diff --git a/base_requirements.txt b/base_requirements.txt
index 59d4b8255..363f97b31 100644
--- a/base_requirements.txt
+++ b/base_requirements.txt
@@ -4,7 +4,7 @@ bleach
# The Python web framework on which NetBox is built
# https://github.com/django/django
-Django
+Django<4.1
# Django middleware which permits cross-domain API requests
# https://github.com/OttoYiu/django-cors-headers
diff --git a/docs/release-notes/version-3.2.md b/docs/release-notes/version-3.2.md
index 5e538890c..56a35cc02 100644
--- a/docs/release-notes/version-3.2.md
+++ b/docs/release-notes/version-3.2.md
@@ -1,6 +1,10 @@
# NetBox v3.2
-## v3.2.8 (FUTURE)
+## v3.2.9 (FUTURE)
+
+---
+
+## v3.2.8 (2022-08-08)
### Enhancements
@@ -11,13 +15,20 @@
* [#9881](https://github.com/netbox-community/netbox/issues/9881) - Increase granularity in utilization graph values
* [#9882](https://github.com/netbox-community/netbox/issues/9882) - Add manufacturer column to modules table
* [#9883](https://github.com/netbox-community/netbox/issues/9883) - Linkify location column in power panels table
+* [#9906](https://github.com/netbox-community/netbox/issues/9906) - Include `color` attribute in front & rear port YAML import/export
### Bug Fixes
+* [#9827](https://github.com/netbox-community/netbox/issues/9827) - Fix assignment of module bay position during bulk creation
* [#9871](https://github.com/netbox-community/netbox/issues/9871) - Fix utilization graph value alignments
* [#9884](https://github.com/netbox-community/netbox/issues/9884) - Prevent querying assigned VRF on prefix object init
* [#9885](https://github.com/netbox-community/netbox/issues/9885) - Fix child prefix counts when editing/deleting aggregates in bulk
* [#9891](https://github.com/netbox-community/netbox/issues/9891) - Ensure consistent ordering for tags during object serialization
+* [#9919](https://github.com/netbox-community/netbox/issues/9919) - Fix potential XSS avenue via linked objects in tables
+* [#9948](https://github.com/netbox-community/netbox/issues/9948) - Fix TypeError exception when requesting API tokens list as non-authenticated user
+* [#9949](https://github.com/netbox-community/netbox/issues/9949) - Fix KeyError exception resulting from invalid API token provisioning request
+* [#9950](https://github.com/netbox-community/netbox/issues/9950) - Prevent redirection to arbitrary URLs via `next` parameter on login URL
+* [#9952](https://github.com/netbox-community/netbox/issues/9952) - Prevent InvalidMove when attempting to assign a nested child object as parent
---
diff --git a/netbox/dcim/forms/object_import.py b/netbox/dcim/forms/object_import.py
index a51f48c5b..023aba8f1 100644
--- a/netbox/dcim/forms/object_import.py
+++ b/netbox/dcim/forms/object_import.py
@@ -156,7 +156,7 @@ class FrontPortTemplateImportForm(ComponentTemplateImportForm):
class Meta:
model = FrontPortTemplate
fields = [
- 'device_type', 'module_type', 'name', 'type', 'rear_port', 'rear_port_position', 'label', 'description',
+ 'device_type', 'module_type', 'name', 'type', 'color', 'rear_port', 'rear_port_position', 'label', 'description',
]
@@ -168,7 +168,7 @@ class RearPortTemplateImportForm(ComponentTemplateImportForm):
class Meta:
model = RearPortTemplate
fields = [
- 'device_type', 'module_type', 'name', 'type', 'positions', 'label', 'description',
+ 'device_type', 'module_type', 'name', 'type', 'color', 'positions', 'label', 'description',
]
diff --git a/netbox/dcim/models/device_component_templates.py b/netbox/dcim/models/device_component_templates.py
index 3fc1d4e61..b7079d375 100644
--- a/netbox/dcim/models/device_component_templates.py
+++ b/netbox/dcim/models/device_component_templates.py
@@ -478,6 +478,7 @@ class FrontPortTemplate(ModularComponentTemplateModel):
return {
'name': self.name,
'type': self.type,
+ 'color': self.color,
'rear_port': self.rear_port.name,
'rear_port_position': self.rear_port_position,
'label': self.label,
@@ -527,6 +528,7 @@ class RearPortTemplate(ModularComponentTemplateModel):
return {
'name': self.name,
'type': self.type,
+ 'color': self.color,
'positions': self.positions,
'label': self.label,
'description': self.description,
diff --git a/netbox/dcim/views.py b/netbox/dcim/views.py
index 4480bee6e..77c6b2218 100644
--- a/netbox/dcim/views.py
+++ b/netbox/dcim/views.py
@@ -2721,6 +2721,7 @@ class DeviceBulkAddModuleBayView(generic.BulkComponentCreateView):
filterset = filtersets.DeviceFilterSet
table = tables.DeviceTable
default_return_url = 'dcim:device_list'
+ patterned_fields = ('name', 'label', 'position')
class DeviceBulkAddDeviceBayView(generic.BulkComponentCreateView):
@@ -3066,7 +3067,7 @@ class VirtualChassisAddMemberView(ObjectPermissionRequiredMixin, GetReturnURLMix
if membership_form.is_valid():
membership_form.save()
- msg = 'Added member {}'.format(device.get_absolute_url(), escape(device))
+ msg = f'Added member {escape(device)}'
messages.success(request, mark_safe(msg))
if '_addanother' in request.POST:
@@ -3111,8 +3112,7 @@ class VirtualChassisRemoveMemberView(ObjectPermissionRequiredMixin, GetReturnURL
# Protect master device from being removed
virtual_chassis = VirtualChassis.objects.filter(master=device).first()
if virtual_chassis is not None:
- msg = 'Unable to remove master device {} from the virtual chassis.'.format(escape(device))
- messages.error(request, mark_safe(msg))
+ messages.error(request, f'Unable to remove master device {device} from the virtual chassis.')
