X-Git-Url: https://osm.etsi.org/gitweb/?a=blobdiff_plain;f=osm_nbi%2Fhtml_out.py;h=f591a707a1c045dee7d4f5d1170072e05372bdc5;hb=375aeb2647d733ac894b2408f66d36d55217c92d;hp=1883a9685babe86e5453f9f6456b8cb75f6e24c6;hpb=701018c9f19c0d18b7392ab63686bb5f982e5ea5;p=osm%2FNBI.git
diff --git a/osm_nbi/html_out.py b/osm_nbi/html_out.py
index 1883a96..f591a70 100644
--- a/osm_nbi/html_out.py
+++ b/osm_nbi/html_out.py
@@ -26,7 +26,8 @@ html_start = """
-" + + yaml.safe_dump( + data, explicit_start=False, indent=4, default_flow_style=False + ) + + "" + ) + body = html_body.format(item=html_escape(request.path_info)) if response.status and response.status > 202: - body += html_body_error.format(yaml.safe_dump(data, explicit_start=True, indent=4, default_flow_style=False)) + # input request.path_info (URL) can contain XSS that are translated into output error detail + body += html_body_error.format( + html_escape( + yaml.safe_dump( + data, explicit_start=True, indent=4, default_flow_style=False + ) + ) + ) elif isinstance(data, (list, tuple)): if request.path_info == "/vnfpkgm/v1/vnf_packages": - body += html_upload_body.format(request.path_info, "VNFD") + body += html_upload_body.format(request.path_info + "_content", "VNFD") elif request.path_info == "/nsd/v1/ns_descriptors": body += html_upload_body.format(request.path_info + "_content", "NSD") elif request.path_info == "/nst/v1/nst_templates": @@ -158,24 +189,43 @@ def format(data, request, response, toke_info): data_id = k.pop("_id", None) elif isinstance(k, str): data_id = k - body += '
{id}: {t}
'.format(url=request.path_info, id=data_id, - t=html_escape(str(k))) + body += '{id}: {t}
'.format( + url=request.path_info, id=data_id, t=html_escape(str(k)) + ) elif isinstance(data, dict): if "Location" in response.headers: body += ' show '.format(response.headers["Location"]) else: - body += ' '\ - .format(request.path_info) - if request.path_info.startswith("/nslcm/v1/ns_instances_content/") or \ - request.path_info.startswith("/nslcm/v1/ns_instances/"): - _id = request.path_info[request.path_info.rfind("/")+1:] + _id = request.path_info[request.path_info.rfind("/") + 1 :] + body += ( + ' ' + ' ' + ).format(request.path_info) + if request.path_info.startswith( + "/nslcm/v1/ns_instances_content/" + ) or request.path_info.startswith("/nslcm/v1/ns_instances/"): body += html_nslcmop_body.format(id=_id) - elif request.path_info.startswith("/nsilcm/v1/netslice_instances_content/") or \ - request.path_info.startswith("/nsilcm/v1/netslice_instances/"): - _id = request.path_info[request.path_info.rfind("/")+1:] + elif request.path_info.startswith( + "/nsilcm/v1/netslice_instances_content/" + ) or request.path_info.startswith("/nsilcm/v1/netslice_instances/"): body += html_nsilcmop_body.format(id=_id) - body += "" + html_escape(yaml.safe_dump(data, explicit_start=True, indent=4, default_flow_style=False)) + \ - "" + elif request.path_info.startswith( + "/vnfpkgm/v1/vnf_packages/" + ) or request.path_info.startswith("/vnfpkgm/v1/vnf_packages_content/"): + body += html_vnfpackage_body.format(id=_id) + elif request.path_info.startswith( + "/nsd/v1/ns_descriptors/" + ) or request.path_info.startswith("/nsd/v1/ns_descriptors_content/"): + body += html_nspackage_body.format(id=_id) + body += ( + "
" + + html_escape( + yaml.safe_dump( + data, explicit_start=True, indent=4, default_flow_style=False + ) + ) + + "" + ) elif data is None: if request.method == "DELETE" or "METHOD=DELETE" in request.query_string: body += "
deleted" @@ -186,7 +236,7 @@ def format(data, request, response, toke_info): if toke_info.get("username"): user_text += "user: {}".format(toke_info.get("username")) if toke_info.get("project_id"): - user_text += ", project: {}".format(toke_info.get("project_id")) + user_text += ", project: {}".format(toke_info.get("project_name")) return html_start.format(user_text) + body + html_end # yaml.safe_dump(data, explicit_start=True, indent=4, default_flow_style=False) # tags=False,
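Review bot: `request.path_info`, `data_id` and `_id` are still interpolated into the HTML body without escaping in the `@@ -158,24 +189,43 @@` hunk, while the `t=` value beside them goes through `html_escape`. The commit's own comment in an earlier hunk says `request.path_info` can carry XSS, so the list branch would be consistent as `url=html_escape(request.path_info), id=html_escape(str(data_id)), t=html_escape(str(k))`. The dict branch needs the same treatment for `.format(request.path_info)`, `response.headers["Location"]` and the `id=_id` templates. The markup around these placeholders is not visible on this page, so confirm whether they land in an attribute value (where quotes must be escaped as well) or in element text. `format()` starts and ends outside the hunk.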
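Review bot: The guard in the `@@ -186,7 +236,7 @@` hunk still tests `toke_info.get("project_id")` while the changed line prints `toke_info.get("project_name")`, so a token with an id but no name would render `project: None`. Test the value that is printed: `if toke_info.get("project_name"):`. Both `username` and `project_name` also reach `html_start.format(user_text)` without `html_escape`, unlike the other values this commit escapes. If either can be set by a user, that markup would appear in the header of every page, so wrap them, e.g. `user_text += ", project: {}".format(html_escape(str(toke_info.get("project_name"))))`. `format()` starts outside the hunk.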