chore: security improvements (#53)

mfiedorowicz · web-flow · commit 53fbc02566a5 · 2024-12-30T11:21:59.000Z
* chore: add safe redirect to login

Signed-off-by: Michal Fiedorowicz &lt;mfiedorowicz@netboxlabs.com&gt;

* chore: gha - add missing permissions

Signed-off-by: Michal Fiedorowicz &lt;mfiedorowicz@netboxlabs.com&gt;

* chore: gha - pin actions to commit hashes

Signed-off-by: Michal Fiedorowicz &lt;mfiedorowicz@netboxlabs.com&gt;

* tidy up

Signed-off-by: Michal Fiedorowicz &lt;mfiedorowicz@netboxlabs.com&gt;

---------

Signed-off-by: Michal Fiedorowicz &lt;mfiedorowicz@netboxlabs.com&gt;
diff --git a/.github/workflows/lint-tests.yml b/.github/workflows/lint-tests.yml
@@ -47,7 +47,7 @@ jobs:
         run: |
           make docker-compose-netbox-plugin-test-cover
       - name: Coverage comment
-        uses: orgoro/coverage@v3.2
+        uses: orgoro/coverage@3f13a558c5af7376496aa4848bf0224aead366ac # v3.2
         with:
           coverageFile: ./docker/coverage/report.xml
           token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/manifest-modified.yaml b/.github/workflows/manifest-modified.yaml
@@ -10,6 +10,9 @@ concurrency:
   group: ${{ github.workflow }}
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
   manifest-modified:
     uses: netboxlabs/public-workflows/.github/workflows/reusable-plugin-manifest-modified.yml@release
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -42,7 +42,7 @@ jobs:
         with:
           node-version: "lts/*"
       - name: Write package.json
-        uses: DamianReeves/write-file-action@master
+        uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 # v1.3
         with:
           path: ./package.json
           write-mode: overwrite
@@ -56,7 +56,7 @@ jobs:
               }
             }
       - name: Write .releaserc.json
-        uses: DamianReeves/write-file-action@master
+        uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 # v1.3
         with:
           path: ./.releaserc.json
           write-mode: overwrite
@@ -166,7 +166,7 @@ jobs:
           retention-days: 30
           if-no-files-found: error
       - name: Publish release distributions to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v.1.12.3
         with:
           packages-dir: dist
 
@@ -181,7 +181,7 @@ jobs:
         with:
           node-version: "lts/*"
       - name: Write package.json
-        uses: DamianReeves/write-file-action@master
+        uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 # v1.3
         with:
           path: ./package.json
           write-mode: overwrite
@@ -195,7 +195,7 @@ jobs:
               }
             }
       - name: Write .releaserc.json
-        uses: DamianReeves/write-file-action@master
+        uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 # v1.3
         with:
           path: ./.releaserc.json
           write-mode: overwrite
diff --git a/netbox_diode_plugin/views.py b/netbox_diode_plugin/views.py
@@ -7,7 +7,9 @@
 from django.contrib import messages
 from django.contrib.auth import get_user, get_user_model
 from django.core.cache import cache
+from django.http import HttpResponseRedirect
 from django.shortcuts import redirect, render
+from django.utils.http import url_has_allowed_host_and_scheme
 from django.views.generic import View
 from netbox.plugins import get_plugin_config
 from netbox.views import generic
@@ -28,6 +30,17 @@
 User = get_user_model()
 
 
+def redirect_to_login(request):
+    """Redirect to login view."""
+    redirect_url = netbox_settings.LOGIN_URL
+    target = request.path
+
+    if target and url_has_allowed_host_and_scheme(target, allowed_hosts=None):
+        redirect_url = f"{netbox_settings.LOGIN_URL}?next={target}"
+
+    return HttpResponseRedirect(redirect_url)
+
+
 class IngestionLogsView(View):
     """Ingestion logs view."""
 
@@ -36,7 +49,7 @@ class IngestionLogsView(View):
     def get(self, request):
         """Render ingestion logs template."""
         if not request.user.is_authenticated or not request.user.is_staff:
-            return redirect(f"{netbox_settings.LOGIN_URL}?next={request.path}")
+            return redirect_to_login(request)
 
         netbox_to_diode_username = get_diode_username_for_user_type("netbox_to_diode")
         try:
@@ -118,7 +131,7 @@ class SettingsView(View):
     def get(self, request):
         """Render settings template."""
         if not request.user.is_authenticated or not request.user.is_staff:
-            return redirect(f"{netbox_settings.LOGIN_URL}?next={request.path}")
+            return redirect_to_login(request)
 
         diode_target_override = get_plugin_config(
             "netbox_diode_plugin", "diode_target_override"
@@ -187,7 +200,7 @@ class SettingsEditView(generic.ObjectEditView):
     def get(self, request, *args, **kwargs):
         """GET request handler."""
         if not request.user.is_authenticated or not request.user.is_staff:
-            return redirect(f"{netbox_settings.LOGIN_URL}?next={request.path}")
+            return redirect_to_login(request)
 
         diode_target_override = get_plugin_config(
             "netbox_diode_plugin", "diode_target_override"
@@ -207,7 +220,7 @@ def get(self, request, *args, **kwargs):
     def post(self, request, *args, **kwargs):
         """POST request handler."""
         if not request.user.is_authenticated or not request.user.is_staff:
-            return redirect(f"{netbox_settings.LOGIN_URL}?next={request.path}")
+            return redirect_to_login(request)
 
         diode_target_override = get_plugin_config(
             "netbox_diode_plugin", "diode_target_override"
@@ -272,7 +285,7 @@ def _retrieve_users(self):
     def get(self, request):
         """GET request handler."""
         if not request.user.is_authenticated or not request.user.is_staff:
-            return redirect(f"{netbox_settings.LOGIN_URL}?next={request.path}")
+            return redirect_to_login(request)
 
         users = self._retrieve_users()
 
@@ -285,7 +298,7 @@ def get(self, request):
     def post(self, request):
         """POST request handler."""
         if not request.user.is_authenticated or not request.user.is_staff:
-            return redirect(f"{netbox_settings.LOGIN_URL}?next={request.path}")
+            return redirect_to_login(request)
 
         users = self._retrieve_users()
 
