コード例 #1
0
ファイル: routes.py プロジェクト: pombredanne/vulncode-db
def vuln_review(vcdb_id, vuln_id):
    vulnerability_details = get_vulnerability_details(vcdb_id, simplify_id=False)
    vuln = vulnerability_details.get_or_create_vulnerability()

    proposal_vulnerability_details = get_vulnerability_details(
        None, vuln_id=vuln_id, simplify_id=False
    )
    proposal_vuln = proposal_vulnerability_details.get_or_create_vulnerability()

    ensure(READ, proposal_vuln)

    form_reject = VulnerabilityProposalReject()
    form_approve = VulnerabilityProposalApprove()
    form_assign = VulnerabilityProposalAssign()
    form_unassign = VulnerabilityProposalUnassign()
    form_publish = VulnerabilityProposalPublish()

    if request.method == "POST":
        if (
            request.form["review_response"] == "assign"
            and form_assign.validate_on_submit()
        ):
            ensure(ASSIGN, proposal_vuln)
            if proposal_vuln.is_reviewable:
                proposal_vuln.accept_review(g.user)
                db.session.add(proposal_vuln)
                db.session.commit()
                flash("The review was successfully assigned to you.", "success")
                return redirect(request.url)

            flash_error("This entry is not in a reviewable state.")

        if (
            request.form["review_response"] == "unassign"
            and form_unassign.validate_on_submit()
        ):
            ensure(ASSIGN, proposal_vuln)
            if proposal_vuln.is_reviewer(g.user):
                proposal_vuln.deny_review()
                db.session.add(proposal_vuln)
                db.session.commit()
                flash(
                    "You successfully unassigned yourself from this review.", "success"
                )
                return redirect(request.url)

            flash_error("This entry is not assigned to you.")

        if (
            request.form["review_response"] == "approve"
            and form_approve.validate_on_submit()
        ):
            ensure(APPROVE, proposal_vuln)
            proposal_vuln.accept_change()
            db.session.add(proposal_vuln)
            db.session.commit()
            flash(
                "You approved the proposal. "
                "Waiting for the entry to be published by an admin.",
                "success",
            )
            return redirect(request.url)

        if (
            request.form["review_response"] == "reject"
            and form_reject.validate_on_submit()
        ):
            ensure(REJECT, proposal_vuln)
            proposal_vuln.deny_change(g.user, form_reject.data["review_feedback"])
            db.session.add(proposal_vuln)
            db.session.commit()
            flash("Waiting for the author to address your feedback.", "success")
            return redirect(request.url)

        if (
            request.form["review_response"] == "publish"
            and form_publish.validate_on_submit()
        ):
            ensure("PUBLISH", proposal_vuln)
            proposal_vuln.publish_change()
            db.session.add(proposal_vuln)
            db.session.commit()
            # This might be the first entry of its kind
            # so no archiving is necessary.
            if vuln.state:
                vuln.archive_entry()
                db.session.add(vuln)
                db.session.commit()
            flash("Entry was successfully published.", "success")
            return redirect(request.url)

    # Published entries can't be reviewed.
    # if view.state == VulnerabilityState.PUBLISHED:
    #    raise RequestRedirect("/" + str(vcdb_id))
    return render_template(
        "vulnerability/review/review.html",
        proposal_vulnerability_details=proposal_vulnerability_details,
        vulnerability_details=vulnerability_details,
        form_assign=form_assign,
        form_unassign=form_unassign,
        form_reject=form_reject,
        form_approve=form_approve,
        form_publish=form_publish,
    )
コード例 #2
0
def vuln_review(vcdb_id, vuln_id):
    vulnerability_details = _get_vulnerability_details(vcdb_id,
                                                       simplify_id=False)
    view = vulnerability_details.vulnerability_view
    vuln = vulnerability_details.get_or_create_vulnerability()

    proposal_vulnerability_details = _get_vulnerability_details(
        None, vuln_id=vuln_id, simplify_id=False)
    proposal_view = proposal_vulnerability_details.vulnerability_view
    proposal_vuln = proposal_vulnerability_details.get_or_create_vulnerability(
    )

    form_reject = VulnerabilityProposalReject()
    form_approve = VulnerabilityProposalApprove()
    form_assign = VulnerabilityProposalAssign()
    form_publish = VulnerabilityProposalPublish()

    if request.method == 'POST':
        # TODO: Add proper ACL changes to all actions here.
        if request.form[
                "review_response"] == "assign" and form_assign.validate_on_submit(
                ):
            ensure('ASSIGN', proposal_vuln)
            if proposal_vuln.is_reviewable():
                proposal_vuln.accept_review(g.user)
                db.session.add(proposal_vuln)
                db.session.commit()
                flash("The review was successfully assigned to you.",
                      "success")
                return redirect(request.url)
            else:
                flash_error("This entry is not in a reviewable state.")

        if request.form[
                "review_response"] == "approve" and form_approve.validate_on_submit(
                ):
            ensure('APRROVE', proposal_vuln)
            proposal_vuln.accept_change()
            db.session.add(proposal_vuln)
            db.session.commit()
            flash(
                "You approved the proposal. Waiting for the entry to be published by an admin.",
                "success")
            return redirect(request.url)

        if request.form[
                "review_response"] == "reject" and form_reject.validate_on_submit(
                ):
            ensure('REJECT', proposal_vuln)
            proposal_vuln.deny_change(form_reject.data["review_feedback"])
            db.session.add(proposal_vuln)
            db.session.commit()
            flash("Waiting for the author to address your feedback.",
                  "success")
            return redirect(request.url)

        if request.form[
                "review_response"] == "publish" and form_publish.validate_on_submit(
                ):
            ensure('PUBLISH', proposal_vuln)
            proposal_vuln.publish_change()
            db.session.add(proposal_vuln)
            vuln.archive_entry()
            db.session.add(vuln)
            db.session.commit()
            flash("Entry was successfully published.", "success")
            return redirect(request.url)

    # Published entries can't be reviewed.
    # if view.state == VulnerabilityState.PUBLISHED:
    #    raise RequestRedirect("/" + str(vcdb_id))
    return render_template(
        "vulnerability/review.html",
        proposal_vulnerability_details=proposal_vulnerability_details,
        vulnerability_details=vulnerability_details,
        form_assign=form_assign,
        form_reject=form_reject,
        form_approve=form_approve,
        form_publish=form_publish)