starred/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2026-01-12 05:20:31 +01:00
Code Issues 273 Packages Projects Releases 10 Wiki Activity

Authentication Bypass in GraphQL Queries for Users/Tokens Lacking Permissions #9743

New Issue
Closed
opened 2025-12-29 21:21:57 +01:00 by adam · 8 comments
adam commented 2025-12-29 21:21:57 +01:00
Owner
Copy Link

Originally created by @kiraum on GitHub (May 24, 2024).

Originally assigned to: @DanSheps on GitHub.

Deployment Type

Self-hosted

NetBox Version

v4.0.3

Python Version

3.11

Steps to Reproduce

Test user does not have any permissions associated with it (I am using the admin token to make the query):

% curl -s -H "Authorization: Token 28a079fb8aa5e107583583dbeb7deb027121a15a" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/api/users/users/\?username\=test | jq -r '.results[] | .username, .permissions'
test
[]

Test user token:

% curl -s -H "Authorization: Token 28a079fb8aa5e107583583dbeb7deb027121a15a" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/api/users/tokens/ | jq -r '.results[] | select(.user.username == "test") | .user.username, .key'
test
4f745a0b1c13168c95883ee004f17df7ef96e42a

Now using the test user token without any permissions via Graphql:

% curl -s -H "Authorization: Token 4f745a0b1c13168c95883ee004f17df7ef96e42a" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/graphql/ \
--data '{"query": "query {asn(id:1) {asn}}"}'
{"data": {"asn": {"asn": 666}}}%

% curl -s -H "Authorization: Token 4f745a0b1c13168c95883ee004f17df7ef96e42a" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/graphql/ \
--data '{"query": "query {provider(id:1) {name}}"}'
{"data": {"provider": {"name": "test-p"}}}%

In my understanding, if a user/token has no permissions, it should reject by default.

Version:

% curl -s -H "Authorization: Token 28a079fb8aa5e107583583dbeb7deb027121a15a" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/api/status/ | jq -r '.'
{
  "django-version": "5.0.6",
  "installed-apps": {
    "debug_toolbar": "4.3.0",
    "django_filters": "24.2",
    "django_prometheus": "2.3.1",
    "django_rq": "2.10.2",
    "django_tables2": "2.7.0",
    "drf_spectacular": "0.27.2",
    "drf_spectacular_sidecar": "2024.5.1",
    "mptt": "0.16.0",
    "rest_framework": "3.15.1",
    "social_django": "5.4.1",
    "taggit": "5.0.1",
    "timezone_field": "6.1.0"
  },
  "netbox-version": "4.0.3",
  "plugins": {},
  "python-version": "3.11.6",
  "rq-workers-running": 2
}

This may be related with the issue#16228.

Expected Behavior

The system should reject GraphQL queries from users or tokens that do not have the necessary permissions.

Observed Behavior

During testing, it was discovered that if a user or token lacks permissions, the system does not enforce authentication for GraphQL queries. This was observed using a test user with no permissions, where GraphQL queries still returned sensitive data.

GraphQL queries are processed and data is returned even when the user or token has no permissions.

Further investigation is needed to confirm the scope and cause of the authentication bypass. Additional details will be provided upon request.

