Enforce usage of raw definitions

This change ensures that any definitions passed is treated as raw
contents. With this change mistral-dashboard no longer tries to load
contents based on file path or uri passed in by users, and this
prohibits access to any local files or any internal contents accessible
without authentication.

Depends-on: https://review.opendev.org/800950
Closes-Bug: #1931558
Change-Id: I4de45cadc4e174794d0c2ef82223a9da5cbdcabc

mistraldashboard/api.py

@@ -42,7 +42,10 @@ def mistralclient(request):
             'OPENSTACK_ENDPOINT_TYPE',
             'internalURL'
         ),
-        service_type=SERVICE_TYPE
+        service_type=SERVICE_TYPE,
+        # We should not treat definition as file path or uri otherwise
+        # we allow access to contents in internal servers
+        enforce_raw_definition=False
     )
 
 

releasenotes/notes/bug-1931558-4674cdde721dfab8.yaml

@@ -0,0 +1,8 @@
+---
+security:
+  - |
+    `Bug #1931558 <https://launchpad.net/bugs/1931558>`_:
+    Previosuly Mistral Dashboard leaked contents of local files if a user put
+    in a local file path in definitions. Now Mistral Dashboard no longer treats
+    inputs as file path or URL but it always use the raw input as resource
+    definitions.

requirements.txt

@@ -4,6 +4,6 @@
 
 pbr!=2.1.0,>=2.0.0 # Apache-2.0
 iso8601>=0.1.11 # MIT
-python-mistralclient!=3.2.0,>=3.1.0 # Apache-2.0
+python-mistralclient>=4.3.0 # Apache-2.0
 PyYAML>=3.12 # MIT
 horizon>=17.1.0  # Apache-2.0