From d8146636ea0cb3b325b9b7d14806e249c45e37b9 Mon Sep 17 00:00:00 2001 From: nogoodidea Date: Mon, 26 Feb 2024 19:15:27 -0500 Subject: [PATCH 1/9] added input valadation --- proxstar/__init__.py | 9 ++++++++- proxstar/static/js/script.js | 11 ++++++++++- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/proxstar/__init__.py b/proxstar/__init__.py index f5a03b5..c72f0f5 100644 --- a/proxstar/__init__.py +++ b/proxstar/__init__.py @@ -412,6 +412,8 @@ def vm_renew(vmid): @app.route('/vm//disk/create/', methods=['POST']) @auth.oidc_auth def create_disk(vmid, size): + if(size =< 0):## are they trying to disk with zero size + return '', 400 user = User(session['userinfo']['preferred_username']) connect_proxmox() if user.rtp or int(vmid) in user.allowed_vms: @@ -589,8 +591,13 @@ def create(): name = request.form['name'].lower() cores = request.form['cores'] memory = request.form['mem'] - template = request.form['template'] disk = request.form['disk'] + ## CHECK STUFF DEAR GOD + if(int(cores) <= 0 or int(memory) <= 0 or int(disk) <= 0){ + return 'VM creation with cores and/or mem and/or disk values that are less than 0' 400 + } + + template = request.form['template'] iso = request.form['iso'] ssh_key = request.form['ssh_key'] if iso != 'none': diff --git a/proxstar/static/js/script.js b/proxstar/static/js/script.js index 6f61324..2e1708b 100644 --- a/proxstar/static/js/script.js +++ b/proxstar/static/js/script.js 
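Review bot: `size` arrives as a URL path segment, and unless the route declares an `int:` converter (the converter text is not visible in the collapsed route `'/vm//disk/create/'`, and the neighbouring `int(vmid)` suggests the segments are plain strings) the new comparison `size <= 0` is a str-vs-int comparison that raises TypeError, so the request ends in a 500 instead of the intended 400. Convert first and reject non-numeric input explicitly: `try: size = int(size)` / `except ValueError: return '', 400`, followed by `if size <= 0: return '', 400`. The `=<` token in this version is a syntax error, but patch 4/9 already corrects it to `<=`; the type issue survives that patch unchanged. create_disk's body continues beyond the hunk.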
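Review bot: `int(cores)`, `int(memory)` and `int(disk)` are applied to raw form fields, so a non-numeric or empty value raises ValueError and the handler answers 500 rather than the 400 this check is meant to produce; wrap the conversions in `try`/`except ValueError` and return the same 400 response from the except branch. The response text says the values are 'less than 0' while the condition also rejects 0, so it should read 'less than or equal to 0' or 'must be positive'. The same check is reworked in patches 4/9 through 9/9 (its final form is in the last patch's `create()`), and none of them addresses the ValueError path. The braces and the missing comma in this version are repaired by the later patches, so they are not raised here.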
@@ -238,12 +238,21 @@ $("#create-vm").click(function(){ if (name && disk) { if (template != 'none' && !ssh_regex.test(ssh_key)) { swal("Uh oh...", "Invalid SSH key!", "error"); + // MAXIMUM BOUNDS CHECK } else if (disk > max_disk) { swal("Uh oh...", `You do not have enough disk resources available! Please lower the VM disk size to ${max_disk}GB or lower.`, "error"); } else if (template != 'none' && cores > max_cpu) { swal("Uh oh...", `You do not have enough CPU resources available! Please lower the VM cores to ${max_cpu} or lower.`, "error"); } else if (template != 'none' && mem/1024 > max_mem) { swal("Uh oh...", `You do not have enough memory resources available! Please lower the VM memory to ${max_mem}GB or lower.`, "error"); + // MINIMUM BOUNDS CHECK + else if(0 <= disk){ + swal("Uh oh...", `Selected disk size is less than 0.`,"error"); + }else if(0 <= cores){ + swal("Uh oh...", `Selected cores amount is less than 0.`,"error"); + }else if(0 <= mem){ + swal("Uh oh...", `Selected memory size is less than 0.`,"error"); + } } else { fetch(`/hostname/${name}`, { credentials: 'same-origin', @@ -1155,4 +1164,4 @@ $(".delete-disk").click(function(){ const vmid = $(this).data('vmid') const disk = $(this).data('disk') confirmDialog(`/vm/${vmid}/disk/${disk}/delete`, `Are you sure you want to delete ${disk}?`, "Delete", `Deleting ${disk}!`, `Unable to delete disk. Please try again later.`, `/vm/${vmid}`, true) -}); \ No newline at end of file +}); From 5c86afebbf4369ac4031681bc8247063c1e6bf20 Mon Sep 17 00:00:00 2001 From: nogoodidea Date: Mon, 26 Feb 2024 19:28:17 -0500 Subject: [PATCH 2/9] fixes lint error --- proxstar/__init__.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/proxstar/__init__.py b/proxstar/__init__.py index c72f0f5..5f6b362 100644 --- a/proxstar/__init__.py +++ b/proxstar/__init__.py 
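Review bot: The new `// MINIMUM BOUNDS CHECK` branch is inserted after the `mem/1024 > max_mem` `swal(...)` call without closing that block, so the `else if` that follows is a syntax error and script.js stops parsing, taking every client-side check on the page with it. The comparisons are also reversed: `0 <= disk` is true for every non-negative value, so once the brace is restored any valid size would hit the 'less than 0' message; the three conditions should read `} else if (disk <= 0) {`, `} else if (cores <= 0) {` and `} else if (mem <= 0) {`, with the messages changed to match, e.g. 'must be greater than 0'. The click handler starts before and ends after this hunk. These checks are advisory; the server-side check in `create()` is the one that has to hold.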
@@ -412,8 +412,9 @@ def vm_renew(vmid): @app.route('/vm//disk/create/', methods=['POST']) @auth.oidc_auth def create_disk(vmid, size): - if(size =< 0):## are they trying to disk with zero size - return '', 400 + ## are they trying to disk with zero size + if(size =< 0): + return '', 400 user = User(session['userinfo']['preferred_username']) connect_proxmox() if user.rtp or int(vmid) in user.allowed_vms: From 693ddbc6f54e2f74dcd29895c5cf13c5b703cc38 Mon Sep 17 00:00:00 2001 From: nogoodidea Date: Mon, 26 Feb 2024 19:28:17 -0500 Subject: [PATCH 3/9] fixes lint error --- proxstar/__init__.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/proxstar/__init__.py b/proxstar/__init__.py index c72f0f5..5f6b362 100644 --- a/proxstar/__init__.py +++ b/proxstar/__init__.py @@ -412,8 +412,9 @@ def vm_renew(vmid): @app.route('/vm//disk/create/', methods=['POST']) @auth.oidc_auth def create_disk(vmid, size): - if(size =< 0):## are they trying to disk with zero size - return '', 400 + ## are they trying to disk with zero size + if(size =< 0): + return '', 400 user = User(session['userinfo']['preferred_username']) connect_proxmox() if user.rtp or int(vmid) in user.allowed_vms: From 86abbf59c38a977fee1a245fabee82ecf789ab17 Mon Sep 17 00:00:00 2001 From: nogoodidea Date: Mon, 26 Feb 2024 19:34:50 -0500 Subject: [PATCH 4/9] recall how python if statements work --- proxstar/__init__.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/proxstar/__init__.py b/proxstar/__init__.py index 5f6b362..ea5f97f 100644 --- a/proxstar/__init__.py +++ b/proxstar/__init__.py @@ -413,7 +413,7 @@ def vm_renew(vmid): @auth.oidc_auth def create_disk(vmid, size): ## are they trying to disk with zero size - if(size =< 0): + if size <= 0: return '', 400 user = User(session['userinfo']['preferred_username']) connect_proxmox() 
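Review bot: Patch 3/9 (693ddbc) repeats patch 2/9 (5c86afe) byte for byte, including the same `index c72f0f5..5f6b362` pre-image, so it cannot apply on top of its predecessor; drop it from the series or squash the two. Nothing in its hunk is new relative to patch 2/9, and the `=<` it carries is corrected in patch 4/9.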
@@ -594,7 +594,7 @@ def create(): memory = request.form['mem'] disk = request.form['disk'] ## CHECK STUFF DEAR GOD - if(int(cores) <= 0 or int(memory) <= 0 or int(disk) <= 0){ + if int(cores) <= 0 or int(memory) <= 0 or int(disk) <= 0{ return 'VM creation with cores and/or mem and/or disk values that are less than 0' 400 } From bbf9fdbac509c757149519afc28d5da7dc8958cd Mon Sep 17 00:00:00 2001 From: nogoodidea Date: Mon, 26 Feb 2024 19:37:42 -0500 Subject: [PATCH 5/9] I hate python i hate python i hate python --- proxstar/__init__.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/proxstar/__init__.py b/proxstar/__init__.py index ea5f97f..770cf58 100644 --- a/proxstar/__init__.py +++ b/proxstar/__init__.py @@ -594,9 +594,8 @@ def create(): memory = request.form['mem'] disk = request.form['disk'] ## CHECK STUFF DEAR GOD - if int(cores) <= 0 or int(memory) <= 0 or int(disk) <= 0{ + if int(cores) <= 0 or int(memory) <= 0 or int(disk) <= 0: return 'VM creation with cores and/or mem and/or disk values that are less than 0' 400 - } template = request.form['template'] iso = request.form['iso'] From 007f1001dabb7c070bceea7af880ccbe20a57b03 Mon Sep 17 00:00:00 2001 From: nogoodidea Date: Mon, 26 Feb 2024 19:39:41 -0500 Subject: [PATCH 6/9] hopefully work --- proxstar/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proxstar/__init__.py b/proxstar/__init__.py index 770cf58..9a95e26 100644 --- a/proxstar/__init__.py +++ b/proxstar/__init__.py @@ -595,7 +595,7 @@ def create(): disk = request.form['disk'] ## CHECK STUFF DEAR GOD if int(cores) <= 0 or int(memory) <= 0 or int(disk) <= 0: - return 'VM creation with cores and/or mem and/or disk values that are less than 0' 400 + return 'VM creation with cores and/or mem and/or disk values that are less than 0', 400 template = request.form['template'] iso = request.form['iso'] From e754087285117beb5344e4bd08d1d695128b2483 Mon Sep 17 00:00:00 2001 
From: nogoodidea Date: Mon, 26 Feb 2024 19:45:46 -0500 Subject: [PATCH 7/9] ran linter localy --- proxstar/__init__.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/proxstar/__init__.py b/proxstar/__init__.py index 9a95e26..36020df 100644 --- a/proxstar/__init__.py +++ b/proxstar/__init__.py @@ -595,7 +595,10 @@ def create(): disk = request.form['disk'] ## CHECK STUFF DEAR GOD if int(cores) <= 0 or int(memory) <= 0 or int(disk) <= 0: - return 'VM creation with cores and/or mem and/or disk values that are less than 0', 400 + return ( + 'VM creation with cores and/or mem and/or disk values that are less than 0', + 400, + ) template = request.form['template'] iso = request.form['iso'] From 4f5753aec5f7a12ee1b97a9cfed85f362788d206 Mon Sep 17 00:00:00 2001 From: nogoodidea Date: Mon, 26 Feb 2024 20:29:53 -0500 Subject: [PATCH 8/9] moves user valadation to check --- proxstar/__init__.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/proxstar/__init__.py b/proxstar/__init__.py index 36020df..6cc3130 100644 --- a/proxstar/__init__.py +++ b/proxstar/__init__.py @@ -593,8 +593,9 @@ def create(): cores = request.form['cores'] memory = request.form['mem'] disk = request.form['disk'] + username = request.form['user'] ## CHECK STUFF DEAR GOD - if int(cores) <= 0 or int(memory) <= 0 or int(disk) <= 0: + if int(cores) <= 0 or int(memory) <= 0 or int(disk) <= 0 or user == '': return ( 'VM creation with cores and/or mem and/or disk values that are less than 0', 400, @@ -613,7 +614,6 @@ def create(): username = user.name else: usage_check = None - username = request.form['user'] if usage_check: return usage_check else: @@ -646,7 +646,6 @@ def create(): ) return '', 200 return '', 200 - return None else: return '', 403 From 1ca123b6126c6054638c198b0065514f4b14b4cd Mon Sep 17 00:00:00 2001 
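Review bot: `user == ''` in the extended condition compares the `User` object, not the form value read into `username` on the line above, so unless `User` defines `__eq__` against strings the empty-username check never fires; the intended test is `or username == ''` (or `or not username`). The 400 message still only names cores, mem and disk, so it should mention the user field as well. The same line is carried unchanged into the new `create()` of patch 9/9. Reading `username = request.form['user']` before the `if not user.rtp:` block keeps the `username = user.name` override for non-RTP users in place, which is the control that matters for this field.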
From: nogoodidea Date: Mon, 26 Feb 2024 20:39:32 -0500 Subject: [PATCH 9/9] split into 2 functions --- proxstar/__init__.py | 153 ++++++++++++++++++++++--------------------- 1 file changed, 80 insertions(+), 73 deletions(-) diff --git a/proxstar/__init__.py b/proxstar/__init__.py index 6cc3130..8fa27a9 100644 --- a/proxstar/__init__.py +++ b/proxstar/__init__.py 
@@ -566,86 +566,93 @@ def set_boot_order(vmid): return '', 403 -@app.route('/vm/create', methods=['GET', 'POST']) +@app.route('/vm/create', methods=['GET']) @auth.oidc_auth -def create(): +def get_create(): user = User(session['userinfo']['preferred_username']) proxmox = connect_proxmox() if user.active or user.rtp: - if request.method == 'GET': - stored_isos = get_isos(proxmox, app.config['PROXMOX_ISO_STORAGE']) - pools = get_pools(proxmox, db) - for pool in get_shared_pools(db, user.name, True): - pools.append(pool.name) - templates = get_templates(db) - return render_template( - 'create_vm.html', - user=user, - usage=user.usage, - limits=user.limits, - percents=user.usage_percent, - isos=stored_isos, - pools=pools, - templates=templates, + stored_isos = get_isos(proxmox, app.config['PROXMOX_ISO_STORAGE']) + pools = get_pools(proxmox, db) + for pool in get_shared_pools(db, user.name, True): + pools.append(pool.name) + templates = get_templates(db) + return render_template( + 'create_vm.html', + user=user, + usage=user.usage, + limits=user.limits, + percents=user.usage_percent, + isos=stored_isos, + pools=pools, + templates=templates, + ) + else: + return '', 403 + + +@app.route('/vm/create', methods=['POST']) +@auth.oidc_auth +def create(): + user = User(session['userinfo']['preferred_username']) + if user.active or user.rtp: + name = request.form['name'].lower() + cores = request.form['cores'] + memory = request.form['mem'] + disk = request.form['disk'] + username = request.form['user'] + ## CHECK STUFF DEAR GOD + if int(cores) <= 0 or int(memory) <= 0 or int(disk) <= 0 or user == '': + return ( + 'VM creation with cores and/or mem and/or disk values that are less than 0', + 400, + ) + + template = request.form['template'] + iso = request.form['iso'] + ssh_key = request.form['ssh_key'] + if iso != 'none': + iso = '{}:iso/{}'.format(app.config['PROXMOX_ISO_STORAGE'], iso) + if not user.rtp: + if template == 'none': + usage_check = user.check_usage(0, 0, disk) + 
else: + usage_check = user.check_usage(cores, memory, disk) + username = user.name + else: + usage_check = None + if usage_check: + return usage_check + else: + valid, available = ( + check_hostname(starrs, name) if app.config['USE_STARRS'] else (True, True) ) - elif request.method == 'POST': - name = request.form['name'].lower() - cores = request.form['cores'] - memory = request.form['mem'] - disk = request.form['disk'] - username = request.form['user'] - ## CHECK STUFF DEAR GOD - if int(cores) <= 0 or int(memory) <= 0 or int(disk) <= 0 or user == '': - return ( - 'VM creation with cores and/or mem and/or disk values that are less than 0', - 400, - ) - - template = request.form['template'] - iso = request.form['iso'] - ssh_key = request.form['ssh_key'] - if iso != 'none': - iso = '{}:iso/{}'.format(app.config['PROXMOX_ISO_STORAGE'], iso) - if not user.rtp: + + if valid and available: if template == 'none': - usage_check = user.check_usage(0, 0, disk) + q.enqueue( + create_vm_task, + username, + name, + cores, + memory, + disk, + iso, + job_timeout=300, + ) else: - usage_check = user.check_usage(cores, memory, disk) - username = user.name - else: - usage_check = None - if usage_check: - return usage_check - else: - valid, available = ( - check_hostname(starrs, name) if app.config['USE_STARRS'] else (True, True) - ) - - if valid and available: - if template == 'none': - q.enqueue( - create_vm_task, - username, - name, - cores, - memory, - disk, - iso, - job_timeout=300, - ) - else: - q.enqueue( - setup_template_task, - template, - name, - username, - ssh_key, - cores, - memory, - job_timeout=600, - ) - return '', 200 - return '', 200 + q.enqueue( + setup_template_task, + template, + name, + username, + ssh_key, + cores, + memory, + job_timeout=600, + ) + return '', 200 + return '', 200 else: return '', 403
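Review bot: The POST handler `create()` no longer calls `connect_proxmox()`, which the combined handler ran before branching on the method; nothing visible in the POST path uses the returned client, so this is probably fine, but confirm that `connect_proxmox()` has no side effect the enqueued tasks or `check_hostname` rely on. The `## CHECK STUFF DEAR GOD` comment should say what is guarded, e.g. `# Reject non-positive cores/mem/disk and an empty target user before any usage or hostname checks`, and the returned message should cover the username case the condition now includes. The numeric fields remain strings after validation (the `int()` results are discarded), which matches the previous behaviour but means `check_usage` and the queued tasks receive the raw form text. Neither new function has a docstring; one line each — `get_create` renders the create-VM form, `create` validates the request and enqueues a creation job — would help the next reader.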