Custom scripts input validation on REST API route

[monnierj]

First of all, thanks for all the work done on Netbox!

Custom script input is properly validated on the WebUI (with a Django form), but on the REST API side of the feature, there's just a JSONField that validates JSON well-formedness and... that's all.

This is a real issue when ObjectVar are used on the script, since we obtain a number or a string instead of the expected model instance in the data dictionary.

Netbox users seems mitigates the issue in various ways (as in #8344, #16255), which generally implies to use a non-declared script variable, or to check script variable types before using them.

In my opinion, there are two things to be done:

• create a function similar to BaseScript.as_form(), which would return a proper Django Rest Framework serializer to validate the script input, and make it match the validation rules set in StringVar/ObjectVar/etc. on the Script object.
• add a "api_lookup_field" property on ObjectVars, to allow developpers to change which model field will be used to find a given model instance. By default we should use the id field, but using the slug could be interesting in some cases.

I volunteer to implement this feature if considered relevant.

However, this is a breaking change: existing scripts could break once input validation is applied on the REST API.

Should we implement said validation? And should make API input validation optional to begin, and later make it mandatory?

[matejv]

I'm also interested in running custom scripts via API and also see the current functionality as lacking.

There might be also a third way:

In ScriptInputSerializer you could validate data by calling script.as_form() and pass input data then return form.cleaned_data and it will be passed to script. There would be a bit more work to transform any form validation errors in proper Django Rest Framework errors, but that should not be difficult. There is a similar approach in runscript CLI command.

It feels a bit wrong to use django forms in django rest framework, but I think this approach would be by far the simplest.

This is a quick & dirty hack to illustrate what I ment:

diff --git a/netbox/extras/api/serializers_/scripts.py b/netbox/extras/api/serializers_/scripts.py
index 897ccf966..6486e2f41 100644
--- a/netbox/extras/api/serializers_/scripts.py
+++ b/netbox/extras/api/serializers_/scripts.py
@@ -65,6 +65,14 @@ class ScriptInputSerializer(serializers.Serializer):
     schedule_at = serializers.DateTimeField(required=False, allow_null=True)
     interval = serializers.IntegerField(required=False, allow_null=True)
 
+    def validate_data(self, value):
+        script = self.context['script'].python_class
+        script = script()
+        form = script.as_form(value, None)
+        if not form.is_valid():
+            raise serializers.ValidationError(form.errors.get_json_data())
+        return form.cleaned_data
+
     def validate_schedule_at(self, value):
         if value and not self.context['script'].scheduling_enabled:
             raise serializers.ValidationError(_("Scheduling is not enabled for this script."))