Originally created by @kiraum on GitHub (May 24, 2024). Originally assigned to: @DanSheps on GitHub. ### Deployment Type Self-hosted ### NetBox Version v4.0.3 ### Python Version 3.11 ### Steps to Reproduce Test user does not have any permissions associated with it (I am using the admin token to make the query): ```bash % curl -s -H "Authorization: Token 28a079fb8aa5e107583583dbeb7deb027121a15a" \ -H "Content-Type: application/json" \ -H "Accept: application/json" \ http://localhost:8000/api/users/users/\?username\=test | jq -r '.results[] | .username, .permissions' test [] ``` Test user token: ```bash % curl -s -H "Authorization: Token 28a079fb8aa5e107583583dbeb7deb027121a15a" \ -H "Content-Type: application/json" \ -H "Accept: application/json" \ http://localhost:8000/api/users/tokens/ | jq -r '.results[] | select(.user.username == "test") | .user.username, .key' test 4f745a0b1c13168c95883ee004f17df7ef96e42a ``` Now using the test user token without any permissions via Graphql: ```bash % curl -s -H "Authorization: Token 4f745a0b1c13168c95883ee004f17df7ef96e42a" \ -H "Content-Type: application/json" \ -H "Accept: application/json" \ http://localhost:8000/graphql/ \ --data '{"query": "query {asn(id:1) {asn}}"}' {"data": {"asn": {"asn": 666}}}% ``` ```bash % curl -s -H "Authorization: Token 4f745a0b1c13168c95883ee004f17df7ef96e42a" \ -H "Content-Type: application/json" \ -H "Accept: application/json" \ http://localhost:8000/graphql/ \ --data '{"query": "query {provider(id:1) {name}}"}' {"data": {"provider": {"name": "test-p"}}}% ``` In my understanding, if a user/token has no permissions, it should reject by default. Version: ```bash % curl -s -H "Authorization: Token 28a079fb8aa5e107583583dbeb7deb027121a15a" \ -H "Content-Type: application/json" \ -H "Accept: application/json" \ http://localhost:8000/api/status/ | jq -r '.' { "django-version": "5.0.6", "installed-apps": { "debug_toolbar": "4.3.0", "django_filters": "24.2", "django_prometheus": "2.3.1", "django_rq": "2.10.2", "django_tables2": "2.7.0", "drf_spectacular": "0.27.2", "drf_spectacular_sidecar": "2024.5.1", "mptt": "0.16.0", "rest_framework": "3.15.1", "social_django": "5.4.1", "taggit": "5.0.1", "timezone_field": "6.1.0" }, "netbox-version": "4.0.3", "plugins": {}, "python-version": "3.11.6", "rq-workers-running": 2 } ``` This may be related with the issue#16228. ### Expected Behavior The system should reject GraphQL queries from users or tokens that do not have the necessary permissions. ### Observed Behavior During testing, it was discovered that if a user or token lacks permissions, the system does not enforce authentication for GraphQL queries. This was observed using a test user with no permissions, where GraphQL queries still returned sensitive data. GraphQL queries are processed and data is returned even when the user or token has no permissions. Further investigation is needed to confirm the scope and cause of the authentication bypass. Additional details will be provided upon request.
adam added the type: bugstatus: acceptedseverity: high labels 2025-12-29 21:21:57 +01:00
adam closed this issue 2025-12-29 21:21:57 +01:00
adam commented 2025-12-29 21:21:58 +01:00
Author
Owner
Copy Link

@arthanson commented on GitHub (May 24, 2024):

@kiraum are you sure this is NetBox 4.0.3? This sounds like #16228 which was in NetBox 4.0.2 but fixed in 4.0.3

@arthanson commented on GitHub (May 24, 2024): @kiraum are you sure this is NetBox 4.0.3? This sounds like #16228 which was in NetBox 4.0.2 but fixed in 4.0.3
adam commented 2025-12-29 21:21:58 +01:00
Author
Owner
Copy Link

@kiraum commented on GitHub (May 24, 2024):

@arthanson, I was running 4.0.2, but pulled new image, and via API/UI, I do see version 4.0.3:
image
image
image

unit@45f666ac0bd0:/opt/netbox$ head -3 docs/release-notes/version-4.0.md
# NetBox v4.0

## v4.0.3 (2024-05-22)

docker image inspect f876940be42f | jq -r '.[].Config.Labels."netbox.git-ref"'
3f345cdbee016243ab5162456ea5415472a2f2df

3f345cdbee

Should I rely on those versions or do we have a better (more reliable) way to check it?

I've destroyed the environment, and recreated to see if there wasn't left overs from the old build, but still the same.

@kiraum commented on GitHub (May 24, 2024): @arthanson, I was running 4.0.2, but pulled new image, and via API/UI, I do see version 4.0.3: <img width="864" alt="image" src="https://github.com/netbox-community/netbox/assets/13142853/f3cf4f78-b80f-4c19-9a6c-631b3b502d1c"> <img width="345" alt="image" src="https://github.com/netbox-community/netbox/assets/13142853/af25a255-629f-42c9-8d8f-23d655840e36"> <img width="585" alt="image" src="https://github.com/netbox-community/netbox/assets/13142853/6cab872d-82c1-4477-bff6-6a5f3b6c60d2"> ```bash unit@45f666ac0bd0:/opt/netbox$ head -3 docs/release-notes/version-4.0.md # NetBox v4.0 ## v4.0.3 (2024-05-22) ``` ```bash docker image inspect f876940be42f | jq -r '.[].Config.Labels."netbox.git-ref"' 3f345cdbee016243ab5162456ea5415472a2f2df ``` https://github.com/netbox-community/netbox/commit/3f345cdbee016243ab5162456ea5415472a2f2df Should I rely on those versions or do we have a better (more reliable) way to check it? I've destroyed the environment, and recreated to see if there wasn't left overs from the old build, but still the same.
adam commented 2025-12-29 21:21:59 +01:00
Author
Owner
Copy Link

@DanSheps commented on GitHub (May 27, 2024):

I just tested this. I am not able to reproduce.

