From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id C2B96746A3 for ; Mon, 19 Apr 2021 09:17:35 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id AF52D11799 for ; Mon, 19 Apr 2021 09:17:05 +0200 (CEST) Received: from dana.proxmox.com (unknown [94.136.29.99]) by firstgate.proxmox.com (Proxmox) with ESMTP id C58F71178F for ; Mon, 19 Apr 2021 09:17:01 +0200 (CEST) Received: by dana.proxmox.com (Postfix, from userid 10037) id A27F61C4D4A; Mon, 19 Apr 2021 09:16:55 +0200 (CEST) From: Lorenz Stechauner To: pve-devel@lists.proxmox.com Date: Mon, 19 Apr 2021 09:16:28 +0200 Message-Id: <20210419071628.21006-1-l.stechauner@proxmox.com> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 2 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods NO_DNS_FOR_FROM 0.379 Envelope sender has no MX or A DNS records RDNS_NONE 1.274 Delivered to internal network by a host with no rDNS SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record Subject: [pve-devel] [PATCH v2 pve-access-control] fix #1500: permission path syntax check for access control X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Apr 2021 07:17:35 -0000 Syntax for permission paths is now checked on API calls for creation or update on permissions. Signed-off-by: Lorenz Stechauner --- Regex is now hardcoded, removed get_permission_paths, check_path does not call normalize_path anymore, indentation fix PVE/API2/ACL.pm | 4 ++++ PVE/AccessControl.pm | 18 ++++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/PVE/API2/ACL.pm b/PVE/API2/ACL.pm index c340267..857c672 100644 --- a/PVE/API2/ACL.pm +++ b/PVE/API2/ACL.pm @@ -141,6 +141,10 @@ __PACKAGE__->register_method ({ my $path = PVE::AccessControl::normalize_path($param->{path}); raise_param_exc({ path => "invalid ACL path '$param->{path}'" }) if !$path; + if (!$param->{delete} && !PVE::AccessControl::check_path($path)) { + raise_param_exc({ path => "invalid ACL path '$param->{path}'" }); + } + PVE::AccessControl::lock_user_config( sub { diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm index 8b5be1e..4ef1080 100644 --- a/PVE/AccessControl.pm +++ b/PVE/AccessControl.pm @@ -929,6 +929,24 @@ sub normalize_path { return $path; } +sub check_path { + return shift =~ m!^( + / + |/access + |/access/groups + |/access/realm + |/nodes + |/nodes/[[:alnum:]\.\-\_]+ + |/pool + |/pool/[[:alnum:]\.\-\_]+ + |/sdn + |/storage + |/storage/[[:alnum:]\.\-\_]+ + |/vms + |/vms/\d{3,} + )$!xs; +} + PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname); sub verify_groupname { my ($groupname, $noerr) = @_; -- 2.20.1