return redirect(device.get_absolute_url())
if form.is_valid():
diff --git a/netbox/netbox/models/__init__.py b/netbox/netbox/models/__init__.py
index 2fe3503b7..b9d585952 100644
--- a/netbox/netbox/models/__init__.py
+++ b/netbox/netbox/models/__init__.py
@@ -109,9 +109,9 @@ class NestedGroupModel(NetBoxFeatureSet, MPTTModel):
super().clean()
# An MPTT model cannot be its own parent
- if self.pk and self.parent_id == self.pk:
+ if self.pk and self.parent and self.parent in self.get_descendants(include_self=True):
raise ValidationError({
- "parent": "Cannot assign self as parent."
+ "parent": f"Cannot assign self or child {self._meta.verbose_name} as parent."
})
diff --git a/netbox/netbox/tables/columns.py b/netbox/netbox/tables/columns.py
index 7da241566..f78b9f37c 100644
--- a/netbox/netbox/tables/columns.py
+++ b/netbox/netbox/tables/columns.py
@@ -7,6 +7,7 @@ from django.contrib.auth.models import AnonymousUser
from django.db.models import DateField, DateTimeField
from django.template import Context, Template
from django.urls import reverse
+from django.utils.html import escape
from django.utils.formats import date_format
from django.utils.safestring import mark_safe
from django_tables2.columns import library
@@ -428,8 +429,8 @@ class CustomFieldColumn(tables.Column):
@staticmethod
def _likify_item(item):
if hasattr(item, 'get_absolute_url'):
- return f'{item}'
- return item
+ return f'{escape(item)}'
+ return escape(item)
def render(self, value):
if self.customfield.type == CustomFieldTypeChoices.TYPE_BOOLEAN and value is True:
@@ -437,13 +438,13 @@ class CustomFieldColumn(tables.Column):
if self.customfield.type == CustomFieldTypeChoices.TYPE_BOOLEAN and value is False:
return mark_safe('')
if self.customfield.type == CustomFieldTypeChoices.TYPE_URL:
- return mark_safe(f'{value}')
+ return mark_safe(f'{escape(value)}')
if self.customfield.type == CustomFieldTypeChoices.TYPE_MULTISELECT:
return ', '.join(v for v in value)
if self.customfield.type == CustomFieldTypeChoices.TYPE_MULTIOBJECT:
- return mark_safe(', '.join([
+ return mark_safe(', '.join(
self._likify_item(obj) for obj in self.customfield.deserialize(value)
- ]))
+ ))
if value is not None:
obj = self.customfield.deserialize(value)
return mark_safe(self._likify_item(obj))
diff --git a/netbox/netbox/views/generic/bulk_views.py b/netbox/netbox/views/generic/bulk_views.py
index 20586c298..09b4fc8e9 100644
--- a/netbox/netbox/views/generic/bulk_views.py
+++ b/netbox/netbox/views/generic/bulk_views.py
@@ -770,6 +770,7 @@ class BulkComponentCreateView(GetReturnURLMixin, BaseMultiObjectView):
model_form = None
filterset = None
table = None
+ patterned_fields = ('name', 'label')
def get_required_permission(self):
return f'dcim.add_{self.queryset.model._meta.model_name}'
@@ -805,16 +806,16 @@ class BulkComponentCreateView(GetReturnURLMixin, BaseMultiObjectView):
for obj in data['pk']:
- names = data['name_pattern']
- labels = data['label_pattern'] if 'label_pattern' in data else None
- for i, name in enumerate(names):
- label = labels[i] if labels else None
-
+ pattern_count = len(data[f'{self.patterned_fields[0]}_pattern'])
+ for i in range(pattern_count):
component_data = {
- self.parent_field: obj.pk,
- 'name': name,
- 'label': label
+ self.parent_field: obj.pk
}
+
+ for field_name in self.patterned_fields:
+ if data.get(f'{field_name}_pattern'):
+ component_data[field_name] = data[f'{field_name}_pattern'][i]
+
component_data.update(data)
component_form = self.model_form(component_data)
if component_form.is_valid():
diff --git a/netbox/netbox/views/generic/object_views.py b/netbox/netbox/views/generic/object_views.py
index cb3f58123..5ff0cfdff 100644
--- a/netbox/netbox/views/generic/object_views.py
+++ b/netbox/netbox/views/generic/object_views.py
