author | Rémi Duraffort <remi.duraffort@linaro.org> | 2018-06-15 15:23:15 +0200 |
---|---|---|
committer | Neil Williams <neil.williams@linaro.org> | 2018-06-15 16:20:25 +0100 |
commit | 95a9a77b144ced24d7425d6544ab03ca7f6c75d3 (patch) | |
tree | 88ecb784235e5bd7d6a33a47eff4ddd44107151d /lava_scheduler_app/templates/lava_scheduler_app/job_submit.html | |
parent | 661cda0b5d8176dfcff6f4324a35b894e0d9e174 (diff) | |
download | lava-95a9a77b144ced24d7425d6544ab03ca7f6c75d3.tar.gz |
Remove the ability to paste URLs in the submit page
This functionality had introduced a security vulnerability in lava-server.
A user can forge a http request that will force lava-server-gunicorn to return
any file on the server that is:
* readable by lavaserver
* valid yaml
This bug was found by running bandit (https://github.com/PyCQA/bandit).
Change-Id: Ie6876bbb4d8dad210d63d2655356bb863a592b41
Diffstat (limited to 'lava_scheduler_app/templates/lava_scheduler_app/job_submit.html')
-rw-r--r-- | lava_scheduler_app/templates/lava_scheduler_app/job_submit.html | 7 |
1 files changed, 2 insertions, 5 deletions
diff --git a/lava_scheduler_app/templates/lava_scheduler_app/job_submit.html b/lava_scheduler_app/templates/lava_scheduler_app/job_submit.html
index 7068e68b5..9cfb137b3 100644
--- a/lava_scheduler_app/templates/lava_scheduler_app/job_submit.html
+++ b/lava_scheduler_app/templates/lava_scheduler_app/job_submit.html
@@ -45,12 +45,12 @@
 <p>To view the full job list click <a href="{{ list_url }}">here</a>.</p>
 {% else %}
-<p>Paste your job definition here. Alternatively, you can paste a URL to your job definition file.</p>
+<p>Paste your job definition here.</p>
 <form action="" method="post">
 {% csrf_token %}
 <div>
- <textarea id="definition-input" name="definition-input" placeholder="Enter your job definition or link to a job definition here.">{{ definition_input }}</textarea>
+ <textarea id="definition-input" name="definition-input" placeholder="Enter your job definition here.">{{ definition_input }}</textarea>
 <div id="busyIndicator"></div>
 <div>
 <div id="valid_container">
@@ -80,9 +80,6 @@
 {% block scripts %}
 <script type="text/javascript" src="{{ STATIC_URL }}lava_scheduler_app/js/jquery-linedtextarea.min.js"></script>
-<script type="text/javascript">
- var remote_definition_url = '{% url 'lava.scheduler.get_remote_definition' %}';
-</script>
 {% if not job_id %}
 <script type="text/javascript" src="{{ STATIC_URL }}lava_scheduler_app/js/job-submit.min.js"></script>
 {% endif %} |
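Review bot: The rewritten textarea line in the first hunk still uses its placeholder as the only label for the definition input, so the field has no accessible name once the user starts typing. Since this line is being touched anyway, a visible label would fix that without changing the submission contract: `<label for="definition-input">Job definition</label>` placed before the `<textarea>`, keeping `id="definition-input"` and `name="definition-input"` as they are. The `<form>` and its surrounding `{% if %}` block start and end outside this hunk.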
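Review bot: Dropping the inline `remote_definition_url` definition in the second hunk removes the client-side hook, but the new side still loads `job-submit.min.js`, which presumably is the consumer of that global; if that script still reads `remote_definition_url` or posts to the fetch endpoint, it will now raise a ReferenceError or call a route this template no longer advertises. More importantly for the vulnerability described in the commit message, the `lava.scheduler.get_remote_definition` view is what served arbitrary readable YAML files, and a template change does not make that URL unreachable — an attacker can still request it directly. This diffstat is limited to the template, so the route and view may well be removed elsewhere in the same change; please confirm that `get_remote_definition` is deleted from the URL configuration and views (or restricted server-side), and that the minified `job-submit.js` source no longer references the removed global.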