First of all, thanks for all the work done on Netbox!
Custom script input is properly validated on the WebUI (with a Django form), but on the REST API side of the feature, there's just a JSONField that validates JSON well-formedness and... that's all.
This is a real issue when ObjectVars are used in the script, since we obtain a number or a string instead of the expected model instance in the data dictionary.
Netbox users seem to mitigate the issue in various ways (as in #8344, #16255), which generally implies using a non-declared script variable, or checking script variable types before using them.
In my opinion, there are two things to be done:
- create a function similar to BaseScript.as_form(), which would return a proper Django Rest Framework serializer to validate the script input, and make it match the validation rules set in StringVar/ObjectVar/etc. on the Script object.
- add an "api_lookup_field" property on ObjectVars, to allow developers to change which model field will be used to find a given model instance. By default we should use the id field, but using the slug could be interesting in some cases.
I volunteer to implement this feature if considered relevant.
However, this is a breaking change: existing scripts could break once input validation is applied on the REST API.
Should we implement said validation? And should we make API input validation optional to begin with, and later make it mandatory?
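The validation gap described in the post, as an added example that is not part of the original post and is not NetBox or Django REST Framework code: a plain-Python stand-in that checks an API payload against a script's declared variables and resolves object references to instances. `StringVar` and `ObjectVar` here are simplified stand-in classes that only share names with NetBox's; `Site`, `SITES` and `validate_script_input` are hypothetical, and `api_lookup_field` is the property proposed in the post.

```python
# Added illustration: stand-in classes, NOT NetBox's or DRF's real API.
from dataclasses import dataclass

class ValidationError(Exception):
    """args[0] holds a dict mapping variable name -> error message."""

@dataclass(frozen=True)
class Site:                          # stand-in for a model instance
    id: int
    slug: str

SITES = [Site(1, "dc-paris"), Site(2, "dc-lyon")]   # constructed sample data

@dataclass
class StringVar:
    max_length: int = 200
    def clean(self, value):
        if not isinstance(value, str) or len(value) > self.max_length:
            raise ValueError("expected a string of at most %d chars" % self.max_length)
        return value

@dataclass
class ObjectVar:
    queryset: list
    api_lookup_field: str = "id"     # property proposed in the post; id by default
    def clean(self, value):
        # bool is an int subclass (True == 1), so reject it along with containers
        if isinstance(value, bool) or not isinstance(value, (int, str)):
            raise ValueError("expected a scalar reference")
        matches = [o for o in self.queryset
                   if getattr(o, self.api_lookup_field) == value]
        if len(matches) != 1:
            raise ValueError("no unique object with %s=%r" % (self.api_lookup_field, value))
        return matches[0]            # the script receives an instance, not a raw id

def validate_script_input(declared, payload):
    """Return cleaned data or raise ValidationError listing every bad field."""
    if not isinstance(payload, dict):
        raise ValidationError({"__all__": "payload must be a JSON object"})
    cleaned = {}
    errors = {name: "undeclared variable" for name in payload.keys() - declared.keys()}
    for name, var in declared.items():
        try:
            if name not in payload:
                raise ValueError("this field is required")
            cleaned[name] = var.clean(payload[name])
        except ValueError as exc:
            errors[name] = str(exc)
    if errors:
        raise ValidationError(errors)
    return cleaned
```

Rejecting undeclared keys is the part that would break scripts relying on non-declared variables, which is the compatibility concern the post raises.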