From ac201314adae549115506023dce7828de71ef8cf Mon Sep 17 00:00:00 2001 From: Peter Hansen Date: Sat, 28 Dec 2019 11:40:04 +0100 Subject: [PATCH] + add blacklist for commands to config + custom start page with DEFAULT_TEMPLATE --- lg.py | 42 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/lg.py b/lg.py index b8f829c..101b5ac 100644 --- a/lg.py +++ b/lg.py @@ -37,7 +37,7 @@ from toolbox import mask_is_valid, ipv6_is_valid, ipv4_is_valid, resolve, save_c import pydot -from flask import Flask, render_template, jsonify, redirect, session, request, abort, Response, Markup +from flask import Flask, render_template, render_template_string, jsonify, redirect, session, request, abort, Response, Markup app = Flask(__name__) app.config.from_pyfile('lg.cfg') @@ -171,6 +171,8 @@ def inject_commands(): ("adv", "show route ..."), ("adv_bgpmap", "show route ... (bgpmap)"), ] + + commands = [i for i in commands if i[0] not in app.config.get("BLACKLIST_COMMANDS", [])] commands_dict = {} for id, text in commands: commands_dict[id] = text @@ -184,6 +186,12 @@ def inject_all_host(): @app.route("/") def hello(): + if app.config.get("DEFAULT_TEMPLATE", False): + first_command = next(iter(inject_commands()['commands_dict'])) + set_session(first_command, "+".join(app.config["PROXY"].keys()), "ipv4", "") + with open(app.config.get("DEFAULT_TEMPLATE"), 'r') as filehandle: + filecontent = filehandle.read() + return render_template_string(filecontent) return redirect("/summary/%s/ipv4" % "+".join(app.config["PROXY"].keys())) @@ -227,6 +235,8 @@ SUMMARY_UNWANTED_PROTOS = ["Kernel", "Static", "Device"] @app.route("/summary/") @app.route("/summary//") def summary(hosts, proto="ipv4"): + if 'summary' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access denied"]), 403 set_session("summary", hosts, proto, "") command = "show protocols" 
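Review bot: The filter added to inject_commands, `i[0] not in app.config.get("BLACKLIST_COMMANDS", [])`, does substring matching if the operator writes the setting as a plain string instead of a list, so a value such as `"adv_bgpmap"` would also hide `adv`. Reading the setting once before the comprehension and wrapping or rejecting a string value, e.g. `blocked = app.config.get("BLACKLIST_COMMANDS", [])` followed by `if isinstance(blocked, str): blocked = [blocked]`, keeps the match exact. A deny-list also fails open for any command id added to this list later, which deserves a comment next to the setting. inject_commands starts and ends outside the hunk.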
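Review bot: In hello(), the file named by DEFAULT_TEMPLATE is passed to `render_template_string`, so its contents are evaluated as a Jinja template inside the application rather than served as static HTML. Anyone who can write that file or change the path in `lg.cfg` controls what the template engine runs. I would add a comment above the `open()` call such as `# DEFAULT_TEMPLATE is evaluated as a Jinja template: keep the file and lg.cfg writable only by the service operator`. Separately, `next(iter(inject_commands()['commands_dict']))` raises StopIteration when every command is blacklisted, which turns the start page into a 500; `next(iter(...), None)` with an explicit fallback avoids that. The file is also re-read on every request with no handling for a missing or unreadable path.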
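Review bot: The guard added at the top of summary() wraps the dict in `iter()`, which is unnecessary and turns a hash lookup into a linear scan; `if 'summary' not in inject_commands()['commands_dict']:` gives the same result. The same two lines are pasted into detail(), traceroute() and the show_route_* handlers in the later hunks, and each call rebuilds the whole command list to test one id. A small helper taking the command id would keep the eleven checks from drifting apart. As far as the visible hunks show, routes this patch does not touch are not covered by the blacklist, which is worth stating where the setting is documented. summary() continues past the end of the hunk.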
@@ -269,6 +279,9 @@ def summary(hosts, proto="ipv4"): @app.route("/detail//") def detail(hosts, proto): + if 'detail' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access denied"]), 403 + name = get_query() if not name: @@ -298,6 +311,9 @@ def detail(hosts, proto): @app.route("/traceroute//") def traceroute(hosts, proto): + if 'traceroute' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access denied"]), 403 + q = get_query() if not q: 
@@ -331,41 +347,65 @@ def traceroute(hosts, proto): @app.route("/adv//") def show_route_filter(hosts, proto): + if 'adv' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access denied"]), 403 + return show_route("adv", hosts, proto) @app.route("/adv_bgpmap//") def show_route_filter_bgpmap(hosts, proto): + if 'adv_bgpmap' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access denied"]), 403 + return show_route("adv_bgpmap", hosts, proto) @app.route("/where//") def show_route_where(hosts, proto): + if 'where' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access denied"]), 403 + return show_route("where", hosts, proto) @app.route("/where_detail//") def show_route_where_detail(hosts, proto): + if 'where_detail' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access denied"]), 403 + return show_route("where_detail", hosts, proto) @app.route("/where_bgpmap//") def show_route_where_bgpmap(hosts, proto): + if 'where_bgpmap' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access denied"]), 403 + return show_route("where_bgpmap", hosts, proto) @app.route("/prefix//") def show_route_for(hosts, proto): + if 'prefix' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access denied"]), 403 + return show_route("prefix", hosts, proto) @app.route("/prefix_detail//") def show_route_for_detail(hosts, proto): + if 'prefix_detail' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access denied"]), 403 + return show_route("prefix_detail", hosts, proto) @app.route("/prefix_bgpmap//") def show_route_for_bgpmap(hosts, proto): + if 'prefix_bgpmap' not in iter(inject_commands()['commands_dict']): + return render_template('error.html', errors=["Access 
denied"]), 403 + return show_route("prefix_bgpmap", hosts, proto)
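Review bot: The eight show_route_* wrappers each repeat the blacklist check before delegating to show_route with their command id as the first argument, so the protection depends on every present and future wrapper remembering to paste it. A single check at the top of show_route on that first argument would cover all of them and fail closed for a wrapper added later. show_route itself is outside this hunk, so whether it has other callers that should bypass the check needs confirming.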