Enforce usage of raw definitions

This change ensures that any definitions passed is treated as raw
contents. With this change mistral-dashboard no longer tries to load
contents based on file path or uri passed in by users, and this
prohibits access to any local files or any internal contents accessible
without authentication.

Depends-on: https://review.opendev.org/800950
Closes-Bug: #1931558
Change-Id: I4de45cadc4e174794d0c2ef82223a9da5cbdcabc
changes/52/800952/4
Takashi Kajinami 2 years ago
parent 2980dfc44f
commit 8b876b0b22

@ -42,7 +42,10 @@ def mistralclient(request):
'OPENSTACK_ENDPOINT_TYPE',
'internalURL'
),
service_type=SERVICE_TYPE
service_type=SERVICE_TYPE,
# We should not treat definition as file path or uri otherwise
# we allow access to contents in internal servers
enforce_raw_definition=False
)

@ -0,0 +1,8 @@
---
security:
- |
`Bug #1931558 <https://launchpad.net/bugs/1931558>`_:
Previosuly Mistral Dashboard leaked contents of local files if a user put
in a local file path in definitions. Now Mistral Dashboard no longer treats
inputs as file path or URL but it always use the raw input as resource
definitions.

@ -4,6 +4,6 @@
pbr!=2.1.0,>=2.0.0 # Apache-2.0
iso8601>=0.1.11 # MIT
python-mistralclient!=3.2.0,>=3.1.0 # Apache-2.0
python-mistralclient>=4.3.0 # Apache-2.0
PyYAML>=3.12 # MIT
horizon>=17.1.0 # Apache-2.0

Loading…
Cancel
Save