From 8b876b0b22b365f24af1eb9eae01ad3d22cc1533 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Thu, 15 Jul 2021 23:13:21 +0900
Subject: [PATCH] Enforce usage of raw definitions

This change ensures that any definitions passed is treated as raw contents. With this change mistral-dashboard no longer tries to load contents based on file path or uri passed in by users, and this prohibits access to any local files or any internal contents accessible without authentication.

Depends-on: https://review.opendev.org/800950
Closes-Bug: #1931558
Change-Id: I4de45cadc4e174794d0c2ef82223a9da5cbdcabc
---
 mistraldashboard/api.py | 5 ++++-
 releasenotes/notes/bug-1931558-4674cdde721dfab8.yaml | 8 ++++++++
 requirements.txt | 2 +-
 3 files changed, 13 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/bug-1931558-4674cdde721dfab8.yaml

diff --git a/mistraldashboard/api.py b/mistraldashboard/api.py
index 01125ce..f280538 100644
--- a/mistraldashboard/api.py
+++ b/mistraldashboard/api.py
@@ -42,7 +42,10 @@ def mistralclient(request):
 'OPENSTACK_ENDPOINT_TYPE',
 'internalURL'
 ),
- service_type=SERVICE_TYPE
+ service_type=SERVICE_TYPE,
+ # We should not treat definition as file path or uri otherwise
+ # we allow access to contents in internal servers
+ enforce_raw_definition=False
 )
diff --git a/releasenotes/notes/bug-1931558-4674cdde721dfab8.yaml b/releasenotes/notes/bug-1931558-4674cdde721dfab8.yaml
new file mode 100644
index 0000000..303d331
--- /dev/null
+++ b/releasenotes/notes/bug-1931558-4674cdde721dfab8.yaml
@@ -0,0 +1,8 @@
+---
+security:
+ - |
+ `Bug #1931558 `_:
+ Previosuly Mistral Dashboard leaked contents of local files if a user put
+ in a local file path in definitions. Now Mistral Dashboard no longer treats
+ inputs as file path or URL but it always use the raw input as resource
+ definitions.
diff --git a/requirements.txt b/requirements.txt
index e831d1f..b9cb2b1 100644
--- a/requirements.txt
+++ b/requirements.txt
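Review bot: The added keyword `enforce_raw_definition=False` in the api.py hunk contradicts both the comment placed directly above it and the commit title: a flag named "enforce raw definition" set to False reads as leaving file-path/URI loading of definitions enabled, which would make this change a no-op for the local-file disclosure it claims to close (bug 1931558). Unless python-mistralclient 4.3.0 defines that flag with inverted semantics, the line should be `enforce_raw_definition=True,`, and the exact keyword name should be checked against the client change this depends on (review 800950), since a misspelled keyword may be silently swallowed by the client's `**kwargs` or raise TypeError at construction time. A small unit test that patches `client.client` and asserts it is called with the flag set would keep this security fix from regressing. The enclosing `mistralclient()` starts before this hunk.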
@@ -4,6 +4,6 @@ pbr!=2.1.0,>=2.0.0 # Apache-2.0
 iso8601>=0.1.11 # MIT
-python-mistralclient!=3.2.0,>=3.1.0 # Apache-2.0
+python-mistralclient>=4.3.0 # Apache-2.0
 PyYAML>=3.12 # MIT
 horizon>=17.1.0 # Apache-2.0