Prevents cross-site-scripting in policy panels

Change-Id: I3184b614d81ed67acc4aa1bfea9697a0acc2205f
Closes-bug: 1483372
Sumit Naiksatam 2015-08-11 19:55:45 -07:00
parent 6e6c53300f
commit 5e8f3da385
6 changed files with 106 additions and 2 deletions


@ -13,6 +13,7 @@
from django.core.urlresolvers import reverse
from django import http
from django.template.defaultfilters import filesizeformat # noqa
from django.utils import html
from django.utils.translation import ugettext_lazy as _
from django.views.decorators.debug import sensitive_variables # noqa
@ -79,6 +80,10 @@ class UpdatePolicyRuleSetForm(BaseUpdateForm):
def handle(self, request, context):
try:
policy_rule_set_id = self.initial['policy_rule_set_id']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.policy_rule_set_update(request,
policy_rule_set_id,
**context
@ -133,6 +138,10 @@ class AddPolicyActionForm(forms.SelfHandlingForm):
try:
if not context['action_value']:
del context['action_value']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
action = client.policyaction_create(request, **context)
messages.success(request, _('Policy Action successfully created.'))
return action
@ -163,6 +172,10 @@ class UpdatePolicyActionForm(BaseUpdateForm):
url = reverse('horizon:project:application_policy:index')
try:
policyaction_id = self.initial['policyaction_id']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.policyaction_update(request, policyaction_id, **context)
messages.success(request, _('Policy Action successfully updated.'))
return http.HttpResponseRedirect(url)
@ -203,6 +216,8 @@ class AddPolicyClassifierForm(forms.SelfHandlingForm):
try:
if not context.get('port_range'):
context['port_range'] = None
if context.get('name'):
context['name'] = html.escape(context['name'])
classifier = client.policyclassifier_create(request, **context)
messages.success(
request, _('Policy Classifier successfully created.'))
@ -242,6 +257,10 @@ class UpdatePolicyClassifierForm(BaseUpdateForm):
policyclassifier_id = self.initial['policyclassifier_id']
if not context.get('port_range'):
context['port_range'] = None
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.policyclassifier_update(self.request,
policyclassifier_id, **context)
messages.success(
@ -286,6 +305,10 @@ class UpdatePolicyRuleForm(BaseUpdateForm):
url = reverse('horizon:project:application_policy:index')
try:
prid = self.initial['policyrule_id']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.policyrule_update(request, prid, **context)
messages.success(request, _('Policy rule successfully updated.'))
return http.HttpResponseRedirect(url)
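Review bot: Escaping `name` and `description` with `html.escape` just before `client.policy_rule_set_update` (and before the sibling create/update calls in this file's other hunks) persists HTML entities in the backend instead of neutralising them at render time, so a name such as `R&D` is stored as `R&amp;D` and any autoescaping template then shows the literal text `R&amp;D`. The Update forms appear to seed `initial` from the stored object (only `self.initial['policy_rule_set_id']` is visible here), in which case each edit round-trip re-escapes the already-escaped value. The place to fix the XSS is wherever these fields are rendered unescaped (a `|safe` filter or `mark_safe`); the same write-side pattern is repeated in the other five files of this commit. If input-side escaping is kept on purpose, a comment such as `# name/description are stored HTML-escaped; render them with |safe or they double-escape` should record that contract. Each `handle` body starts and ends outside its hunk.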


@ -11,6 +11,7 @@
# under the License.
from django.core.urlresolvers import reverse
from django.utils import html
from django.utils.translation import ugettext_lazy as _
from horizon import exceptions
@ -111,6 +112,10 @@ class AddContract(workflows.Workflow):
def _create_policy_rule_set(self, request, context):
try:
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
return client.policy_rule_set_create(request, **context)
except Exception as e:
msg = self.format_status_message(self.failure_message) + str(e)
@ -118,6 +123,10 @@ class AddContract(workflows.Workflow):
return False
def handle(self, request, context):
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
policy_rule_set = self._create_policy_rule_set(request, context)
self.object = policy_rule_set
return policy_rule_set
@ -251,6 +260,10 @@ class AddPolicyRule(workflows.Workflow):
def handle(self, request, context):
try:
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
rule = client.policyrule_create(request, **context)
self.object = rule
return rule
@ -311,6 +324,10 @@ class AddPolicyClassifier(workflows.Workflow):
def _create_classifer(self, request, context):
try:
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.policyclassifier_create(request, **context)
return True
except Exception as e:
@ -319,6 +336,10 @@ class AddPolicyClassifier(workflows.Workflow):
return False
def handle(self, request, context):
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
classifier = self._create_classifer(request, context)
if not classifier:
return False
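Review bot: `AddContract.handle` escapes `name` and `description` and then passes the same `context` to `_create_policy_rule_set`, which escapes both again, so an ampersand in a name is stored as `&amp;amp;`; `AddPolicyClassifier.handle` and `_create_classifer` repeat the same double escaping. One of the two layers should go: dropping the four added lines from each helper and keeping the escaping in `handle` is the smaller change. If the helpers can also be reached without passing through `handle`, keep the escaping in the helpers and remove it from `handle` instead. Both workflow bodies continue outside these hunks.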


@ -15,6 +15,7 @@ import logging
from django.core.urlresolvers import reverse
from django import http
from django import shortcuts
from django.utils import html
from django.utils.translation import ugettext_lazy as _
from horizon import exceptions
@ -80,6 +81,10 @@ class AddL3PolicyForm(forms.SelfHandlingForm):
def handle(self, request, context):
url = reverse("horizon:project:network_policy:index")
try:
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.l3policy_create(request, **context)
msg = _("L3 Policy Created Successfully!")
LOG.debug(msg)
@ -122,6 +127,10 @@ class UpdateL3PolicyForm(AddL3PolicyForm):
url = reverse("horizon:project:network_policy:index")
try:
l3policy_id = self.initial['l3policy_id']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.l3policy_update(request, l3policy_id, **context)
msg = _("L3 Policy Updated Successfully!")
LOG.debug(msg)
@ -155,6 +164,10 @@ class AddL2PolicyForm(forms.SelfHandlingForm):
url = reverse("horizon:project:network_policy:index")
try:
del context['allow_broadcast']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.l2policy_create(request, **context)
msg = _("L2 Policy Created Successfully!")
LOG.debug(msg)
@ -195,6 +208,10 @@ class UpdateL2PolicyForm(forms.SelfHandlingForm):
l2policy_id = self.initial['l2policy_id']
try:
del context['allow_broadcast']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.l2policy_update(request, l2policy_id, **context)
msg = _("L2 Policy Updated Successfully!")
LOG.debug(msg)
@ -228,6 +245,10 @@ class CreateServicePolicyForm(forms.SelfHandlingForm):
'value': values[2]}
p.append(values)
context['network_service_params'] = p
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.create_networkservice_policy(request, **context)
msg = _("Service policy created successfully!")
LOG.debug(msg)
@ -242,8 +263,8 @@ class NetworkServiceParam(object):
def __init__(self, context):
self.ptype = context['param_type']
self.pname = context['param_name']
self.pvalue = context['param_value']
self.pname = html.escape(context['param_name'])
self.pvalue = html.escape(context['param_value'])
self.name = "Type:%s,Name:%s,Value:%s" % (
self.ptype, self.pname, self.pvalue)
self.id = self.name
@ -288,6 +309,10 @@ class UpdateServicePolicyForm(BaseUpdateForm):
url = reverse("horizon:project:network_policy:index")
try:
policy_id = self.initial['service_policy_id']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.update_networkservice_policy(
request, policy_id, **context)
msg = _("Service policy updatedsuccessfully!")
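Review bot: `NetworkServiceParam.__init__` now escapes `param_name` and `param_value` but leaves `param_type` raw, although all three are interpolated into `self.name` and therefore into `self.id`; if `param_type` is free text rather than a fixed choice (not visible here), it is the one field left unescaped. Because `self.id` is now derived from the escaped string, any id built from the raw values elsewhere would no longer match it, which is worth confirming against the callers. For consistency either add `self.ptype = html.escape(context['param_type'])` or document the exception with `# param_type is a fixed choice value, no escaping needed`.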


@ -14,6 +14,7 @@ import json
import logging
from django.core.urlresolvers import reverse
from django.utils import html
from django.utils.translation import ugettext_lazy as _
from django import http
@ -105,6 +106,10 @@ class CreateServiceChainNodeForm(forms.SelfHandlingForm):
except KeyError:
pass
context['config'] = json.dumps(context['config'])
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.create_servicechain_node(request, **context)
msg = _("Service Chain Node Created Successfully!")
LOG.debug(msg)
@ -137,6 +142,10 @@ class UpdateServiceChainNodeForm(BaseUpdateForm):
url = reverse("horizon:project:network_services:index")
try:
scnode_id = self.initial['scnode_id']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.update_servicechain_node(
request, scnode_id, **context)
msg = _("Service Chain Node Updated Successfully!")
@ -183,6 +192,10 @@ class CreateServiceChainSpecForm(forms.SelfHandlingForm):
def handle(self, request, context):
url = reverse("horizon:project:network_services:index")
try:
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.create_servicechain_spec(request, **context)
msg = _("Service Chain Spec Created Successfully!")
LOG.debug(msg)
@ -219,6 +232,10 @@ class UpdateServiceChainSpecForm(CreateServiceChainSpecForm, BaseUpdateForm):
url = reverse("horizon:project:network_services:index")
try:
scspec_id = self.initial['scspec_id']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.update_servicechain_spec(request, scspec_id, **context)
msg = _("Service Chain Spec Updated Successfully!")
LOG.debug(msg)
@ -260,6 +277,10 @@ class CreateServiceChainInstanceForm(forms.SelfHandlingForm):
def handle(self, request, context):
url = reverse("horizon:project:network_services:index")
try:
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.create_servicechain_instance(request, **context)
msg = _("Service Chain Instance Created Successfully!")
LOG.debug(msg)
@ -295,6 +316,10 @@ class UpdateServiceChainInstanceForm(forms.SelfHandlingForm):
url = reverse("horizon:project:network_services:index")
try:
scinstance_id = self.initial['scinstance_id']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.update_servicechain_instance(
request, scinstance_id, **context)
msg = _("Service Chain Instance Created Successfully!")


@ -14,6 +14,7 @@ import logging
from django.core.urlresolvers import reverse
from django import http
from django.utils import html
from django.utils.translation import ugettext_lazy as _
from horizon import exceptions
@ -112,6 +113,10 @@ class UpdatePolicyTargetForm(forms.SelfHandlingForm):
context['consumed_policy_rule_sets'] = None
if context['network_service_policy_id'] == 'None':
context['network_service_policy_id'] = None
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
policy_target = client.policy_target_update(
request, policy_target_id, **context)
msg = _('Group %s was successfully updated.') % name_or_id


@ -13,6 +13,7 @@
import logging
from django.core.urlresolvers import reverse
from django.utils import html
from django.utils.text import normalize_newlines # noqa
from django.utils.translation import ugettext_lazy as _
from django.views.decorators.debug import sensitive_variables # noqa
@ -213,6 +214,10 @@ class AddPTG(workflows.Workflow):
def handle(self, request, context):
try:
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
group = client.policy_target_create(request, **context)
return group
except Exception as e: