From: Dietmar Maurer <dietmar@proxmox.com>
To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
Lorenz Stechauner <l.stechauner@proxmox.com>
Subject: Re: [pve-devel] [PATCH v2 pve-access-control] fix #1500: permission path syntax check for access control
Date: Mon, 19 Apr 2021 11:42:24 +0200 (CEST) [thread overview]
Message-ID: <911624573.3965.1618825344596@webmail.proxmox.com> (raw)
FYI, I do it without any regex in rust:
https://git.proxmox.com/?p=proxmox-backup.git;a=blob;f=src/config/acl.rs;h=61e507ec42bf5a30f64f56564a1fb107d148fb7b;hb=HEAD#l272
I guess this is faster (at least in rust).
> On 04/19/2021 9:16 AM Lorenz Stechauner <l.stechauner@proxmox.com> wrote:
>
>
> Syntax for permission paths is now checked on API calls for
> creation or update on permissions.
>
> Signed-off-by: Lorenz Stechauner <l.stechauner@proxmox.com>
> ---
> Regex is now hardcoded,
> removed get_permission_paths,
> check_path does not call normalize_path anymore,
> indentation fix
>
> PVE/API2/ACL.pm | 4 ++++
> PVE/AccessControl.pm | 18 ++++++++++++++++++
> 2 files changed, 22 insertions(+)
>
> diff --git a/PVE/API2/ACL.pm b/PVE/API2/ACL.pm
> index c340267..857c672 100644
> --- a/PVE/API2/ACL.pm
> +++ b/PVE/API2/ACL.pm
> @@ -141,6 +141,10 @@ __PACKAGE__->register_method ({
> my $path = PVE::AccessControl::normalize_path($param->{path});
> raise_param_exc({ path => "invalid ACL path '$param->{path}'" }) if !$path;
>
> + if (!$param->{delete} && !PVE::AccessControl::check_path($path)) {
> + raise_param_exc({ path => "invalid ACL path '$param->{path}'" });
> + }
> +
> PVE::AccessControl::lock_user_config(
> sub {
>
> diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
> index 8b5be1e..4ef1080 100644
> --- a/PVE/AccessControl.pm
> +++ b/PVE/AccessControl.pm
> @@ -929,6 +929,24 @@ sub normalize_path {
> return $path;
> }
>
> +sub check_path {
> + return shift =~ m!^(
> + /
> + |/access
> + |/access/groups
> + |/access/realm
> + |/nodes
> + |/nodes/[[:alnum:]\.\-\_]+
> + |/pool
> + |/pool/[[:alnum:]\.\-\_]+
> + |/sdn
> + |/storage
> + |/storage/[[:alnum:]\.\-\_]+
> + |/vms
> + |/vms/\d{3,}
> + )$!xs;
> +}
> +
> PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname);
> sub verify_groupname {
> my ($groupname, $noerr) = @_;
> --
> 2.20.1
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next reply other threads:[~2021-04-19 9:43 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-19 9:42 Dietmar Maurer [this message]
-- strict thread matches above, loose matches on Subject: below --
2021-04-19 7:16 Lorenz Stechauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=911624573.3965.1618825344596@webmail.proxmox.com \
--to=dietmar@proxmox.com \
--cc=l.stechauner@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.