nautobot 1.6.28__py3-none-any.whl → 1.6.29__py3-none-any.whl
- nautobot/core/apps/__init__.py +18 -0
- nautobot/core/tests/test_models.py +17 -1
- nautobot/dcim/views.py +2 -2
- nautobot/project-static/docs/release-notes/version-1.6.html +186 -120
- nautobot/project-static/docs/requirements.txt +1 -0
- nautobot/project-static/docs/search/search_index.json +1 -1
- nautobot/project-static/docs/sitemap.xml +187 -187
- nautobot/project-static/docs/sitemap.xml.gz +0 -0
- {nautobot-1.6.28.dist-info → nautobot-1.6.29.dist-info}/METADATA +1 -1
- {nautobot-1.6.28.dist-info → nautobot-1.6.29.dist-info}/RECORD +14 -14
- {nautobot-1.6.28.dist-info → nautobot-1.6.29.dist-info}/WHEEL +1 -1
- {nautobot-1.6.28.dist-info → nautobot-1.6.29.dist-info}/LICENSE.txt +0 -0
- {nautobot-1.6.28.dist-info → nautobot-1.6.29.dist-info}/NOTICE +0 -0
- {nautobot-1.6.28.dist-info → nautobot-1.6.29.dist-info}/entry_points.txt +0 -0
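--- a/nautobot/core/apps/__init__.py
+++ b/nautobot/core/apps/__init__.py
@@ -691,6 +691,24 @@ class CoreConfig(NautobotConfig):
 
 monkey_mix(TaggableManager, mixins.TaggableManagerMonkeyMixin)
 
+# The code block below is to address an issue describe in https://www.cvedetails.com/cve/CVE-2024-42005/
+# An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15.
+# QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection
+# in column aliases via a crafted JSON object key as a passed *arg.
+# The fix in Django 4.2 https://github.com/django/django/commit/f4af67b9b41e0f4c117a8741da3abbd1c869ab28/
+# is backported here to Nautobot v1.6.x running on Django 3.2.
+from django.db.models.sql.query import Query
+
+Query._set_values = Query.set_values
+
+def set_values(self, fields):
+if fields:
+for field in fields:
+self.check_alias(field)
+self._set_values(fields)
+
+Query.set_values = set_values
+
 
 class NautobotConstanceConfig(ConstanceConfig):
 """Override "Constance" app name to "Configuration"."""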
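Review bot: The monkeypatch on `Query.set_values` is not idempotent: if this block runs a second time in the same process, `Query._set_values` is rebound to the already-wrapped function and every later `values()`/`values_list()` call would recurse until the interpreter's recursion limit. The enclosing method of `CoreConfig` starts outside the hunk, so whether it can run more than once (for example in a test that re-invokes app setup) is not visible here; wrapping the two assignments in `if not hasattr(Query, "_set_values"):` makes the backport safe either way. The wrapper also depends on `Query.check_alias` being present in the installed Django 3.2 release, so the minimum pinned Django version should be confirmed to include it; otherwise the call fails with `AttributeError` rather than rejecting the alias with the intended `ValueError`.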
@@ -4,7 +4,8 @@ from unittest.mock import patch
|
|
|
4
4
|
|
|
5
5
|
from django.core.cache import cache
|
|
6
6
|
from django.core.exceptions import ValidationError
|
|
7
|
-
from django.
|
|
7
|
+
from django.db import models
|
|
8
|
+
from django.test import override_settings, skipUnlessDBFeature
|
|
8
9
|
|
|
9
10
|
from nautobot.core.models import BaseModel
|
|
10
11
|
from nautobot.utilities.testing import TestCase
|
|
@@ -15,6 +16,12 @@ class BaseModelTest(TestCase):
|
|
|
15
16
|
def clean(self):
|
|
16
17
|
raise ValidationError("validation error")
|
|
17
18
|
|
|
19
|
+
class JSONFieldModel(BaseModel):
|
|
20
|
+
data = models.JSONField(null=True)
|
|
21
|
+
|
|
22
|
+
class Meta:
|
|
23
|
+
required_db_features = {"supports_json_field"}
|
|
24
|
+
|
|
18
25
|
def test_validated_save_calls_full_clean(self):
|
|
19
26
|
with self.assertRaises(ValidationError):
|
|
20
27
|
self.FakeBaseModel().validated_save()
|
|
@@ -61,3 +68,12 @@ class BaseModelTest(TestCase):
|
|
|
61
68
|
self.FakeBaseModel._content_type_cached
|
|
62
69
|
self.FakeBaseModel._content_type_cached
|
|
63
70
|
self.assertEqual(mock__content_type.call_count, 2)
|
|
71
|
+
|
|
72
|
+
@skipUnlessDBFeature("supports_json_field")
|
|
73
|
+
def test_values_expression_alias_sql_injection_json_field(self):
|
|
74
|
+
crafted_alias = """injected_name" from "expressions_company"; --"""
|
|
75
|
+
msg = "Column aliases cannot contain whitespace characters, quotation marks, semicolons, or SQL comments."
|
|
76
|
+
with self.assertRaisesMessage(ValueError, msg):
|
|
77
|
+
self.JSONFieldModel.objects.values(f"data__{crafted_alias}")
|
|
78
|
+
with self.assertRaisesMessage(ValueError, msg):
|
|
79
|
+
self.JSONFieldModel.objects.values_list(f"data__{crafted_alias}")
|
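Review bot: `test_values_expression_alias_sql_injection_json_field` only covers rejection, so it would still pass if the patched `set_values` refused every alias. Add a benign-key case next to the two `assertRaisesMessage` blocks, e.g. `self.JSONFieldModel.objects.values("data__name")`, and check that it returns without raising. The crafted alias mentions `expressions_company`, apparently carried over from the upstream Django test; no query is executed in this test so it is harmless, but a one-line comment saying so would spare readers from looking for that table. The test also passes on any Django that already contains the upstream fix, so on its own it does not show that the backport in `CoreConfig` is what is in effect.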
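--- a/nautobot/dcim/views.py
+++ b/nautobot/dcim/views.py
@@ -2257,7 +2257,7 @@ class DeviceBayPopulateView(generic.ObjectEditView):
 f"Added {device_bay.installed_device} to {device_bay}.",
 )
 
-return redirect("dcim:
+return redirect("dcim:device_devicebays", pk=device_bay.device.pk)
 
 return render(
 request,
@@ -2300,7 +2300,7 @@ class DeviceBayDepopulateView(generic.ObjectEditView):
 f"Removed {removed_device} from {device_bay}.",
 )
 
-return redirect("dcim:
+return redirect("dcim:device_devicebays", pk=device_bay.device.pk)
 
 return render(
 request,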