14025 fix script name checking

2025-08-23 07:56:44 -06:00 · 2023-10-13 10:10:45 -07:00 · 2023-10-13 10:10:45 -07:00 · d337283095
commit d337283095
parent 3538508639
1 changed files with 22 additions and 5 deletions
--- a/netbox/extras/views.py
+++ b/netbox/extras/views.py
@ -3,7 +3,7 @@ from django.contrib.auth.mixins import LoginRequiredMixin
 from django.contrib.contenttypes.models import ContentType
 from django.core.paginator import EmptyPage
 from django.db.models import Count, Q
-from django.http import HttpResponseBadRequest, HttpResponseForbidden, HttpResponse
+from django.http import HttpResponseBadRequest, HttpResponseForbidden, HttpResponse, Http404
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse
 from django.utils.translation import gettext as _
@ -1151,13 +1151,30 @@ class ScriptListView(ContentTypePermissionRequiredMixin, View):
        })


+def get_script_module(module, request):
+    modules = ScriptModule.objects.restrict(request.user).filter(file_path__startswith=module)
+    if not modules:
+        raise Http404
+
+    if len(modules) == 1:
+        return modules[0]
+
+    # module is without the ".py" so startswith=module can return multiple if the file_path has
+    # two modules starting with the same characters "test.py" and "testfile.py"
+    for obj in modules:
+        if obj.file_path == module or obj.file_path == module + ".py":
+            return obj
+
+    raise Http404
+
+
 class ScriptView(ContentTypePermissionRequiredMixin, View):

    def get_required_permission(self):
        return 'extras.view_script'

    def get(self, request, module, name):
-        module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module + ".py")
+        module = get_script_module(module, request)
        script = module.scripts[name]()
        form = script.as_form(initial=normalize_querydict(request.GET))

@ -1181,7 +1198,7 @@ class ScriptView(ContentTypePermissionRequiredMixin, View):
        if not request.user.has_perm('extras.run_script'):
            return HttpResponseForbidden()

-        module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module)
+        module = get_script_module(module, request)
        script = module.scripts[name]()
        form = script.as_form(request.POST, request.FILES)

@ -1218,7 +1235,7 @@ class ScriptSourceView(ContentTypePermissionRequiredMixin, View):
        return 'extras.view_script'

    def get(self, request, module, name):
-        module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module)
+        module = get_script_module(module, request)
        script = module.scripts[name]()

        return render(request, 'extras/script/source.html', {
@ -1234,7 +1251,7 @@ class ScriptJobsView(ContentTypePermissionRequiredMixin, View):
        return 'extras.view_script'

    def get(self, request, module, name):
-        module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module)
+        module = get_script_module(module, request)
        script = module.scripts[name]()

        object_type = ContentType.objects.get(app_label='extras', model='scriptmodule')