@@ -389,10 +389,10 @@ class ObjectEditView(GetReturnURLMixin, BaseObjectView):
)
logger.info(f"{msg} {obj} (PK: {obj.pk})")
if hasattr(obj, 'get_absolute_url'):
- msg = '{} {}'.format(msg, obj.get_absolute_url(), escape(obj))
+ msg = mark_safe(f'{msg} {escape(obj)}')
else:
- msg = '{} {}'.format(msg, escape(obj))
- messages.success(request, mark_safe(msg))
+ msg = f'{msg} {obj}'
+ messages.success(request, msg)
if '_addanother' in request.POST:
redirect_url = request.path
diff --git a/netbox/users/api/views.py b/netbox/users/api/views.py
index c3495afdf..66ef92ab7 100644
--- a/netbox/users/api/views.py
+++ b/netbox/users/api/views.py
@@ -58,6 +58,8 @@ class TokenViewSet(NetBoxModelViewSet):
# Workaround for schema generation (drf_yasg)
if getattr(self, 'swagger_fake_view', False):
return queryset.none()
+ if not self.request.user.is_authenticated:
+ return queryset.none()
if self.request.user.is_superuser:
return queryset
return queryset.filter(user=self.request.user)
@@ -74,11 +76,11 @@ class TokenProvisionView(APIView):
serializer.is_valid()
# Authenticate the user account based on the provided credentials
- user = authenticate(
- request=request,
- username=serializer.data['username'],
- password=serializer.data['password']
- )
+ username = serializer.data.get('username')
+ password = serializer.data.get('password')
+ if not username or not password:
+ raise AuthenticationFailed("Username and password must be provided to provision a token.")
+ user = authenticate(request=request, username=username, password=password)
if user is None:
raise AuthenticationFailed("Invalid username/password")
diff --git a/netbox/users/views.py b/netbox/users/views.py
index 1fb2baa62..06259b5ec 100644
--- a/netbox/users/views.py
+++ b/netbox/users/views.py
@@ -10,6 +10,7 @@ from django.http import HttpResponseRedirect
from django.shortcuts import get_object_or_404, redirect, render
from django.urls import reverse
from django.utils.decorators import method_decorator
+from django.utils.http import url_has_allowed_host_and_scheme
from django.views.decorators.debug import sensitive_post_parameters
from django.views.generic import View
from social_core.backends.utils import load_backends
@@ -92,7 +93,7 @@ class LoginView(View):
data = request.POST if request.method == "POST" else request.GET
redirect_url = data.get('next', settings.LOGIN_REDIRECT_URL)
- if redirect_url and redirect_url.startswith('/'):
+ if redirect_url and url_has_allowed_host_and_scheme(redirect_url, allowed_hosts=None):
logger.debug(f"Redirecting user to {redirect_url}")
else:
if redirect_url:
diff --git a/netbox/utilities/templatetags/builtins/filters.py b/netbox/utilities/templatetags/builtins/filters.py
index 5a6841286..bc395e438 100644
--- a/netbox/utilities/templatetags/builtins/filters.py
+++ b/netbox/utilities/templatetags/builtins/filters.py
@@ -86,8 +86,8 @@ def placeholder(value):
"""
if value not in ('', None):
return value
- placeholder = '—'
- return mark_safe(placeholder)
+
+ return mark_safe('—')
@register.filter()
diff --git a/netbox/utilities/templatetags/helpers.py b/netbox/utilities/templatetags/helpers.py
index db4d14c24..67ed553b2 100644
--- a/netbox/utilities/templatetags/helpers.py
+++ b/netbox/utilities/templatetags/helpers.py
@@ -109,9 +109,7 @@ def annotated_date(date_value):
long_ts = date(date_value, 'DATETIME_FORMAT')
short_ts = date(date_value, 'SHORT_DATETIME_FORMAT')
- span = f'{short_ts}'
-
- return mark_safe(span)
+ return mark_safe(f'{short_ts}')
@register.simple_tag
diff --git a/requirements.txt b/requirements.txt
index 8a7dd79d4..d6f7b4349 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -26,7 +26,7 @@ netaddr==0.8.0
Pillow==9.2.0
psycopg2-binary==2.9.3
PyYAML==6.0
-sentry-sdk==1.9.0
+sentry-sdk==1.9.2
social-auth-app-django==5.0.0
social-auth-core==4.3.0
svgwrite==1.4.3