ?for_user is not numberical
Signed-off-by: Jens Langhammer
---
 authentik/core/api/applications.py | 5 ++++-
 authentik/root/asgi/app.py | 2 --
 authentik/root/asgi/error_handler.py | 3 ++-
 authentik/root/asgi/types.py | 1 +
 4 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/authentik/core/api/applications.py b/authentik/core/api/applications.py
index 7c9dced9df..02c19844fa 100644
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@@ -122,7 +122,10 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
 # If the current user is superuser, they can set `for_user`
 for_user = request.user
 if request.user.is_superuser and "for_user" in request.query_params:
- for_user = get_object_or_404(User, pk=request.query_params.get("for_user"))
+ try:
+ for_user = get_object_or_404(User, pk=request.query_params.get("for_user"))
+ except ValueError:
+ return HttpResponseBadRequest("for_user must be numerical")
 engine = PolicyEngine(application, for_user, request)
 engine.use_cache = False
 engine.build()
diff --git a/authentik/root/asgi/app.py b/authentik/root/asgi/app.py
index 81e6cb0514..97bbb53009 100644
--- a/authentik/root/asgi/app.py
+++ b/authentik/root/asgi/app.py
@@ -6,8 +6,6 @@ It exposes the ASGI callable as a module-level variable named ``application``.
 For more information on this file, see
 https://docs.djangoproject.com/en/3.0/howto/deployment/asgi/
 """
-from time import time
-
 import django
 from asgiref.compatibility import guarantee_single_callable
 from channels.routing import ProtocolTypeRouter, URLRouter
diff --git a/authentik/root/asgi/error_handler.py b/authentik/root/asgi/error_handler.py
index 8e76c5777f..1124b56f56 100644
--- a/authentik/root/asgi/error_handler.py
+++ b/authentik/root/asgi/error_handler.py
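Review bot: The added `except ValueError` branch returns a plain Django `HttpResponseBadRequest` from what the hunk header shows is a method on a DRF `ModelViewSet`, so this 400 skips DRF's renderers and content negotiation and is delivered as `text/html` with a bare string body, unlike the JSON error shape the rest of the API emits. Raising `rest_framework.exceptions.ValidationError({"for_user": "for_user must be numerical"})` from the except block gives the same status with a consistent body and removes the need for the `HttpResponseBadRequest` import, which this hunk does not show. Relying on `ValueError` also ties the check to the ORM's integer coercion; an explicit guard on the raw parameter before the lookup (`if not request.query_params["for_user"].isdigit(): ...`) makes the validation visible at the boundary and keeps malformed input out of the query path. The enclosing method starts and ends outside the hunk.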
@@ -17,11 +17,12 @@ class ASGIErrorHandler:
 async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
 try:
 return await self.app(scope, receive, send)
- except Exception as exc: # pylint: disable=
+ except Exception as exc: # pylint: disable=broad-except
 LOGGER.warning("Fatal ASGI exception", exc=exc)
 return await self.error_handler(send)
 async def error_handler(self, send: Send) -> None:
+ """Return a generic error message"""
 return await send(
 {
 "type": "http.request",
diff --git a/authentik/root/asgi/types.py b/authentik/root/asgi/types.py
index 842410a755..4d82a197de 100644
--- a/authentik/root/asgi/types.py
+++ b/authentik/root/asgi/types.py
@@ -1,3 +1,4 @@
+"""ASGI Types"""
 import typing
 # See https://github.com/encode/starlette/blob/master/starlette/types.py
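Review bot: The event sent on the hunk's last line has `"type": "http.request"`, which is the type of the event an ASGI application receives for an incoming request; an application replies with an `http.response.start` event (status and headers) followed by an `http.response.body` event, and a server that validates message types will reject `http.request`, so the generic 500 path this handler exists for may itself fail. The rest of the `send()` call lies outside the hunk, so the status and body actually sent cannot be confirmed here. The new docstring could also say why the body is generic, since `error_handler` receives only `send` and never the exception: `"""Send a generic error response; the caught exception is logged in __call__ and is not available here, so nothing about it reaches the client"""`. Separately, `LOGGER.warning` for a path whose message calls the exception fatal seems low; error level would make these failures visible in alerting rather than blending into routine warnings.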