NeoAnd/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2025-07-25 01:48:38 -06:00
Code Issues Actions 9 Packages Projects Releases Wiki Activity

14025 fix script name checking (#14030)

Browse Source 
* 14025 fix script name checking

* 14025 fix script name checking

* 14025 add file extension validation and simplify get logic

* 14025 match start of string with regex

* 14025 backout changes to model_forms

* 14025 add filepatch checking to reports
This commit is contained in:
Arthur Hanson 2023-10-17 07:57:50 -07:00 committed by GitHub
parent d77d45e795
commit 7983c2590e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
netbox/extras/views.py
View File

@ -978,6 +978,10 @@ class ReportListView(ContentTypePermissionRequiredMixin, View):
}) })
def get_report_module(module, request):
return get_object_or_404(ReportModule.objects.restrict(request.user), file_path__regex=f"^{module}\\.")
class ReportView(ContentTypePermissionRequiredMixin, View): class ReportView(ContentTypePermissionRequiredMixin, View):
""" """
Display a single Report and its associated Job (if any). Display a single Report and its associated Job (if any).
@ -986,7 +990,7 @@ class ReportView(ContentTypePermissionRequiredMixin, View):
return 'extras.view_report' return 'extras.view_report'
def get(self, request, module, name): def get(self, request, module, name):
module = get_object_or_404(ReportModule.objects.restrict(request.user), file_path__startswith=module) module = get_report_module(module, request)
report = module.reports[name]() report = module.reports[name]()
object_type = ContentType.objects.get(app_label='extras', model='reportmodule') object_type = ContentType.objects.get(app_label='extras', model='reportmodule')
@ -1007,7 +1011,7 @@ class ReportView(ContentTypePermissionRequiredMixin, View):
if not request.user.has_perm('extras.run_report'): if not request.user.has_perm('extras.run_report'):
return HttpResponseForbidden() return HttpResponseForbidden()
module = get_object_or_404(ReportModule.objects.restrict(request.user), file_path__startswith=module) module = get_report_module(module, request)
report = module.reports[name]() report = module.reports[name]()
form = ReportForm(request.POST, scheduling_enabled=report.scheduling_enabled) form = ReportForm(request.POST, scheduling_enabled=report.scheduling_enabled)
@ -1046,7 +1050,7 @@ class ReportSourceView(ContentTypePermissionRequiredMixin, View):
return 'extras.view_report' return 'extras.view_report'
def get(self, request, module, name): def get(self, request, module, name):
module = get_object_or_404(ReportModule.objects.restrict(request.user), file_path__startswith=module) module = get_report_module(module, request)
report = module.reports[name]() report = module.reports[name]()
return render(request, 'extras/report/source.html', { return render(request, 'extras/report/source.html', {
@ -1062,7 +1066,7 @@ class ReportJobsView(ContentTypePermissionRequiredMixin, View):
return 'extras.view_report' return 'extras.view_report'
def get(self, request, module, name): def get(self, request, module, name):
module = get_object_or_404(ReportModule.objects.restrict(request.user), file_path__startswith=module) module = get_report_module(module, request)
report = module.reports[name]() report = module.reports[name]()
object_type = ContentType.objects.get(app_label='extras', model='reportmodule') object_type = ContentType.objects.get(app_label='extras', model='reportmodule')
@ -1151,13 +1155,17 @@ class ScriptListView(ContentTypePermissionRequiredMixin, View):
}) })
def get_script_module(module, request):
return get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__regex=f"^{module}\\.")
class ScriptView(ContentTypePermissionRequiredMixin, View): class ScriptView(ContentTypePermissionRequiredMixin, View):
def get_required_permission(self): def get_required_permission(self):
return 'extras.view_script' return 'extras.view_script'
def get(self, request, module, name): def get(self, request, module, name):
module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module) module = get_script_module(module, request)
script = module.scripts[name]() script = module.scripts[name]()
form = script.as_form(initial=normalize_querydict(request.GET)) form = script.as_form(initial=normalize_querydict(request.GET))
@ -1181,7 +1189,7 @@ class ScriptView(ContentTypePermissionRequiredMixin, View):
if not request.user.has_perm('extras.run_script'): if not request.user.has_perm('extras.run_script'):
return HttpResponseForbidden() return HttpResponseForbidden()
module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module) module = get_script_module(module, request)
script = module.scripts[name]() script = module.scripts[name]()
form = script.as_form(request.POST, request.FILES) form = script.as_form(request.POST, request.FILES)
@ -1218,7 +1226,7 @@ class ScriptSourceView(ContentTypePermissionRequiredMixin, View):
return 'extras.view_script' return 'extras.view_script'
def get(self, request, module, name): def get(self, request, module, name):
module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module) module = get_script_module(module, request)
script = module.scripts[name]() script = module.scripts[name]()
return render(request, 'extras/script/source.html', { return render(request, 'extras/script/source.html', {
@ -1234,7 +1242,7 @@ class ScriptJobsView(ContentTypePermissionRequiredMixin, View):
return 'extras.view_script' return 'extras.view_script'
def get(self, request, module, name): def get(self, request, module, name):
module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module) module = get_script_module(module, request)
script = module.scripts[name]() script = module.scripts[name]()
object_type = ContentType.objects.get(app_label='extras', model='scriptmodule') object_type = ContentType.objects.get(app_label='extras', model='scriptmodule')