Merge branch 'develop' into feature

2022-08-08 15:39:03 -04:00 · 2022-08-08 15:39:03 -04:00 · 1b88b36820
parent 56433cf855 064d7f3bd0
commit 1b88b36820
14 changed files with 53 additions and 37 deletions
--- a/base_requirements.txt
+++ b/base_requirements.txt
@ -4,7 +4,7 @@ bleach

 # The Python web framework on which NetBox is built
 # https://github.com/django/django
-Django
+Django<4.1

 # Django middleware which permits cross-domain API requests
 # https://github.com/OttoYiu/django-cors-headers
--- a/docs/release-notes/version-3.2.md
+++ b/docs/release-notes/version-3.2.md
@ -1,6 +1,10 @@
 # NetBox v3.2

-## v3.2.8 (FUTURE)
+## v3.2.9 (FUTURE)
+
+---
+
+## v3.2.8 (2022-08-08)

 ### Enhancements

@ -11,13 +15,20 @@
 * [#9881](https://github.com/netbox-community/netbox/issues/9881) - Increase granularity in utilization graph values
 * [#9882](https://github.com/netbox-community/netbox/issues/9882) - Add manufacturer column to modules table
 * [#9883](https://github.com/netbox-community/netbox/issues/9883) - Linkify location column in power panels table
+* [#9906](https://github.com/netbox-community/netbox/issues/9906) - Include `color` attribute in front & rear port YAML import/export

 ### Bug Fixes

+* [#9827](https://github.com/netbox-community/netbox/issues/9827) - Fix assignment of module bay position during bulk creation
 * [#9871](https://github.com/netbox-community/netbox/issues/9871) - Fix utilization graph value alignments
 * [#9884](https://github.com/netbox-community/netbox/issues/9884) - Prevent querying assigned VRF on prefix object init
 * [#9885](https://github.com/netbox-community/netbox/issues/9885) - Fix child prefix counts when editing/deleting aggregates in bulk
 * [#9891](https://github.com/netbox-community/netbox/issues/9891) - Ensure consistent ordering for tags during object serialization
+* [#9919](https://github.com/netbox-community/netbox/issues/9919) - Fix potential XSS avenue via linked objects in tables
+* [#9948](https://github.com/netbox-community/netbox/issues/9948) - Fix TypeError exception when requesting API tokens list as non-authenticated user
+* [#9949](https://github.com/netbox-community/netbox/issues/9949) - Fix KeyError exception resulting from invalid API token provisioning request
+* [#9950](https://github.com/netbox-community/netbox/issues/9950) - Prevent redirection to arbitrary URLs via `next` parameter on login URL
+* [#9952](https://github.com/netbox-community/netbox/issues/9952) - Prevent InvalidMove when attempting to assign a nested child object as parent

 ---

--- a/netbox/dcim/forms/object_import.py
+++ b/netbox/dcim/forms/object_import.py
@ -156,7 +156,7 @@ class FrontPortTemplateImportForm(ComponentTemplateImportForm):
    class Meta:
        model = FrontPortTemplate
        fields = [
-            'device_type', 'module_type', 'name', 'type', 'rear_port', 'rear_port_position', 'label', 'description',
+            'device_type', 'module_type', 'name', 'type', 'color', 'rear_port', 'rear_port_position', 'label', 'description',
        ]


@ -168,7 +168,7 @@ class RearPortTemplateImportForm(ComponentTemplateImportForm):
    class Meta:
        model = RearPortTemplate
        fields = [
-            'device_type', 'module_type', 'name', 'type', 'positions', 'label', 'description',
+            'device_type', 'module_type', 'name', 'type', 'color', 'positions', 'label', 'description',
        ]


--- a/netbox/dcim/models/device_component_templates.py
+++ b/netbox/dcim/models/device_component_templates.py
@ -478,6 +478,7 @@ class FrontPortTemplate(ModularComponentTemplateModel):
        return {
            'name': self.name,
            'type': self.type,
+            'color': self.color,
            'rear_port': self.rear_port.name,
            'rear_port_position': self.rear_port_position,
            'label': self.label,
@ -527,6 +528,7 @@ class RearPortTemplate(ModularComponentTemplateModel):
        return {
            'name': self.name,
            'type': self.type,
+            'color': self.color,
            'positions': self.positions,
            'label': self.label,
            'description': self.description,
--- a/netbox/dcim/views.py
+++ b/netbox/dcim/views.py
@ -2721,6 +2721,7 @@ class DeviceBulkAddModuleBayView(generic.BulkComponentCreateView):
    filterset = filtersets.DeviceFilterSet
    table = tables.DeviceTable
    default_return_url = 'dcim:device_list'
+    patterned_fields = ('name', 'label', 'position')