Please provide more comprehensive steps including what objects to create for testing against (I see you are querying ASN's but I don't see how to create that ASN specifically)

@DanSheps commented on GitHub (May 27, 2024): I just tested this. I am not able to reproduce. Please provide more comprehensive steps including what objects to create for testing against (I see you are querying ASN's but I don't see how to create that ASN specifically)
adam commented 2025-12-29 21:21:59 +01:00
Author
Owner
Copy Link

@kiraum commented on GitHub (May 27, 2024):

@DanSheps , thanks for checking, follow the step by step:

» git clone git@github.com:netbox-community/netbox-docker.git
» cd netbox-docker
» tee docker-compose.override.yml <<EOF
services:
  netbox:
    ports:
      - 8000:8080
EOF
services:
  netbox:
    ports:
      - 8000:8080
» vi docker-compose.yml
» git diff
diff --git a/docker-compose.yml b/docker-compose.yml
index 958561f..afc6905 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
   netbox: &netbox
-    image: docker.io/netboxcommunity/netbox:${VERSION-v4.0-2.9.1}
+    image: docker.io/netboxcommunity/netbox:${VERSION-v4.0.3-2.9.1}
     depends_on:
     - postgres
     - redis
» docker-compose pull
» docker-compose up -d
» docker image ls
REPOSITORY               TAG            IMAGE ID       CREATED      SIZE
netboxcommunity/netbox   v4.0.3-2.9.1   f876940be42f   3 days ago   707MB
redis                    7-alpine       cdb453bbf446   4 days ago   42MB
postgres                 16-alpine      1220ef94dbc4   5 days ago   250MB
» docker image inspect f876940be42f | jq -r '.[].Config.Labels."netbox.git-ref"'
3f345cdbee016243ab5162456ea5415472a2f2df
» docker compose exec netbox /opt/netbox/netbox/manage.py createsuperuser
# created an user test via UI, without group/permissions (not superadmin)
# created token b97beb333cf5f381025440a4037b3284373b3ab3 associated with user test
# created a provider, just to have something to query

Here, I can get data without permissions set to the user:

» curl -s -H "Authorization: Token b97beb333cf5f381025440a4037b3284373b3ab3" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/graphql/ \
--data '{"query": "query {provider(id:1) {name}}"}'
{"data": {"provider": {"name": "test-p"}}}%

» curl -s -H "Authorization: Token b97beb333cf5f381025440a4037b3284373b3ab3" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/api/status/ | jq '.'
{
  "django-version": "5.0.6",
  "installed-apps": {
    "debug_toolbar": "4.3.0",
    "django_filters": "24.2",
    "django_prometheus": "2.3.1",
    "django_rq": "2.10.2",
    "django_tables2": "2.7.0",
    "drf_spectacular": "0.27.2",
    "drf_spectacular_sidecar": "2024.5.1",
    "mptt": "0.16.0",
    "rest_framework": "3.15.1",
    "social_django": "5.4.1",
    "taggit": "5.0.1",
    "timezone_field": "6.1.0"
  },
  "netbox-version": "4.0.3",
  "plugins": {},
  "python-version": "3.11.6",
  "rq-workers-running": 1
}

If I try to get user details with the token without permissions, I do see a reject:

» curl -s -H "Authorization: Token b97beb333cf5f381025440a4037b3284373b3ab3" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/api/users/users/\?username\=test
{"detail":"You do not have permission to perform this action."}%

Using a superuser token, just to show the current permissions and tokens:

» curl -s -H "Authorization: Token 6065f2a66b6b6e08c4ea68b07976e998f6b29a67" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/api/users/users/\?username\=test | jq '.'
{
  "count": 1,
  "next": null,
  "previous": null,
  "results": [
    {
      "id": 2,
      "url": "http://localhost:8000/api/users/users/2/",
      "display": "test",
      "username": "test",
      "first_name": "",
      "last_name": "",
      "email": "",
      "is_staff": false,
      "is_active": true,
      "date_joined": "2024-05-27T20:25:24.362362Z",
      "last_login": null,
      "groups": [],
      "permissions": []
    }
  ]
}

