Enforce usage of raw definitions

This change ensures that any definitions passed are treated as raw
contents. With this change, mistral-dashboard no longer tries to load
contents based on a file path or URI passed in by users, and this
prohibits access to any local files or any internal contents accessible
without authentication.

Depends-on: https://review.opendev.org/800950
Closes-Bug: #1931558
Change-Id: I4de45cadc4e174794d0c2ef82223a9da5cbdcabc
Takashi Kajinami 2021-07-15 23:13:21 +09:00
parent 2980dfc44f
commit 8b876b0b22
3 changed files with 13 additions and 2 deletions

@ -42,7 +42,10 @@ def mistralclient(request):
'OPENSTACK_ENDPOINT_TYPE',
'internalURL'
),
service_type=SERVICE_TYPE
service_type=SERVICE_TYPE,
# We should not treat definition as file path or uri otherwise
# we allow access to contents in internal servers
enforce_raw_definition=False
)
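Review bot: the flag value on the new `enforce_raw_definition=False` line reads as the opposite of the commit title ("Enforce usage of raw definitions") and of the comment directly above it, which says definitions must not be treated as a file path or URI. Please confirm against the python-mistralclient change this depends on (800950) which value actually disables file/URI loading; if `True` is the enforcing value, this hunk leaves the dashboard in the vulnerable behaviour it is meant to remove, so the flag should be `enforce_raw_definition=True`. A unit test asserting that a definition containing a path-like or URL-like string is passed through unchanged would also make the intended behaviour explicit.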

@ -0,0 +1,8 @@
---
security:
- |
`Bug #1931558 <https://launchpad.net/bugs/1931558>`_:
Previosuly Mistral Dashboard leaked contents of local files if a user put
in a local file path in definitions. Now Mistral Dashboard no longer treats
inputs as file path or URL but it always use the raw input as resource
definitions.
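Review bot: the release note has two wording errors: "Previosuly" should be "Previously", and "it always use the raw input" should be "it always uses the raw input". Since this note is the user-facing record of the fix, consider also stating the new minimum python-mistralclient version (>=4.3.0, per the requirements hunk in this change) so operators know why the bump is needed.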

@ -4,6 +4,6 @@
pbr!=2.1.0,>=2.0.0 # Apache-2.0
iso8601>=0.1.11 # MIT
python-mistralclient!=3.2.0,>=3.1.0 # Apache-2.0
python-mistralclient>=4.3.0 # Apache-2.0
PyYAML>=3.12 # MIT
horizon>=17.1.0 # Apache-2.0
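Review bot: the bump from `python-mistralclient!=3.2.0,>=3.1.0` to `python-mistralclient>=4.3.0` is required because the `enforce_raw_definition` keyword passed in the api.py hunk does not exist in older clients; dropping the `!=3.2.0` exclusion is fine since the new floor is above it. If the project pins lower bounds anywhere else (a lower-constraints file or a test requirements file), those need the same floor, otherwise the client call fails with an unexpected keyword argument on the minimum supported version.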