starred/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2026-04-22 16:58:49 +02:00
Code Issues 273 Packages Projects Releases 10 Wiki Activity

Fixes #20442: Mark template-accessible methods with alters_data=True

Browse Source 
Add alters_data=True to methods that modify database or filesystem state
and are accessible from Jinja2 sandbox template contexts:

- UserConfig.set(), clear(): Persist preference changes when commit=True
- ManagedFile.sync_data(): Writes files to scripts/reports storage
- ScriptModule.sync_classes(), sync_data(): Creates/deletes Script objects
- Job.start(), terminate(): Updates job status, creates notifications

Methods intentionally not protected:
- DataFile.refresh_from_disk(): Only modifies instance attributes in memory
- Overridden save()/delete(): Django's AltersData mixin auto-propagates
- Properties like Script.python_class: Not callable in template context

Ref: #20356 for exploit details demonstrating the vulnerability
This commit is contained in:
Jason Novinger
2026-02-13 06:53:28 -06:00
parent 5bf516c63d
commit 57fe5ee1ea
4 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
netbox/core/models/files.py
View File

@@ -89,6 +89,7 @@ class ManagedFile(SyncedDataMixin, models.Model):
with storage.open(self.full_path, 'wb+') as new_file: with storage.open(self.full_path, 'wb+') as new_file:
new_file.write(self.data_file.data) new_file.write(self.data_file.data)
sync_data.alters_data = True
@cached_property @cached_property
def storage(self): def storage(self):

2
netbox/core/models/jobs.py
View File

@@ -216,6 +216,7 @@ class Job(models.Model):
# Send signal # Send signal
job_start.send(self) job_start.send(self)
start.alters_data = True
def terminate(self, status=JobStatusChoices.STATUS_COMPLETED, error=None): def terminate(self, status=JobStatusChoices.STATUS_COMPLETED, error=None):
""" """
@@ -245,6 +246,7 @@ class Job(models.Model):
# Send signal # Send signal
job_end.send(self) job_end.send(self)
terminate.alters_data = True
def log(self, record: logging.LogRecord): def log(self, record: logging.LogRecord):
""" """

2
netbox/extras/models/scripts.py
View File

@@ -178,9 +178,11 @@ class ScriptModule(PythonModuleMixin, JobsMixin, ManagedFile):
name=name, name=name,
is_executable=True, is_executable=True,
) )
sync_classes.alters_data = True
def sync_data(self): def sync_data(self):
super().sync_data() super().sync_data()
sync_data.alters_data = True
def save(self, *args, **kwargs): def save(self, *args, **kwargs):
self.file_root = ManagedFileRootPathChoices.SCRIPTS self.file_root = ManagedFileRootPathChoices.SCRIPTS

2
netbox/users/models/preferences.py
View File

@@ -113,6 +113,7 @@ class UserConfig(models.Model):
if commit: if commit:
self.save() self.save()
set.alters_data = True
def clear(self, path, commit=False): def clear(self, path, commit=False):
""" """
@@ -140,3 +141,4 @@ class UserConfig(models.Model):
if commit: if commit:
self.save() self.save()
clear.alters_data = True