» curl -s -H "Authorization: Token 6065f2a66b6b6e08c4ea68b07976e998f6b29a67" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/api/users/tokens/ | jq -r '.'
{
  "count": 2,
  "next": null,
  "previous": null,
  "results": [
    {
      "id": 1,
      "url": "http://localhost:8000/api/users/tokens/1/",
      "display": "b97beb333cf5f381025440a4037b3284373b3ab3",
      "user": {
        "id": 2,
        "url": "http://localhost:8000/api/users/users/2/",
        "display": "test",
        "username": "test"
      },
      "created": "2024-05-27T20:26:12.198312Z",
      "expires": null,
      "last_used": "2024-05-27T20:31:55.628047Z",
      "key": "b97beb333cf5f381025440a4037b3284373b3ab3",
      "write_enabled": true,
      "description": "",
      "allowed_ips": []
    },
    {
      "id": 2,
      "url": "http://localhost:8000/api/users/tokens/2/",
      "display": "6065f2a66b6b6e08c4ea68b07976e998f6b29a67",
      "user": {
        "id": 1,
        "url": "http://localhost:8000/api/users/users/1/",
        "display": "admin",
        "username": "admin"
      },
      "created": "2024-05-27T20:36:55.815834Z",
      "expires": null,
      "last_used": "2024-05-27T20:38:40.961444Z",
      "key": "6065f2a66b6b6e08c4ea68b07976e998f6b29a67",
      "write_enabled": true,
      "description": "",
      "allowed_ips": []
    }
  ]
}

Thanks, and please let me know if you need something else.

@kiraum commented on GitHub (May 27, 2024): @DanSheps , thanks for checking, follow the step by step: ``` » git clone git@github.com:netbox-community/netbox-docker.git » cd netbox-docker » tee docker-compose.override.yml <<EOF services: netbox: ports: - 8000:8080 EOF services: netbox: ports: - 8000:8080 » vi docker-compose.yml » git diff diff --git a/docker-compose.yml b/docker-compose.yml index 958561f..afc6905 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,6 +1,6 @@ services: netbox: &netbox - image: docker.io/netboxcommunity/netbox:${VERSION-v4.0-2.9.1} + image: docker.io/netboxcommunity/netbox:${VERSION-v4.0.3-2.9.1} depends_on: - postgres - redis » docker-compose pull » docker-compose up -d » docker image ls REPOSITORY TAG IMAGE ID CREATED SIZE netboxcommunity/netbox v4.0.3-2.9.1 f876940be42f 3 days ago 707MB redis 7-alpine cdb453bbf446 4 days ago 42MB postgres 16-alpine 1220ef94dbc4 5 days ago 250MB » docker image inspect f876940be42f | jq -r '.[].Config.Labels."netbox.git-ref"' 3f345cdbee016243ab5162456ea5415472a2f2df » docker compose exec netbox /opt/netbox/netbox/manage.py createsuperuser # created an user test via UI, without group/permissions (not superadmin) # created token b97beb333cf5f381025440a4037b3284373b3ab3 associated with user test # created a provider, just to have something to query ``` Here, I can get data without permissions set to the user: ``` » curl -s -H "Authorization: Token b97beb333cf5f381025440a4037b3284373b3ab3" \ -H "Content-Type: application/json" \ -H "Accept: application/json" \ http://localhost:8000/graphql/ \ --data '{"query": "query {provider(id:1) {name}}"}' {"data": {"provider": {"name": "test-p"}}}% ``` ``` » curl -s -H "Authorization: Token b97beb333cf5f381025440a4037b3284373b3ab3" \ -H "Content-Type: application/json" \ -H "Accept: application/json" \ http://localhost:8000/api/status/ | jq '.' { "django-version": "5.0.6", "installed-apps": { "debug_toolbar": "4.3.0", "django_filters": "24.2", "django_prometheus": "2.3.1", "django_rq": "2.10.2", "django_tables2": "2.7.0", "drf_spectacular": "0.27.2", "drf_spectacular_sidecar": "2024.5.1", "mptt": "0.16.0", "rest_framework": "3.15.1", "social_django": "5.4.1", "taggit": "5.0.1", "timezone_field": "6.1.0" }, "netbox-version": "4.0.3", "plugins": {}, "python-version": "3.11.6", "rq-workers-running": 1 } ``` If I try to get user details with the token without permissions, I do see a reject: ``` » curl -s -H "Authorization: Token b97beb333cf5f381025440a4037b3284373b3ab3" \ -H "Content-Type: application/json" \ -H "Accept: application/json" \ http://localhost:8000/api/users/users/\?username\=test {"detail":"You do not have permission to perform this action."}% ``` Using a superuser token, just to show the current permissions and tokens: ``` » curl -s -H "Authorization: Token 6065f2a66b6b6e08c4ea68b07976e998f6b29a67" \ -H "Content-Type: application/json" \ -H "Accept: application/json" \ http://localhost:8000/api/users/users/\?username\=test | jq '.' { "count": 1, "next": null, "previous": null, "results": [ { "id": 2, "url": "http://localhost:8000/api/users/users/2/", "display": "test", "username": "test", "first_name": "", "last_name": "", "email": "", "is_staff": false, "is_active": true, "date_joined": "2024-05-27T20:25:24.362362Z", "last_login": null, "groups": [], "permissions": [] } ] } » curl -s -H "Authorization: Token 6065f2a66b6b6e08c4ea68b07976e998f6b29a67" \ -H "Content-Type: application/json" \ -H "Accept: application/json" \ http://localhost:8000/api/users/tokens/ | jq -r '.' { "count": 2, "next": null, "previous": null, "results": [ { "id": 1, "url": "http://localhost:8000/api/users/tokens/1/", "display": "b97beb333cf5f381025440a4037b3284373b3ab3", "user": { "id": 2, "url": "http://localhost:8000/api/users/users/2/", "display": "test", "username": "test" }, "created": "2024-05-27T20:26:12.198312Z", "expires": null, "last_used": "2024-05-27T20:31:55.628047Z", "key": "b97beb333cf5f381025440a4037b3284373b3ab3", "write_enabled": true, "description": "", "allowed_ips": [] }, { "id": 2, "url": "http://localhost:8000/api/users/tokens/2/", "display": "6065f2a66b6b6e08c4ea68b07976e998f6b29a67", "user": { "id": 1, "url": "http://localhost:8000/api/users/users/1/", "display": "admin", "username": "admin" }, "created": "2024-05-27T20:36:55.815834Z", "expires": null, "last_used": "2024-05-27T20:38:40.961444Z", "key": "6065f2a66b6b6e08c4ea68b07976e998f6b29a67", "write_enabled": true, "description": "", "allowed_ips": [] } ] } ``` Thanks, and please let me know if you need something else.
adam commented 2025-12-29 21:21:59 +01:00
Author
Owner
Copy Link

