Prevents cross-site scripting in policy panels

Change-Id: I3184b614d81ed67acc4aa1bfea9697a0acc2205f
Closes-bug: 1483372
Sumit Naiksatam 2015-08-11 19:55:45 -07:00
parent 6e6c53300f
commit 5e8f3da385
6 changed files with 106 additions and 2 deletions


@ -13,6 +13,7 @@
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from django import http from django import http
from django.template.defaultfilters import filesizeformat # noqa from django.template.defaultfilters import filesizeformat # noqa
from django.utils import html
from django.utils.translation import ugettext_lazy as _ from django.utils.translation import ugettext_lazy as _
from django.views.decorators.debug import sensitive_variables # noqa from django.views.decorators.debug import sensitive_variables # noqa
@ -79,6 +80,10 @@ class UpdatePolicyRuleSetForm(BaseUpdateForm):
def handle(self, request, context): def handle(self, request, context):
try: try:
policy_rule_set_id = self.initial['policy_rule_set_id'] policy_rule_set_id = self.initial['policy_rule_set_id']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.policy_rule_set_update(request, client.policy_rule_set_update(request,
policy_rule_set_id, policy_rule_set_id,
**context **context
@ -133,6 +138,10 @@ class AddPolicyActionForm(forms.SelfHandlingForm):
try: try:
if not context['action_value']: if not context['action_value']:
del context['action_value'] del context['action_value']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
action = client.policyaction_create(request, **context) action = client.policyaction_create(request, **context)
messages.success(request, _('Policy Action successfully created.')) messages.success(request, _('Policy Action successfully created.'))
return action return action
@ -163,6 +172,10 @@ class UpdatePolicyActionForm(BaseUpdateForm):
url = reverse('horizon:project:application_policy:index') url = reverse('horizon:project:application_policy:index')
try: try:
policyaction_id = self.initial['policyaction_id'] policyaction_id = self.initial['policyaction_id']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.policyaction_update(request, policyaction_id, **context) client.policyaction_update(request, policyaction_id, **context)
messages.success(request, _('Policy Action successfully updated.')) messages.success(request, _('Policy Action successfully updated.'))
return http.HttpResponseRedirect(url) return http.HttpResponseRedirect(url)
@ -203,6 +216,8 @@ class AddPolicyClassifierForm(forms.SelfHandlingForm):
try: try:
if not context.get('port_range'): if not context.get('port_range'):
context['port_range'] = None context['port_range'] = None
if context.get('name'):
context['name'] = html.escape(context['name'])
classifier = client.policyclassifier_create(request, **context) classifier = client.policyclassifier_create(request, **context)
messages.success( messages.success(
request, _('Policy Classifier successfully created.')) request, _('Policy Classifier successfully created.'))
@ -242,6 +257,10 @@ class UpdatePolicyClassifierForm(BaseUpdateForm):
policyclassifier_id = self.initial['policyclassifier_id'] policyclassifier_id = self.initial['policyclassifier_id']
if not context.get('port_range'): if not context.get('port_range'):
context['port_range'] = None context['port_range'] = None
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.policyclassifier_update(self.request, client.policyclassifier_update(self.request,
policyclassifier_id, **context) policyclassifier_id, **context)
messages.success( messages.success(
@ -286,6 +305,10 @@ class UpdatePolicyRuleForm(BaseUpdateForm):
url = reverse('horizon:project:application_policy:index') url = reverse('horizon:project:application_policy:index')
try: try:
prid = self.initial['policyrule_id'] prid = self.initial['policyrule_id']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.policyrule_update(request, prid, **context) client.policyrule_update(request, prid, **context)
messages.success(request, _('Policy rule successfully updated.')) messages.success(request, _('Policy rule successfully updated.'))
return http.HttpResponseRedirect(url) return http.HttpResponseRedirect(url)
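Review bot: The escaping added at L24-27 (and the identical block in every other hunk of this file and the other five files) runs before the value is handed to the backend client, so the stored name/description become HTML entities rather than the text the user typed; Django templates auto-escape on output, so a `<` persisted as `&lt;` will display as `&amp;lt;` unless the template marks it safe, and non-HTML API consumers see entities as well. For the Update* forms this compounds: if the form's initial values are loaded from the backend (not visible here), every save re-escapes already-escaped text, turning `R&D` into `R&amp;D` and then `R&amp;amp;D`. The more robust fix is to keep stored data raw and confirm that the panel templates and table columns do not bypass auto-escaping (`|safe`, `mark_safe`, `escape=False`) where the bug actually renders. If input-side escaping is kept, the same four lines are pasted into a dozen handlers and AddPolicyClassifierForm (L57-58) escapes only `name`, unlike its siblings; a small module-level helper would make the field list explicit and the handlers consistent.
```python
def _escape_text_fields(context, fields=('name', 'description')):
    """Replace HTML-special characters in the given free-text fields in place.

    Only truthy values are touched, so absent or empty fields are left alone.
    """
    for key in fields:
        if context.get(key):
            context[key] = html.escape(context[key])
    return context

# … unchanged: each handle() body; the four `if context.get(...)` lines become …
_escape_text_fields(context)
```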


@ -11,6 +11,7 @@
# under the License. # under the License.
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from django.utils import html
from django.utils.translation import ugettext_lazy as _ from django.utils.translation import ugettext_lazy as _
from horizon import exceptions from horizon import exceptions
@ -111,6 +112,10 @@ class AddContract(workflows.Workflow):
def _create_policy_rule_set(self, request, context): def _create_policy_rule_set(self, request, context):
try: try:
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
return client.policy_rule_set_create(request, **context) return client.policy_rule_set_create(request, **context)
except Exception as e: except Exception as e:
msg = self.format_status_message(self.failure_message) + str(e) msg = self.format_status_message(self.failure_message) + str(e)
@ -118,6 +123,10 @@ class AddContract(workflows.Workflow):
return False return False
def handle(self, request, context): def handle(self, request, context):
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
policy_rule_set = self._create_policy_rule_set(request, context) policy_rule_set = self._create_policy_rule_set(request, context)
self.object = policy_rule_set self.object = policy_rule_set
return policy_rule_set return policy_rule_set
@ -251,6 +260,10 @@ class AddPolicyRule(workflows.Workflow):
def handle(self, request, context): def handle(self, request, context):
try: try:
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
rule = client.policyrule_create(request, **context) rule = client.policyrule_create(request, **context)
self.object = rule self.object = rule
return rule return rule
@ -311,6 +324,10 @@ class AddPolicyClassifier(workflows.Workflow):
def _create_classifer(self, request, context): def _create_classifer(self, request, context):
try: try:
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.policyclassifier_create(request, **context) client.policyclassifier_create(request, **context)
return True return True
except Exception as e: except Exception as e:
@ -319,6 +336,10 @@ class AddPolicyClassifier(workflows.Workflow):
return False return False
def handle(self, request, context): def handle(self, request, context):
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
classifier = self._create_classifer(request, context) classifier = self._create_classifer(request, context)
if not classifier: if not classifier:
return False return False
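Review bot: AddContract now escapes `name` and `description` twice on the same request: `handle` (L106-109) rewrites `context` in place and then passes it to `_create_policy_rule_set`, which escapes it again (L96-99), so a `<` reaches the backend as `&amp;lt;`. AddPolicyClassifier has the same pair, `handle` at L136-139 and `_create_classifer` at L126-129. One copy of each pair should go; keeping the one next to the client call and dropping the four lines from each `handle` is the smaller change. The enclosing workflow classes and the `handle` bodies continue outside these hunks.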


@ -15,6 +15,7 @@ import logging
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from django import http from django import http
from django import shortcuts from django import shortcuts
from django.utils import html
from django.utils.translation import ugettext_lazy as _ from django.utils.translation import ugettext_lazy as _
from horizon import exceptions from horizon import exceptions
@ -80,6 +81,10 @@ class AddL3PolicyForm(forms.SelfHandlingForm):
def handle(self, request, context): def handle(self, request, context):
url = reverse("horizon:project:network_policy:index") url = reverse("horizon:project:network_policy:index")
try: try:
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.l3policy_create(request, **context) client.l3policy_create(request, **context)
msg = _("L3 Policy Created Successfully!") msg = _("L3 Policy Created Successfully!")
LOG.debug(msg) LOG.debug(msg)
@ -122,6 +127,10 @@ class UpdateL3PolicyForm(AddL3PolicyForm):
url = reverse("horizon:project:network_policy:index") url = reverse("horizon:project:network_policy:index")
try: try:
l3policy_id = self.initial['l3policy_id'] l3policy_id = self.initial['l3policy_id']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.l3policy_update(request, l3policy_id, **context) client.l3policy_update(request, l3policy_id, **context)
msg = _("L3 Policy Updated Successfully!") msg = _("L3 Policy Updated Successfully!")
LOG.debug(msg) LOG.debug(msg)
@ -155,6 +164,10 @@ class AddL2PolicyForm(forms.SelfHandlingForm):
url = reverse("horizon:project:network_policy:index") url = reverse("horizon:project:network_policy:index")
try: try:
del context['allow_broadcast'] del context['allow_broadcast']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.l2policy_create(request, **context) client.l2policy_create(request, **context)
msg = _("L2 Policy Created Successfully!") msg = _("L2 Policy Created Successfully!")
LOG.debug(msg) LOG.debug(msg)
@ -195,6 +208,10 @@ class UpdateL2PolicyForm(forms.SelfHandlingForm):
l2policy_id = self.initial['l2policy_id'] l2policy_id = self.initial['l2policy_id']
try: try:
del context['allow_broadcast'] del context['allow_broadcast']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.l2policy_update(request, l2policy_id, **context) client.l2policy_update(request, l2policy_id, **context)
msg = _("L2 Policy Updated Successfully!") msg = _("L2 Policy Updated Successfully!")
LOG.debug(msg) LOG.debug(msg)
@ -228,6 +245,10 @@ class CreateServicePolicyForm(forms.SelfHandlingForm):
'value': values[2]} 'value': values[2]}
p.append(values) p.append(values)
context['network_service_params'] = p context['network_service_params'] = p
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.create_networkservice_policy(request, **context) client.create_networkservice_policy(request, **context)
msg = _("Service policy created successfully!") msg = _("Service policy created successfully!")
LOG.debug(msg) LOG.debug(msg)
@ -242,8 +263,8 @@ class NetworkServiceParam(object):
def __init__(self, context): def __init__(self, context):
self.ptype = context['param_type'] self.ptype = context['param_type']
self.pname = context['param_name'] self.pname = html.escape(context['param_name'])
self.pvalue = context['param_value'] self.pvalue = html.escape(context['param_value'])
self.name = "Type:%s,Name:%s,Value:%s" % ( self.name = "Type:%s,Name:%s,Value:%s" % (
self.ptype, self.pname, self.pvalue) self.ptype, self.pname, self.pvalue)
self.id = self.name self.id = self.name
@ -288,6 +309,10 @@ class UpdateServicePolicyForm(BaseUpdateForm):
url = reverse("horizon:project:network_policy:index") url = reverse("horizon:project:network_policy:index")
try: try:
policy_id = self.initial['service_policy_id'] policy_id = self.initial['service_policy_id']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.update_networkservice_policy( client.update_networkservice_policy(
request, policy_id, **context) request, policy_id, **context)
msg = _("Service policy updatedsuccessfully!") msg = _("Service policy updatedsuccessfully!")
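Review bot: `NetworkServiceParam.__init__` (L210-212) escapes `param_name` and `param_value` but leaves `param_type` raw, and all three are then formatted into `self.name`, which also becomes `self.id`; if `param_type` is free text it still reaches the rendered label unescaped, and if it is a fixed choice the asymmetry deserves a one-line comment saying so. Escaping at construction time also means `self.id` no longer equals the raw parameter text, so anything that later matches these objects against unescaped input (not visible here) would miss. Either escape `ptype` the same way or add a comment such as `# param_type is a constrained choice, not free text — left unescaped` above L210.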


@ -14,6 +14,7 @@ import json
import logging import logging
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from django.utils import html
from django.utils.translation import ugettext_lazy as _ from django.utils.translation import ugettext_lazy as _
from django import http from django import http
@ -105,6 +106,10 @@ class CreateServiceChainNodeForm(forms.SelfHandlingForm):
except KeyError: except KeyError:
pass pass
context['config'] = json.dumps(context['config']) context['config'] = json.dumps(context['config'])
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.create_servicechain_node(request, **context) client.create_servicechain_node(request, **context)
msg = _("Service Chain Node Created Successfully!") msg = _("Service Chain Node Created Successfully!")
LOG.debug(msg) LOG.debug(msg)
@ -137,6 +142,10 @@ class UpdateServiceChainNodeForm(BaseUpdateForm):
url = reverse("horizon:project:network_services:index") url = reverse("horizon:project:network_services:index")
try: try:
scnode_id = self.initial['scnode_id'] scnode_id = self.initial['scnode_id']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.update_servicechain_node( client.update_servicechain_node(
request, scnode_id, **context) request, scnode_id, **context)
msg = _("Service Chain Node Updated Successfully!") msg = _("Service Chain Node Updated Successfully!")
@ -183,6 +192,10 @@ class CreateServiceChainSpecForm(forms.SelfHandlingForm):
def handle(self, request, context): def handle(self, request, context):
url = reverse("horizon:project:network_services:index") url = reverse("horizon:project:network_services:index")
try: try:
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.create_servicechain_spec(request, **context) client.create_servicechain_spec(request, **context)
msg = _("Service Chain Spec Created Successfully!") msg = _("Service Chain Spec Created Successfully!")
LOG.debug(msg) LOG.debug(msg)
@ -219,6 +232,10 @@ class UpdateServiceChainSpecForm(CreateServiceChainSpecForm, BaseUpdateForm):
url = reverse("horizon:project:network_services:index") url = reverse("horizon:project:network_services:index")
try: try:
scspec_id = self.initial['scspec_id'] scspec_id = self.initial['scspec_id']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.update_servicechain_spec(request, scspec_id, **context) client.update_servicechain_spec(request, scspec_id, **context)
msg = _("Service Chain Spec Updated Successfully!") msg = _("Service Chain Spec Updated Successfully!")
LOG.debug(msg) LOG.debug(msg)
@ -260,6 +277,10 @@ class CreateServiceChainInstanceForm(forms.SelfHandlingForm):
def handle(self, request, context): def handle(self, request, context):
url = reverse("horizon:project:network_services:index") url = reverse("horizon:project:network_services:index")
try: try:
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.create_servicechain_instance(request, **context) client.create_servicechain_instance(request, **context)
msg = _("Service Chain Instance Created Successfully!") msg = _("Service Chain Instance Created Successfully!")
LOG.debug(msg) LOG.debug(msg)
@ -295,6 +316,10 @@ class UpdateServiceChainInstanceForm(forms.SelfHandlingForm):
url = reverse("horizon:project:network_services:index") url = reverse("horizon:project:network_services:index")
try: try:
scinstance_id = self.initial['scinstance_id'] scinstance_id = self.initial['scinstance_id']
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
client.update_servicechain_instance( client.update_servicechain_instance(
request, scinstance_id, **context) request, scinstance_id, **context)
msg = _("Service Chain Instance Created Successfully!") msg = _("Service Chain Instance Created Successfully!")
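Review bot: In CreateServiceChainNodeForm (L239-243) `context['config']` is serialised with `json.dumps` and forwarded as-is while only `name` and `description` are escaped; if the node config is displayed in the same panels this commit hardens, it receives no treatment here, so how it is rendered (not visible in the hunk) is worth checking. The enclosing `handle` starts above the hunk. As an aside, the update path's success text at L301 reads "Created" for UpdateServiceChainInstanceForm; it is an existing line the hunk carries only as context.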


@ -14,6 +14,7 @@ import logging
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from django import http from django import http
from django.utils import html
from django.utils.translation import ugettext_lazy as _ from django.utils.translation import ugettext_lazy as _
from horizon import exceptions from horizon import exceptions
@ -112,6 +113,10 @@ class UpdatePolicyTargetForm(forms.SelfHandlingForm):
context['consumed_policy_rule_sets'] = None context['consumed_policy_rule_sets'] = None
if context['network_service_policy_id'] == 'None': if context['network_service_policy_id'] == 'None':
context['network_service_policy_id'] = None context['network_service_policy_id'] = None
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
policy_target = client.policy_target_update( policy_target = client.policy_target_update(
request, policy_target_id, **context) request, policy_target_id, **context)
msg = _('Group %s was successfully updated.') % name_or_id msg = _('Group %s was successfully updated.') % name_or_id


@ -13,6 +13,7 @@
import logging import logging
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from django.utils import html
from django.utils.text import normalize_newlines # noqa from django.utils.text import normalize_newlines # noqa
from django.utils.translation import ugettext_lazy as _ from django.utils.translation import ugettext_lazy as _
from django.views.decorators.debug import sensitive_variables # noqa from django.views.decorators.debug import sensitive_variables # noqa
@ -213,6 +214,10 @@ class AddPTG(workflows.Workflow):
def handle(self, request, context): def handle(self, request, context):
try: try:
if context.get('name'):
context['name'] = html.escape(context['name'])
if context.get('description'):
context['description'] = html.escape(context['description'])
group = client.policy_target_create(request, **context) group = client.policy_target_create(request, **context)
return group return group
except Exception as e: except Exception as e: