Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove files/get endpoint which is not used #5109

Merged
merged 3 commits into from
Jan 17, 2024
Merged

Remove files/get endpoint which is not used #5109

merged 3 commits into from
Jan 17, 2024

Conversation

gertzakis
Copy link
Contributor

Closes: #N/A

What's Changed

Removes the files/get URL endpoint which is not used. Also, the way it was configured without "add_attachment_headers": True it was missing the Content-Disposition: attachment HTTP header which causes a security vulnerability.

TODO

  • Explanation of Change(s)
  • Added change log fragment(s) (for more information see the documentation)
  • Attached Screenshots, Payload Example
  • Unit, Integration Tests
  • Documentation Updates (when adding/changing features)
  • Example Plugin Updates (when adding/changing features)
  • Outline Remaining Work, Constraints from Design

glennmatthews
glennmatthews reviewed Jan 16, 2024
View reviewed changes
Copy link
Contributor

@glennmatthews glennmatthews left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggest adding a changes/5109.security change fragment along the lines of:

Removed `/files/get/` URL endpoint (for viewing FileAttachment files in the browser), as it was unused and could potentially pose security issues.

nautobot/core/tests/test_views.py Outdated Show resolved Hide resolved
nautobot/core/tests/test_views.py Outdated Show resolved Hide resolved
@glennmatthews glennmatthews added the emergent Unplanned work that is brought into a sprint after it's started. label Jan 16, 2024
gertzakis and others added 2 commits January 16, 2024 17:56
@gertzakis @glennmatthews
Update nautobot/core/tests/test_views.py
ca50657 
Co-authored-by: Glenn Matthews <glenn.matthews@networktocode.com>
@gertzakis
update based on review
97b4ba1
@glennmatthews
Copy link
Contributor

I hadn't noticed that this was a PR to ltm-1.6. This should really go into develop first and then be backported to the LTM branch.

@gertzakis
Copy link
Contributor Author

Oh of course! Opened #5115 for adding it into develop.

@glennmatthews glennmatthews merged commit fe5658c into nautobot:ltm-1.6 Jan 17, 2024
18 checks passed
@gertzakis gertzakis deleted the remove-files/get-endpoint branch January 17, 2024 15:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@glennmatthews glennmatthews glennmatthews approved these changes

@timizuoebideri1 timizuoebideri1 timizuoebideri1 approved these changes

@HanlinMiao HanlinMiao Awaiting requested review from HanlinMiao

Assignees
No one assigned
Labels
emergent Unplanned work that is brought into a sprint after it's started.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@gertzakis @glennmatthews @timizuoebideri1