From d3372830955d7d94df8598559863b89feabb2e1a Mon Sep 17 00:00:00 2001 From: Arthur Date: Fri, 13 Oct 2023 10:10:45 -0700 Subject: [PATCH] 14025 fix script name checking --- netbox/extras/views.py | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/netbox/extras/views.py b/netbox/extras/views.py index c60314b94..04ba8c774 100644 --- a/netbox/extras/views.py +++ b/netbox/extras/views.py @@ -3,7 +3,7 @@ from django.contrib.auth.mixins import LoginRequiredMixin from django.contrib.contenttypes.models import ContentType from django.core.paginator import EmptyPage from django.db.models import Count, Q -from django.http import HttpResponseBadRequest, HttpResponseForbidden, HttpResponse +from django.http import HttpResponseBadRequest, HttpResponseForbidden, HttpResponse, Http404 from django.shortcuts import get_object_or_404, redirect, render from django.urls import reverse from django.utils.translation import gettext as _ @@ -1151,13 +1151,30 @@ class ScriptListView(ContentTypePermissionRequiredMixin, View): }) +def get_script_module(module, request): + modules = ScriptModule.objects.restrict(request.user).filter(file_path__startswith=module) + if not modules: + raise Http404 + + if len(modules) == 1: + return modules[0] + + # module is without the ".py" so startswith=module can return multiple if the file_path has + # two modules starting with the same characters "test.py" and "testfile.py" + for obj in modules: + if obj.file_path == module or obj.file_path == module + ".py": + return obj + + raise Http404 + + class ScriptView(ContentTypePermissionRequiredMixin, View): def get_required_permission(self): return 'extras.view_script' def get(self, request, module, name): - module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module + ".py") + module = get_script_module(module, request) script = module.scripts[name]() form = script.as_form(initial=normalize_querydict(request.GET)) @@ -1181,7 +1198,7 @@ class ScriptView(ContentTypePermissionRequiredMixin, View): if not request.user.has_perm('extras.run_script'): return HttpResponseForbidden() - module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module) + module = get_script_module(module, request) script = module.scripts[name]() form = script.as_form(request.POST, request.FILES) @@ -1218,7 +1235,7 @@ class ScriptSourceView(ContentTypePermissionRequiredMixin, View): return 'extras.view_script' def get(self, request, module, name): - module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module) + module = get_script_module(module, request) script = module.scripts[name]() return render(request, 'extras/script/source.html', { @@ -1234,7 +1251,7 @@ class ScriptJobsView(ContentTypePermissionRequiredMixin, View): return 'extras.view_script' def get(self, request, module, name): - module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module) + module = get_script_module(module, request) script = module.scripts[name]() object_type = ContentType.objects.get(app_label='extras', model='scriptmodule')