From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with UTF8SMTPS id 929AA7840B for ; Thu, 29 Apr 2021 16:02:29 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with UTF8SMTP id 81BB91E1DB for ; Thu, 29 Apr 2021 16:01:59 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with UTF8SMTPS id E7FFB1E1CF for ; Thu, 29 Apr 2021 16:01:58 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with UTF8SMTP id A30774644B; Thu, 29 Apr 2021 16:01:58 +0200 (CEST) Message-ID: <01194e1a-2b5c-6c9b-818a-f15694d91a70@proxmox.com> Date: Thu, 29 Apr 2021 16:01:57 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Thunderbird/88.0 Content-Language: en-US To: Thomas Lamprecht , Proxmox VE development discussion , Lorenz Stechauner References: <20210428141346.240896-1-l.stechauner@proxmox.com> <20210428141346.240896-2-l.stechauner@proxmox.com> <9daaf9f5-e310-b452-6ba7-10623e2bfdf6@proxmox.com> From: Dominik Csapak In-Reply-To: <9daaf9f5-e310-b452-6ba7-10623e2bfdf6@proxmox.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.003 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment NICE_REPLY_A -0.001 Looks like a legit reply (A) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [PATCH storage 1/1] fix #1710: add retrieve method for storage X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 Apr 2021 14:02:29 -0000 On 4/29/21 15:22, Thomas Lamprecht wrote: > On 29.04.21 13:54, Dominik Csapak wrote: >> On 4/28/21 16:13, Lorenz Stechauner wrote: >>>   +__PACKAGE__->register_method({ >>> +    name => 'retrieve', >>> +    path => '{storage}/retrieve', >>> +    method => 'POST', >>> +    description => "Download templates and ISO images by using an URL.", >>> +    permissions => { >>> +    check => ['perm', '/storage/{storage}', ['Datastore.AllocateTemplate']], >>> +    }, >>> +    protected => 1, >>> +    parameters => { >>> +    additionalProperties => 0, >>> +    properties => { >>> +        node => get_standard_option('pve-node'), >>> +        storage => get_standard_option('pve-storage-id'), >>> +        url => { >>> +        description => "The URL to retrieve the file from.", >>> +        type => 'string', >>> +        }, >> >> i am not quite sure if it is a good idea to have this feature >> unrestricted for everybody who can download a template >> >> it possibly gives access to an internal network to which >> the users does not have access otherwise... >> >> maybe we want to give the admin control over allow- and/or blocklists ? > > I do not want such lists, PITA to manage for everybody. understandable, was just the first thing that came to my mind > > Maybe we can just allow it only for users with Sys.Modify + Sys.Audit on / ? > > We could also enforce that it needs to be a hostname (no IP) and/or resolve > to something out of the priv. network ranges, at least if the aforementioned > privs are not set. yes, sounds good, but then we have to disallow redirects > > Another idea would be enforcing the URL to match something like /\.(iso|img)$/ > and being not to informative on errors to avoid allowing to see which hsot are > on/off line in a network. With that one could make this pretty safe I think. mhmm.. could work, but then we'd have to use a fixed timeout (like on authentication) to avoid timing based probes > > >> >>> +        insecure => { >>> +        description => "Allow TLS certificates to be invalid.", >>> +        type => 'boolean', >>> +        optional => 1, >>> +        } > +    }, >>> +    }, >>> +    returns => { >>> +    type => "object", >>> +    properties => { >>> +        filename => { type => 'string' }, >>> +        upid => { type => 'string' }, >>> +        size => { >>> +        type => 'integer', >>> +        renderer => 'bytes', >>> +        }, >>> +    }, >>> +    }, >>> +    code => sub { >>> +    my ($param) = @_; >>> + >>> +    my @hash_algs = ['md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512']; >> >> as written above, can be handled by api > > and could be actually auto-detected too, at least optionally? All those are pretty > much unique already in length, IIRC. >