From 8ad5670eebeeb41a9bc2aca8d419d6b434ab1b48 Mon Sep 17 00:00:00 2001
From: Julien Duponchelle
Date: Fri, 18 Nov 2016 16:38:27 +0100
Subject: [PATCH] For security reason debug informations can only be exported from local server Ref #1562
---
 gns3server/handlers/api/controller/server_handler.py | 6 +++++-
 tests/handlers/api/controller/test_server.py | 9 +++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/gns3server/handlers/api/controller/server_handler.py b/gns3server/handlers/api/controller/server_handler.py
index 965eae70..14b0c566 100644
--- a/gns3server/handlers/api/controller/server_handler.py
+++ b/gns3server/handlers/api/controller/server_handler.py
@@ -120,12 +120,16 @@ class ServerHandler:

 @Route.post(
 r"/debug",
- description="Dump debug informations to disk (debug directory in config directory)",
+ description="Dump debug informations to disk (debug directory in config directory). Work only for local server",
 status_codes={
 201: "Writed"
 })
 def debug(request, response):

+ config = Config.instance()
+ if config.get_section_config("Server").getboolean("local", False) is False:
+ raise HTTPForbidden(text="You can only debug a local server")
+
 debug_dir = os.path.join(config.config_dir, "debug")
 try:
 if os.path.exists(debug_dir):
diff --git a/tests/handlers/api/controller/test_server.py b/tests/handlers/api/controller/test_server.py
index ce0a0657..b4f10bc4 100644
--- a/tests/handlers/api/controller/test_server.py
+++ b/tests/handlers/api/controller/test_server.py
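Review bot: The guard added at the top of `debug` tests the server's own `local` setting rather than anything about the caller, so on a server configured as local the route still answers every client that can reach the API. If the intent is that only a same-host user can trigger the dump, that has to come from the route's authentication or from how a local server is bound, neither of which is visible in this hunk, so it is worth confirming. The route's `status_codes` still lists only 201; adding an entry such as `403: "Server is not local"` (wording illustrative) would document the new refusal. As a style point, `if not config.get_section_config("Server").getboolean("local", False):` reads more directly than comparing with `is False`. The body of `debug` continues past the end of the hunk.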
@@ -56,8 +56,17 @@ def test_shutdown_non_local(http_controller, web_server, config):

 def test_debug(http_controller, config, tmpdir):
 config._main_config_file = str(tmpdir / "test.conf")
+ config.set("Server", "local", True)
 response = http_controller.post('/debug')
 assert response.status == 201
 debug_dir = os.path.join(config.config_dir, "debug")
 assert os.path.exists(debug_dir)
 assert os.path.exists(os.path.join(debug_dir, "controller.txt"))
+
+
+def test_debug_non_local(http_controller, config, tmpdir):
+ config._main_config_file = str(tmpdir / "test.conf")
+
+ config.set("Server", "local", False)
+ response = http_controller.post('/debug')
+ assert response.status == 403
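Review bot: `test_debug_non_local` asserts only the 403 status, so it would still pass if the handler wrote the dump to disk before refusing. Since the purpose of the change is that nothing is exported, the test should also assert the side effect is absent, e.g. `assert not os.path.exists(os.path.join(config.config_dir, "debug"))` after the status check, assuming `config.config_dir` resolves under `tmpdir` as it appears to in `test_debug`. The handler falls back to `False` when `local` is unset, so a further case that posts to `/debug` without calling `config.set` would pin that fail-closed default.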