@kiraum commented on GitHub (May 28, 2024):

Hi, I noticed that I left write enable during the latest test, follow the result with write_enable as false for the test token in the same environment/deploy:

» curl -s -H "Authorization: Token 6065f2a66b6b6e08c4ea68b07976e998f6b29a67" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/api/users/tokens/ | jq -r '.'
{
  "count": 2,
  "next": null,
  "previous": null,
  "results": [
    {
      "id": 1,
      "url": "http://localhost:8000/api/users/tokens/1/",
      "display": "b97beb333cf5f381025440a4037b3284373b3ab3",
      "user": {
        "id": 2,
        "url": "http://localhost:8000/api/users/users/2/",
        "display": "test",
        "username": "test"
      },
      "created": "2024-05-27T20:26:12.198312Z",
      "expires": null,
      "last_used": "2024-05-27T20:31:55.628047Z",
      "key": "b97beb333cf5f381025440a4037b3284373b3ab3",
      "write_enabled": false,
      "description": "",
      "allowed_ips": []
    },
    {
      "id": 2,
      "url": "http://localhost:8000/api/users/tokens/2/",
      "display": "6065f2a66b6b6e08c4ea68b07976e998f6b29a67",
      "user": {
        "id": 1,
        "url": "http://localhost:8000/api/users/users/1/",
        "display": "admin",
        "username": "admin"
      },
      "created": "2024-05-27T20:36:55.815834Z",
      "expires": null,
      "last_used": "2024-05-28T04:34:33.458954Z",
      "key": "6065f2a66b6b6e08c4ea68b07976e998f6b29a67",
      "write_enabled": true,
      "description": "",
      "allowed_ips": []
    }
  ]
}

