|
Fix the WAF User-Agent gap: the two pynetbox importers could never write upstream
A C2 blocker, measured 2026-07-14: upstream netbox.baldurkeep.com 403s the default Python User-Agent (references/platform-traps.md) -- curl->200, urllib/pynetbox->403. The stdlib tools (prod-draft-dump/sandbox-seed/d115-office-carve) already send an accepted UA, but roles-aggregates-import.py and dc-dc-prefixes-import.py built pynetbox.api() with the DEFAULT UA and never overrode it. So they would 403 against upstream -- they could only ever have written to the WAF-less sandbox, never to the apex C2 must feed. The gap was invisible because every real run so far hit the sandbox. Fix: get_nb() sets nb.http_session.headers["User-Agent"] = "curl/8.5.0" in both (same value/rationale as the stdlib tools; pynetbox exposes its requests.Session). Tests: prefixes-import 85->86 (the fake now has .http_session; the UA is asserted at RUNTIME, not by source grep). roles-aggregates 19->20. GAUNTLET ALL GREEN (58). Still open for C2 (logged in the changelog): pynetbox is NOT on vcloud, so the two importers must run on office1-netbox (has pynetbox 7.0.0); the sandbox re-verify needs the operator-held token; the upstream write stays operator-gated. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> |
|---|
|
|
| docs/changelog-20260714-netbox-importers-waf-useragent.md 0 → 100644 |
|---|
| netbox/dc-dc-prefixes-import.py |
|---|
| netbox/roles-aggregates-import.py |
|---|
| tests/dc-dc-prefixes-import/fake_pynetbox.py |
|---|
| tests/dc-dc-prefixes-import/test_logic.py |
|---|
| tests/roles-aggregates-import/run-tests.sh |
|---|