
Commit 7983c25

authored
14025 fix script name checking (#14030)
* 14025 fix script name checking * 14025 fix script name checking * 14025 add file extension validation and simplify get logic * 14025 match start of string with regex * 14025 backout changes to model_forms * 14025 add filepatch checking to reports
1 parent d77d45e commit 7983c25


1 file changed

+16
-8
lines changed


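--- a/netbox/extras/views.py
+++ b/netbox/extras/views.py
@@ -978,6 +978,10 @@ def get(self, request):
 })
 
 
+def get_report_module(module, request):
+return get_object_or_404(ReportModule.objects.restrict(request.user), file_path__regex=f"^{module}\\.")
+
+
 class ReportView(ContentTypePermissionRequiredMixin, View):
 """
 Display a single Report and its associated Job (if any).
@@ -986,7 +990,7 @@ def get_required_permission(self):
 return 'extras.view_report'
 
 def get(self, request, module, name):
-module = get_object_or_404(ReportModule.objects.restrict(request.user), file_path__startswith=module)
+module = get_report_module(module, request)
 report = module.reports[name]()
 
 object_type = ContentType.objects.get(app_label='extras', model='reportmodule')
@@ -1007,7 +1011,7 @@ def post(self, request, module, name):
 if not request.user.has_perm('extras.run_report'):
 return HttpResponseForbidden()
 
-module = get_object_or_404(ReportModule.objects.restrict(request.user), file_path__startswith=module)
+module = get_report_module(module, request)
 report = module.reports[name]()
 form = ReportForm(request.POST, scheduling_enabled=report.scheduling_enabled)
 
@@ -1046,7 +1050,7 @@ def get_required_permission(self):
 return 'extras.view_report'
 
 def get(self, request, module, name):
-module = get_object_or_404(ReportModule.objects.restrict(request.user), file_path__startswith=module)
+module = get_report_module(module, request)
 report = module.reports[name]()
 
 return render(request, 'extras/report/source.html', {
@@ -1062,7 +1066,7 @@ def get_required_permission(self):
 return 'extras.view_report'
 
 def get(self, request, module, name):
-module = get_object_or_404(ReportModule.objects.restrict(request.user), file_path__startswith=module)
+module = get_report_module(module, request)
 report = module.reports[name]()
 
 object_type = ContentType.objects.get(app_label='extras', model='reportmodule')
@@ -1151,13 +1155,17 @@ def get(self, request):
 })
 
 
+def get_script_module(module, request):
+return get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__regex=f"^{module}\\.")
+
+
 class ScriptView(ContentTypePermissionRequiredMixin, View):
 
 def get_required_permission(self):
 return 'extras.view_script'
 
 def get(self, request, module, name):
-module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module)
+module = get_script_module(module, request)
 script = module.scripts[name]()
 form = script.as_form(initial=normalize_querydict(request.GET))
 
@@ -1181,7 +1189,7 @@ def post(self, request, module, name):
 if not request.user.has_perm('extras.run_script'):
 return HttpResponseForbidden()
 
-module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module)
+module = get_script_module(module, request)
 script = module.scripts[name]()
 form = script.as_form(request.POST, request.FILES)
 
@@ -1218,7 +1226,7 @@ def get_required_permission(self):
 return 'extras.view_script'
 
 def get(self, request, module, name):
-module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module)
+module = get_script_module(module, request)
 script = module.scripts[name]()
 
 return render(request, 'extras/script/source.html', {
@@ -1234,7 +1242,7 @@ def get_required_permission(self):
 return 'extras.view_script'
 
 def get(self, request, module, name):
-module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module)
+module = get_script_module(module, request)
 script = module.scripts[name]()
 
 object_type = ContentType.objects.get(app_label='extras', model='scriptmodule')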
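Review bot: Both new helpers, `get_report_module` in the first hunk and `get_script_module` in the sixth, interpolate the URL-supplied `module` segment into a database regex unescaped (`file_path__regex=f"^{module}\\."`), so any regex metacharacters in that segment are interpreted as pattern syntax rather than matched literally: the lookup can then resolve to a module other than the one named, and a malformed pattern would likely surface as a database error (HTTP 500) instead of the 404 the helper exists to produce. Because the queryset is first narrowed by `restrict(request.user)`, the exposure stays within objects the caller may already view, so this is a correctness and robustness defect rather than a permission bypass, unless the URL pattern already limits `module` to a fixed character set. Escaping the segment preserves the intended "whole module name followed by a dot" match: `return get_object_or_404(ReportModule.objects.restrict(request.user), file_path__regex=rf"^{re.escape(module)}\.")` (with `re` imported), and the same change on the corresponding line of `get_script_module`. A one-line docstring on each helper, e.g. `"""Return the ReportModule whose file_path is <module>.<ext>, or raise Http404."""`, would record that the trailing dot is what stops `foo` from also matching `foobar`, which appears to be the name-checking bug this commit addresses.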
