From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 036F08A8EA for ; Wed, 27 Jul 2022 16:57:00 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id EDADE6FF3 for ; Wed, 27 Jul 2022 16:56:29 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Wed, 27 Jul 2022 16:56:28 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 1825543EE3 for ; Wed, 27 Jul 2022 16:56:28 +0200 (CEST) From: Stefan Sterz To: pve-devel@lists.proxmox.com Date: Wed, 27 Jul 2022 16:56:12 +0200 Message-Id: <20220727145612.451691-2-s.sterz@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220727145612.451691-1-s.sterz@proxmox.com> References: <20220727145612.451691-1-s.sterz@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.053 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH manager 2/2] api2: use JSONSchema to validate commands for "nodes/{node}/execute" X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Jul 2022 14:57:00 -0000 this also makes it more explicit what the different values should be Signed-off-by: Stefan Sterz --- not sure how sensible this is because most of the information here won't show up in the api viewer. i couldn't figure out how to make it show up and not make breaking changes to the endpoint or change how the api definition hash is handled. fabian gruenbichler and i also discussed off list that this is kind of redudant functionality as you can likely just call multiple api endpoints from whatever script/program/client you are using anyway instead of using this limited and flawed endpoint. perhaps the was a reason for this before tokens existed? so maybe we should either drop it in pve 8 or let it accept proper json not just "a string that when parsed as json needs to be of this format". i.e. accept an array of objects here instead of a string. it has also confused users in the past already, e.g. see: https://forum.proxmox.com/threads/execute-command-in-node-with-api.112290/ PVE/API2/Nodes.pm | 51 +++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 45 insertions(+), 6 deletions(-) diff --git a/PVE/API2/Nodes.pm b/PVE/API2/Nodes.pm index ef946301..5cc9111d 100644 --- a/PVE/API2/Nodes.pm +++ b/PVE/API2/Nodes.pm @@ -66,6 +66,49 @@ eval { use base qw(PVE::RESTHandler); +PVE::JSONSchema::register_format('pve-command-batch', \&verify_command_batch); +sub verify_command_batch { + my ($value, $noerr) = @_; + my $commands = eval { decode_json($value); }; + + return undef if $noerr && $@; + die "commands param did not contain valid JSON: $@" if $@; + + eval { + PVE::JSONSchema::validate($commands, { + description => "An array of objects describing endpoints, methods and arguments.", + type => "array", + items => { + type => "object", + properties => { + path => { + description => "A relative path to an API endpoint on this node.", + type => "string", + optional => 0, + }, + method => { + description => "A method related to the API endpoint (GET, POST etc.).", + type => "string", + pattern => "(GET|POST|PUT|DELETE)", + optional => 0, + }, + args => { + description => "A set of parameter names and their values.", + type => "object", + optional => 1, + }, + }, + } + }); + }; + + return $commands if !$@; + + return undef if $noerr; + + die "commands is not a valid array of commands: $@"; +} + __PACKAGE__->register_method ({ subclass => "PVE::API2::Qemu", path => 'qemu', @@ -433,6 +476,7 @@ __PACKAGE__->register_method({ commands => { description => "JSON encoded array of commands.", type => "string", + format => "pve-command-batch", } }, }, @@ -449,16 +493,11 @@ __PACKAGE__->register_method({ my $rpcenv = PVE::RPCEnvironment::get(); my $user = $rpcenv->get_user(); - + # just parse the json again, it should already be validated my $commands = eval { decode_json($param->{commands}); }; - die "commands param did not contain valid JSON: $@" if $@; - die "commands is not an array" if ref($commands) ne "ARRAY"; - foreach my $cmd (@$commands) { eval { - die "$cmd is not a valid command" if (ref($cmd) ne "HASH" || !$cmd->{path} || !$cmd->{method}); - $cmd->{args} //= {}; my $path = "nodes/$param->{node}/$cmd->{path}"; -- 2.30.2