Merge "Enforce usage of raw definitions"

Zuul 2022-08-12 10:02:14 +00:00 committed by Gerrit Code Review
commit a08b56b760
3 changed files with 13 additions and 2 deletions


@ -42,7 +42,10 @@ def mistralclient(request):
'OPENSTACK_ENDPOINT_TYPE', 'OPENSTACK_ENDPOINT_TYPE',
'internalURL' 'internalURL'
), ),
service_type=SERVICE_TYPE service_type=SERVICE_TYPE,
# We should not treat definition as file path or uri otherwise
# we allow access to contents in internal servers
enforce_raw_definition=False
) )
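Review bot: the value on the added `enforce_raw_definition=False` line contradicts the comment directly above it and the commit title. The comment says a definition must not be treated as a file path or URI, and the title says raw definitions are enforced, yet the flag is passed as False. If the keyword means what its name says, this should be `enforce_raw_definition=True`; if False really is the safe value, the comment needs to explain why. A test that submits a local file path as a definition and asserts that the path string itself is what gets sent would pin the intended behaviour down.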


@ -0,0 +1,8 @@
---
security:
- |
`Bug #1931558 <https://launchpad.net/bugs/1931558>`_:
Previosuly Mistral Dashboard leaked contents of local files if a user put
in a local file path in definitions. Now Mistral Dashboard no longer treats
inputs as file path or URL but it always use the raw input as resource
definitions.
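Review bot: typos in the note body: "Previosuly" should be "Previously", and "it always use" should be "it always uses". The note could also mention that the fix relies on the python-mistralclient minimum raised in this same change, so operators know the client has to be upgraded along with the dashboard.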


@ -4,6 +4,6 @@
pbr!=2.1.0,>=2.0.0 # Apache-2.0 pbr!=2.1.0,>=2.0.0 # Apache-2.0
iso8601>=0.1.11 # MIT iso8601>=0.1.11 # MIT
python-mistralclient!=3.2.0,>=3.1.0 # Apache-2.0 python-mistralclient>=4.3.0 # Apache-2.0
PyYAML>=3.12 # MIT PyYAML>=3.12 # MIT
horizon>=17.1.0 # Apache-2.0 horizon>=17.1.0 # Apache-2.0
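Review bot: the python-mistralclient line raises the floor from 3.1.0 to 4.3.0 without a stated reason. Dropping `!=3.2.0` is fine because that version now sits below the floor, but nothing in the change says why 4.3.0 specifically. If that is the first release that accepts the `enforce_raw_definition` keyword passed in the client constructor, say so in the commit message, and check that any lower-constraints file is raised to match, since only three files are touched here.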