 class DeviceBulkAddDeviceBayView(generic.BulkComponentCreateView):
@ -3066,7 +3067,7 @@ class VirtualChassisAddMemberView(ObjectPermissionRequiredMixin, GetReturnURLMix
            if membership_form.is_valid():

                membership_form.save()
-                msg = 'Added member <a href="{}">{}</a>'.format(device.get_absolute_url(), escape(device))
+                msg = f'Added member <a href="{device.get_absolute_url()}">{escape(device)}</a>'
                messages.success(request, mark_safe(msg))

                if '_addanother' in request.POST:
@ -3111,8 +3112,7 @@ class VirtualChassisRemoveMemberView(ObjectPermissionRequiredMixin, GetReturnURL
        # Protect master device from being removed
        virtual_chassis = VirtualChassis.objects.filter(master=device).first()
        if virtual_chassis is not None:
-            msg = 'Unable to remove master device {} from the virtual chassis.'.format(escape(device))
-            messages.error(request, mark_safe(msg))
+            messages.error(request, f'Unable to remove master device {device} from the virtual chassis.')
            return redirect(device.get_absolute_url())

        if form.is_valid():
--- a/netbox/netbox/models/init.py
+++ b/netbox/netbox/models/init.py
@ -109,9 +109,9 @@ class NestedGroupModel(NetBoxFeatureSet, MPTTModel):
        super().clean()

        # An MPTT model cannot be its own parent
-        if self.pk and self.parent_id == self.pk:
+        if self.pk and self.parent and self.parent in self.get_descendants(include_self=True):
            raise ValidationError({
-                "parent": "Cannot assign self as parent."
+                "parent": f"Cannot assign self or child {self._meta.verbose_name} as parent."
            })


--- a/netbox/netbox/tables/columns.py
+++ b/netbox/netbox/tables/columns.py
@ -7,6 +7,7 @@ from django.contrib.auth.models import AnonymousUser
 from django.db.models import DateField, DateTimeField
 from django.template import Context, Template
 from django.urls import reverse
+from django.utils.html import escape
 from django.utils.formats import date_format
 from django.utils.safestring import mark_safe
 from django_tables2.columns import library
@ -428,8 +429,8 @@ class CustomFieldColumn(tables.Column):
    @staticmethod
    def _likify_item(item):
        if hasattr(item, 'get_absolute_url'):
-            return f'<a href="{item.get_absolute_url()}">{item}</a>'
-        return item
+            return f'<a href="{item.get_absolute_url()}">{escape(item)}</a>'
+        return escape(item)

    def render(self, value):
        if self.customfield.type == CustomFieldTypeChoices.TYPE_BOOLEAN and value is True:
@ -437,13 +438,13 @@ class CustomFieldColumn(tables.Column):
        if self.customfield.type == CustomFieldTypeChoices.TYPE_BOOLEAN and value is False:
            return mark_safe('<i class="mdi mdi-close-thick text-danger"></i>')
        if self.customfield.type == CustomFieldTypeChoices.TYPE_URL:
-            return mark_safe(f'<a href="{value}">{value}</a>')
+            return mark_safe(f'<a href="{escape(value)}">{escape(value)}</a>')
        if self.customfield.type == CustomFieldTypeChoices.TYPE_MULTISELECT:
            return ', '.join(v for v in value)
        if self.customfield.type == CustomFieldTypeChoices.TYPE_MULTIOBJECT:
-            return mark_safe(', '.join([
+            return mark_safe(', '.join(
                self._likify_item(obj) for obj in self.customfield.deserialize(value)
-            ]))
+            ))
        if value is not None:
            obj = self.customfield.deserialize(value)
            return mark_safe(self._likify_item(obj))
--- a/netbox/netbox/views/generic/bulk_views.py
+++ b/netbox/netbox/views/generic/bulk_views.py
@ -770,6 +770,7 @@ class BulkComponentCreateView(GetReturnURLMixin, BaseMultiObjectView):
    model_form = None
    filterset = None
    table = None
+    patterned_fields = ('name', 'label')

    def get_required_permission(self):
        return f'dcim.add_{self.queryset.model._meta.model_name}'
@ -805,16 +806,16 @@ class BulkComponentCreateView(GetReturnURLMixin, BaseMultiObjectView):

                        for obj in data['pk']:

-                            names = data['name_pattern']
-                            labels = data['label_pattern'] if 'label_pattern' in data else None
-                            for i, name in enumerate(names):
-                                label = labels[i] if labels else None
-
+                            pattern_count = len(data[f'{self.patterned_fields[0]}_pattern'])
+                            for i in range(pattern_count):
                                component_data = {
-                                    self.parent_field: obj.pk,
-                                    'name': name,
-                                    'label': label
+                                    self.parent_field: obj.pk
                                }
+
+                                for field_name in self.patterned_fields:
+                                    if data.get(f'{field_name}_pattern'):
+                                        component_data[field_name] = data[f'{field_name}_pattern'][i]
+
                                component_data.update(data)
                                component_form = self.model_form(component_data)
                                if component_form.is_valid():
--- a/netbox/netbox/views/generic/object_views.py
+++ b/netbox/netbox/views/generic/object_views.py
@ -389,10 +389,10 @@ class ObjectEditView(GetReturnURLMixin, BaseObjectView):
                )
                logger.info(f"{msg} {obj} (PK: {obj.pk})")
                if hasattr(obj, 'get_absolute_url'):
-                    msg = '{} <a href="{}">{}</a>'.format(msg, obj.get_absolute_url(), escape(obj))
+                    msg = mark_safe(f'{msg} <a href="{obj.get_absolute_url()}">{escape(obj)}</a>')
                else:
-                    msg = '{} {}'.format(msg, escape(obj))
-                messages.success(request, mark_safe(msg))
+                    msg = f'{msg} {obj}'
+                messages.success(request, msg)

                if '_addanother' in request.POST:
                    redirect_url = request.path
--- a/netbox/users/api/views.py
+++ b/netbox/users/api/views.py
@ -58,6 +58,8 @@ class TokenViewSet(NetBoxModelViewSet):
        # Workaround for schema generation (drf_yasg)
        if getattr(self, 'swagger_fake_view', False):
            return queryset.none()
+        if not self.request.user.is_authenticated:
+            return queryset.none()
        if self.request.user.is_superuser:
            return queryset
        return queryset.filter(user=self.request.user)
@ -74,11 +76,11 @@ class TokenProvisionView(APIView):
        serializer.is_valid()

        # Authenticate the user account based on the provided credentials
-        user = authenticate(
-            request=request,
-            username=serializer.data['username'],
-            password=serializer.data['password']
-        )
+        username = serializer.data.get('username')
+        password = serializer.data.get('password')
+        if not username or not password:
+            raise AuthenticationFailed("Username and password must be provided to provision a token.")
+        user = authenticate(request=request, username=username, password=password)
        if user is None:
            raise AuthenticationFailed("Invalid username/password")

--- a/netbox/users/views.py
+++ b/netbox/users/views.py
@ -10,6 +10,7 @@ from django.http import HttpResponseRedirect
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse
 from django.utils.decorators import method_decorator
+from django.utils.http import url_has_allowed_host_and_scheme
 from django.views.decorators.debug import sensitive_post_parameters
 from django.views.generic import View
 from social_core.backends.utils import load_backends
@ -92,7 +93,7 @@ class LoginView(View):
        data = request.POST if request.method == "POST" else request.GET
        redirect_url = data.get('next', settings.LOGIN_REDIRECT_URL)

-        if redirect_url and redirect_url.startswith('/'):
+        if redirect_url and url_has_allowed_host_and_scheme(redirect_url, allowed_hosts=None):
            logger.debug(f"Redirecting user to {redirect_url}")
        else:
            if redirect_url:
--- a/netbox/utilities/templatetags/builtins/filters.py
+++ b/netbox/utilities/templatetags/builtins/filters.py
@ -86,8 +86,8 @@ def placeholder(value):
    """
    if value not in ('', None):
        return value
-    placeholder = '<span class="text-muted">&mdash;</span>'
-    return mark_safe(placeholder)
+
+    return mark_safe('<span class="text-muted">&mdash;</span>')


@register.filter()
--- a/netbox/utilities/templatetags/helpers.py
+++ b/netbox/utilities/templatetags/helpers.py
@ -109,9 +109,7 @@ def annotated_date(date_value):
        long_ts = date(date_value, 'DATETIME_FORMAT')
        short_ts = date(date_value, 'SHORT_DATETIME_FORMAT')

-    span = f'<span title="{long_ts}">{short_ts}</span>'
-
-    return mark_safe(span)
+    return mark_safe(f'<span title="{long_ts}">{short_ts}</span>')


@register.simple_tag
--- a/requirements.txt
+++ b/requirements.txt
@ -26,7 +26,7 @@ netaddr==0.8.0
 Pillow==9.2.0
 psycopg2-binary==2.9.3
 PyYAML==6.0
-sentry-sdk==1.9.0
+sentry-sdk==1.9.2
 social-auth-app-django==5.0.0
 social-auth-core==4.3.0
 svgwrite==1.4.3