» curl -s -H "Authorization: Token b97beb333cf5f381025440a4037b3284373b3ab3" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
http://localhost:8000/graphql/ \
--data '{"query": "query {provider(id:1) {name}}"}'
{"data": {"provider": {"name": "test-p"}}}%
@kiraum commented on GitHub (May 28, 2024): Hi, I noticed that I left write enable during the latest test, follow the result with write_enable as false for the test token in the same environment/deploy: ``` » curl -s -H "Authorization: Token 6065f2a66b6b6e08c4ea68b07976e998f6b29a67" \ -H "Content-Type: application/json" \ -H "Accept: application/json" \ http://localhost:8000/api/users/tokens/ | jq -r '.' { "count": 2, "next": null, "previous": null, "results": [ { "id": 1, "url": "http://localhost:8000/api/users/tokens/1/", "display": "b97beb333cf5f381025440a4037b3284373b3ab3", "user": { "id": 2, "url": "http://localhost:8000/api/users/users/2/", "display": "test", "username": "test" }, "created": "2024-05-27T20:26:12.198312Z", "expires": null, "last_used": "2024-05-27T20:31:55.628047Z", "key": "b97beb333cf5f381025440a4037b3284373b3ab3", "write_enabled": false, "description": "", "allowed_ips": [] }, { "id": 2, "url": "http://localhost:8000/api/users/tokens/2/", "display": "6065f2a66b6b6e08c4ea68b07976e998f6b29a67", "user": { "id": 1, "url": "http://localhost:8000/api/users/users/1/", "display": "admin", "username": "admin" }, "created": "2024-05-27T20:36:55.815834Z", "expires": null, "last_used": "2024-05-28T04:34:33.458954Z", "key": "6065f2a66b6b6e08c4ea68b07976e998f6b29a67", "write_enabled": true, "description": "", "allowed_ips": [] } ] } » curl -s -H "Authorization: Token b97beb333cf5f381025440a4037b3284373b3ab3" \ -H "Content-Type: application/json" \ -H "Accept: application/json" \ http://localhost:8000/graphql/ \ --data '{"query": "query {provider(id:1) {name}}"}' {"data": {"provider": {"name": "test-p"}}}% ```
adam commented 2025-12-29 21:21:59 +01:00
Author
Owner
Copy Link

@github-actions[bot] commented on GitHub (Jun 5, 2024):

This is a reminder that additional information is needed in order to further triage this issue. If the requested details are not provided, the issue will soon be closed automatically.

@github-actions[bot] commented on GitHub (Jun 5, 2024): This is a reminder that additional information is needed in order to further triage this issue. If the requested details are not provided, the issue will soon be closed automatically.
adam commented 2025-12-29 21:22:00 +01:00
Author
Owner
Copy Link

@kiraum commented on GitHub (Jun 5, 2024):

@DanSheps do you need more details? Received a message from @github telling if details are not provided issue will be resolved.

@kiraum commented on GitHub (Jun 5, 2024): @DanSheps do you need more details? Received a message from @github telling if details are not provided issue will be resolved.
adam commented 2025-12-29 21:22:00 +01:00
Author
Owner
Copy Link

@DanSheps commented on GitHub (Aug 22, 2024):

Alright,

The fundamental issue is that for a single ASN query, we have:

class IPAMQuery:
    @strawberry.field
    def asn(self, id: int) -> ASNType:
        return models.ASN.objects.get(pk=id)

the models.ASN.objects.get(pk=id) is just simply not calling restrict. AFAIK, all models are impacted by this.

@DanSheps commented on GitHub (Aug 22, 2024): Alright, The fundamental issue is that for a single ASN query, we have: ``` class IPAMQuery: @strawberry.field def asn(self, id: int) -> ASNType: return models.ASN.objects.get(pk=id) ``` the `models.ASN.objects.get(pk=id)` is just simply not calling restrict. AFAIK, all models are impacted by this.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
beta
breaking change
complexity: high
complexity: low
complexity: medium
needs milestone
netbox
pending closure
plugin candidate
pull-request
Mirrored from GitHub Pull Request
 severity: high
severity: low
severity: medium
status: accepted
status: backlog
status: blocked
status: duplicate
status: needs owner
status: needs triage
status: revisions needed
status: under review
topic: GraphQL
topic: Internationalization
topic: OpenAPI
topic: UI/UX
topic: cabling
topic: event rules
topic: htmx navigation
topic: industrialization
topic: migrations
topic: plugins
topic: scripts
topic: templating
topic: testing
type: bug
type: deprecation
type: documentation
type: feature
type: housekeeping
type: translation
No Label severity: high status: accepted type: bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/netbox#9743
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?