nautobot
Jobs with `has_sensitive_variables=True` can be scheduled and arguments stored in the database
Environment
- Python version: 3.7.13
- Nautobot version: 1.3.10
The API and UI are relying on `approval_required=True` and `has_sensitive_variables=True` to be mutually exclusive in order to prevent these jobs from being scheduled in the future and potentially sensitive variables being stored in the database. However, migration `nautobot/extras/migrations/0035_scheduledjob_crontab.py` to add the `has_sensitive_variables` field sets the default value to true, bypassing model validation and allowing jobs to have both of these variables set to true.
Job run validation in the UI and API is only failed if `has_sensitive_variables=True` AND the job is not scheduled for immediate execution. However, a job can be set for immediate execution and have `approval_required=True`, requiring the job to be scheduled for later execution while awaiting approval.
Steps to Reproduce
- Start with nautobot v1.3.9
- Create a job with `approval_required=True` and `enabled=True`
- Upgrade to nautobot v1.3.10
- Try to run the job immediately
Expected Behavior
The job will not be scheduled because `has_sensitive_variables=True`
Observed Behavior
The job is scheduled because `approval_required=True`
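The gap described in this report, as an added example that is not part of the original issue and is not Nautobot's code. It is a simplified model: the `Job` dataclass, the function names, the sample jobs and the hardened check are assumptions made for illustration; only the three flag names and the described behaviour come from the report.

```python
from dataclasses import dataclass


@dataclass
class Job:
    # Simplified stand-in for the job model; only the flags named in the report.
    name: str
    enabled: bool = True
    approval_required: bool = False
    has_sensitive_variables: bool = True  # default the report says the migration applies


def run_check_as_reported(job: Job, immediate: bool) -> bool:
    """Run-time check as described in the report: reject only when the job
    has sensitive variables AND is not requested for immediate execution."""
    return not (job.has_sensitive_variables and not immediate)


def run_check_hardened(job: Job, immediate: bool) -> bool:
    """Assumed fix: also reject when approval is required, because that
    turns an 'immediate' request into a stored, scheduled one."""
    deferred = (not immediate) or job.approval_required
    return not (job.has_sensitive_variables and deferred)


def arguments_persisted(job: Job, immediate: bool, check) -> bool:
    """True if the request passes `check` and ends up stored as a scheduled job."""
    if not check(job, immediate):
        return False
    return (not immediate) or job.approval_required


def find_conflicting(jobs):
    """Audit helper: jobs that hold both flags, the state the migration allows."""
    return [j.name for j in jobs if j.approval_required and j.has_sensitive_variables]


# Constructed sample data: state after the upgrade described in the steps.
JOBS = [
    Job("rotate-credentials", approval_required=True),
    Job("device-report", approval_required=False, has_sensitive_variables=False),
]

if __name__ == "__main__":
    print("conflicting:", find_conflicting(JOBS))
    for check in (run_check_as_reported, run_check_hardened):
        print(check.__name__, arguments_persisted(JOBS[0], True, check))
```

The audit helper shows the kind of query worth running against existing job records after the upgrade, since the run-time check alone does not catch jobs that already hold both flags.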