
14025 fix script name checking (#14030)

* 14025 fix script name checking

* 14025 fix script name checking

* 14025 add file extension validation and simplify get logic

* 14025 match start of string with regex

* 14025 backout changes to model_forms

* 14025 add filepatch checking to reports
Arthur Hanson %!s(int64=2) %!d(string=hai) anos
pai
achega
7983c2590e
Modificáronse 1 ficheiros con 16 adicións e 8 borrados
  1. 16 8
      netbox/extras/views.py

+ 16 - 8
netbox/extras/views.py

@@ -978,6 +978,10 @@ class ReportListView(ContentTypePermissionRequiredMixin, View):
         })
 
 
+def get_report_module(module, request):
+    return get_object_or_404(ReportModule.objects.restrict(request.user), file_path__regex=f"^{module}\\.")
+
+
 class ReportView(ContentTypePermissionRequiredMixin, View):
     """
     Display a single Report and its associated Job (if any).
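Review bot: In `get_report_module` the URL segment `module` is interpolated into the regex pattern unescaped, so a path segment containing regex metacharacters changes the meaning of the `file_path__regex` query instead of being treated as a literal module name; the same applies to `get_script_module` in the later hunk. The `restrict(request.user)` call still enforces object permissions, so the likely effect is wrong or ambiguous resolution (a multi-match raises rather than 404) and unnecessary regex work on the database, but the lookup should be literal either way. Escaping the value keeps the intended "starts with `<module>.`" semantics: `return get_object_or_404(ReportModule.objects.restrict(request.user), file_path__regex=f"^{re.escape(module)}\\.")`, with `import re` added at the top of the file if it is not already there. A one-line docstring such as `"""Resolve the ReportModule whose file_path begins with `<module>.`, or raise 404."""` would also help, since the regex form is less obvious than the `startswith` it replaces.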
@@ -986,7 +990,7 @@ class ReportView(ContentTypePermissionRequiredMixin, View):
         return 'extras.view_report'
 
     def get(self, request, module, name):
-        module = get_object_or_404(ReportModule.objects.restrict(request.user), file_path__startswith=module)
+        module = get_report_module(module, request)
         report = module.reports[name]()
 
         object_type = ContentType.objects.get(app_label='extras', model='reportmodule')
@@ -1007,7 +1011,7 @@ class ReportView(ContentTypePermissionRequiredMixin, View):
         if not request.user.has_perm('extras.run_report'):
             return HttpResponseForbidden()
 
-        module = get_object_or_404(ReportModule.objects.restrict(request.user), file_path__startswith=module)
+        module = get_report_module(module, request)
         report = module.reports[name]()
         form = ReportForm(request.POST, scheduling_enabled=report.scheduling_enabled)
 
@@ -1046,7 +1050,7 @@ class ReportSourceView(ContentTypePermissionRequiredMixin, View):
         return 'extras.view_report'
 
     def get(self, request, module, name):
-        module = get_object_or_404(ReportModule.objects.restrict(request.user), file_path__startswith=module)
+        module = get_report_module(module, request)
         report = module.reports[name]()
 
         return render(request, 'extras/report/source.html', {
@@ -1062,7 +1066,7 @@ class ReportJobsView(ContentTypePermissionRequiredMixin, View):
         return 'extras.view_report'
 
     def get(self, request, module, name):
-        module = get_object_or_404(ReportModule.objects.restrict(request.user), file_path__startswith=module)
+        module = get_report_module(module, request)
         report = module.reports[name]()
 
         object_type = ContentType.objects.get(app_label='extras', model='reportmodule')
@@ -1151,13 +1155,17 @@ class ScriptListView(ContentTypePermissionRequiredMixin, View):
         })
 
 
+def get_script_module(module, request):
+    return get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__regex=f"^{module}\\.")
+
+
 class ScriptView(ContentTypePermissionRequiredMixin, View):
 
     def get_required_permission(self):
         return 'extras.view_script'
 
     def get(self, request, module, name):
-        module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module)
+        module = get_script_module(module, request)
         script = module.scripts[name]()
         form = script.as_form(initial=normalize_querydict(request.GET))
 
@@ -1181,7 +1189,7 @@ class ScriptView(ContentTypePermissionRequiredMixin, View):
         if not request.user.has_perm('extras.run_script'):
             return HttpResponseForbidden()
 
-        module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module)
+        module = get_script_module(module, request)
         script = module.scripts[name]()
         form = script.as_form(request.POST, request.FILES)
 
@@ -1218,7 +1226,7 @@ class ScriptSourceView(ContentTypePermissionRequiredMixin, View):
         return 'extras.view_script'
 
     def get(self, request, module, name):
-        module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module)
+        module = get_script_module(module, request)
         script = module.scripts[name]()
 
         return render(request, 'extras/script/source.html', {
@@ -1234,7 +1242,7 @@ class ScriptJobsView(ContentTypePermissionRequiredMixin, View):
         return 'extras.view_script'
 
     def get(self, request, module, name):
-        module = get_object_or_404(ScriptModule.objects.restrict(request.user), file_path__startswith=module)
+        module = get_script_module(module, request)
         script = module.scripts[name]()
 
         object_type = ContentType.objects.get(app_label='extras', model='scriptmodule')