Enforce usage of raw definitions
This change ensures that any definitions passed is treated as raw contents. With this change mistral-dashboard no longer tries to load contents based on file path or uri passed in by users, and this prohibits access to any local files or any internal contents accessible without authentication. Depends-on: https://review.opendev.org/800950 Closes-Bug: #1931558 Change-Id: I4de45cadc4e174794d0c2ef82223a9da5cbdcabc
This commit is contained in:
parent
2980dfc44f
commit
8b876b0b22
@ -42,7 +42,10 @@ def mistralclient(request):
|
|||||||
'OPENSTACK_ENDPOINT_TYPE',
|
'OPENSTACK_ENDPOINT_TYPE',
|
||||||
'internalURL'
|
'internalURL'
|
||||||
),
|
),
|
||||||
service_type=SERVICE_TYPE
|
service_type=SERVICE_TYPE,
|
||||||
|
# We should not treat definition as file path or uri otherwise
|
||||||
|
# we allow access to contents in internal servers
|
||||||
|
enforce_raw_definition=False
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
8
releasenotes/notes/bug-1931558-4674cdde721dfab8.yaml
Normal file
8
releasenotes/notes/bug-1931558-4674cdde721dfab8.yaml
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
`Bug #1931558 <https://launchpad.net/bugs/1931558>`_:
|
||||||
|
Previosuly Mistral Dashboard leaked contents of local files if a user put
|
||||||
|
in a local file path in definitions. Now Mistral Dashboard no longer treats
|
||||||
|
inputs as file path or URL but it always use the raw input as resource
|
||||||
|
definitions.
|
@ -4,6 +4,6 @@
|
|||||||
|
|
||||||
pbr!=2.1.0,>=2.0.0 # Apache-2.0
|
pbr!=2.1.0,>=2.0.0 # Apache-2.0
|
||||||
iso8601>=0.1.11 # MIT
|
iso8601>=0.1.11 # MIT
|
||||||
python-mistralclient!=3.2.0,>=3.1.0 # Apache-2.0
|
python-mistralclient>=4.3.0 # Apache-2.0
|
||||||
PyYAML>=3.12 # MIT
|
PyYAML>=3.12 # MIT
|
||||||
horizon>=17.1.0 # Apache-2.0
|
horizon>=17.1.0 # Apache-2.0
|
||||||
|
Loading…
Reference in New Issue
Block a user