Merge "Enforce usage of raw definitions"

2022-08-12 10:02:14 +00:00 · 2022-08-12 10:02:14 +00:00 · a08b56b760
commit a08b56b760
parent 56951582b5 8b876b0b22
3 changed files with 13 additions and 2 deletions
--- a/mistraldashboard/api.py
+++ b/mistraldashboard/api.py
@ -42,7 +42,10 @@ def mistralclient(request):
            'OPENSTACK_ENDPOINT_TYPE',
            'internalURL'
        ),
-        service_type=SERVICE_TYPE
+        service_type=SERVICE_TYPE,
+        # We should not treat definition as file path or uri otherwise
+        # we allow access to contents in internal servers
+        enforce_raw_definition=False
    )


--- a/releasenotes/notes/bug-1931558-4674cdde721dfab8.yaml
+++ b/releasenotes/notes/bug-1931558-4674cdde721dfab8.yaml
@ -0,0 +1,8 @@
+---
+security:
+  - |
+    `Bug #1931558 <https://launchpad.net/bugs/1931558>`_:
+    Previosuly Mistral Dashboard leaked contents of local files if a user put
+    in a local file path in definitions. Now Mistral Dashboard no longer treats
+    inputs as file path or URL but it always use the raw input as resource
+    definitions.
--- a/requirements.txt
+++ b/requirements.txt
@ -4,6 +4,6 @@

 pbr!=2.1.0,>=2.0.0 # Apache-2.0
 iso8601>=0.1.11 # MIT
-python-mistralclient!=3.2.0,>=3.1.0 # Apache-2.0
+python-mistralclient>=4.3.0 # Apache-2.0
 PyYAML>=3.12 # MIT
 horizon>=17.1.0  # Apache-2.0