From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id C9C731FF16F for ; Fri, 15 Nov 2024 16:18:39 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id BCD4B17EE8; Fri, 15 Nov 2024 16:18:00 +0100 (CET) From: Dominik Csapak To: pve-devel@lists.proxmox.com Date: Fri, 15 Nov 2024 16:17:31 +0100 Message-Id: <20241115151749.633407-10-d.csapak@proxmox.com> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20241115151749.633407-1-d.csapak@proxmox.com> References: <20241115151749.633407-1-d.csapak@proxmox.com> MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.016 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH storage v6 09/12] api: allow ova upload/download X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" introducing a separate regex that only contains ova, since upload/downloading ovfs does not make sense (since the disks are then missing). Add a sanity check after up/downloading the ova file (and delete if it does not match). Signed-off-by: Dominik Csapak --- changes from v2: * add sanity check for ova content after up/downloading src/PVE/API2/Storage/Status.pm | 69 +++++++++++++++++++++++++++++++--- src/PVE/Storage.pm | 11 ++++++ 2 files changed, 75 insertions(+), 5 deletions(-) diff --git a/src/PVE/API2/Storage/Status.pm b/src/PVE/API2/Storage/Status.pm index bdf1c18..8bbb5a7 100644 --- a/src/PVE/API2/Storage/Status.pm +++ b/src/PVE/API2/Storage/Status.pm @@ -41,6 +41,24 @@ __PACKAGE__->register_method ({ path => '{storage}/file-restore', }); +my sub assert_ova_contents { + my ($file) = @_; + + # test if it's really a tar file with an ovf file inside + my $hasOvf = 0; + run_command(['tar', '-t', '-f', $file], outfunc => sub { + my ($line) = @_; + + if ($line =~ m/\.ovf$/) { + $hasOvf = 1; + } + }); + + die "ova archive has no .ovf file inside\n" if !$hasOvf; + + return undef; +}; + __PACKAGE__->register_method ({ name => 'index', path => '', @@ -369,7 +387,7 @@ __PACKAGE__->register_method ({ name => 'upload', path => '{storage}/upload', method => 'POST', - description => "Upload templates and ISO images.", + description => "Upload templates, ISO images and OVAs.", permissions => { check => ['perm', '/storage/{storage}', ['Datastore.AllocateTemplate']], }, @@ -382,7 +400,7 @@ __PACKAGE__->register_method ({ content => { description => "Content type.", type => 'string', format => 'pve-storage-content', - enum => ['iso', 'vztmpl'], + enum => ['iso', 'vztmpl', 'import'], }, filename => { description => "The name of the file to create. Caution: This will be normalized!", @@ -437,6 +455,7 @@ __PACKAGE__->register_method ({ my $filename = PVE::Storage::normalize_content_filename($param->{filename}); my $path; + my $isOva = 0; if ($content eq 'iso') { if ($filename !~ m![^/]+$PVE::Storage::ISO_EXT_RE_0$!) { @@ -448,6 +467,16 @@ __PACKAGE__->register_method ({ raise_param_exc({ filename => "wrong file extension" }); } $path = PVE::Storage::get_vztmpl_dir($cfg, $param->{storage}); + } elsif ($content eq 'import') { + if ($filename !~ m!${PVE::Storage::SAFE_CHAR_CLASS_RE}+$PVE::Storage::UPLOAD_IMPORT_EXT_RE_1$!) { + raise_param_exc({ filename => "invalid filename or wrong extension" }); + } + + if ($filename =~ m/\.ova$/) { + $isOva = 1; + } + + $path = PVE::Storage::get_import_dir($cfg, $param->{storage}); } else { raise_param_exc({ content => "upload content type '$content' not allowed" }); } @@ -510,6 +539,10 @@ __PACKAGE__->register_method ({ die "checksum mismatch: got '$checksum_got' != expect '$checksum'\n"; } } + + if ($isOva) { + assert_ova_contents($tmpfilename); + } }; if (my $err = $@) { # unlinks only the temporary file from the http server @@ -544,7 +577,7 @@ __PACKAGE__->register_method({ name => 'download_url', path => '{storage}/download-url', method => 'POST', - description => "Download templates and ISO images by using an URL.", + description => "Download templates, ISO images and OVAs by using an URL.", proxyto => 'node', permissions => { description => 'Requires allocation access on the storage and as this allows one to probe' @@ -572,7 +605,7 @@ __PACKAGE__->register_method({ content => { description => "Content type.", # TODO: could be optional & detected in most cases type => 'string', format => 'pve-storage-content', - enum => ['iso', 'vztmpl'], + enum => ['iso', 'vztmpl', 'import'], }, filename => { description => "The name of the file to create. Caution: This will be normalized!", @@ -632,6 +665,8 @@ __PACKAGE__->register_method({ my $filename = PVE::Storage::normalize_content_filename($param->{filename}); my $path; + my $isOva = 0; + if ($content eq 'iso') { if ($filename !~ m![^/]+$PVE::Storage::ISO_EXT_RE_0$!) { raise_param_exc({ filename => "wrong file extension" }); @@ -642,6 +677,16 @@ __PACKAGE__->register_method({ raise_param_exc({ filename => "wrong file extension" }); } $path = PVE::Storage::get_vztmpl_dir($cfg, $storage); + } elsif ($content eq 'import') { + if ($filename !~ m!${PVE::Storage::SAFE_CHAR_CLASS_RE}+$PVE::Storage::UPLOAD_IMPORT_EXT_RE_1$!) { + raise_param_exc({ filename => "invalid filename or wrong extension" }); + } + + if ($filename =~ m/\.ova$/) { + $isOva = 1; + } + + $path = PVE::Storage::get_import_dir($cfg, $param->{storage}); } else { raise_param_exc({ content => "upload content-type '$content' is not allowed" }); } @@ -669,7 +714,21 @@ __PACKAGE__->register_method({ die "no decompression method found\n" if !$info->{decompressor}; $opts->{decompression_command} = $info->{decompressor}; } - PVE::Tools::download_file_from_url("$path/$filename", $url, $opts); + + my $target_path = "$path/$filename"; + PVE::Tools::download_file_from_url($target_path, $url, $opts); + + if ($isOva) { + eval { + assert_ova_contents($target_path); + }; + if (my $err = $@) { + # unlinks only the temporary file from the http server + unlink $target_path or $! == ENOENT + or warn "unable to clean up temporory file '$target_path' - $!\n"; + die $err; + } + } }; my $worker_id = PVE::Tools::encode_text($filename); # must not pass : or the like as w-ID diff --git a/src/PVE/Storage.pm b/src/PVE/Storage.pm index 4df1a84..c6a8894 100755 --- a/src/PVE/Storage.pm +++ b/src/PVE/Storage.pm @@ -116,6 +116,8 @@ our $BACKUP_EXT_RE_2 = qr/\.(tgz|(?:tar|vma)(?:\.(${\PVE::Storage::Plugin::COMPR our $IMPORT_EXT_RE_1 = qr/\.(ova|ovf|qcow2|raw|vmdk)/; +our $UPLOAD_IMPORT_EXT_RE_1 = qr/\.(ova)/; + our $SAFE_CHAR_CLASS_RE = qr/[a-zA-Z0-9\-\.\+\=\_]/; our $OVA_CONTENT_RE_1 = qr/${SAFE_CHAR_CLASS_RE}+\.(qcow2|raw|vmdk)/; @@ -466,6 +468,15 @@ sub get_iso_dir { return $plugin->get_subdir($scfg, 'iso'); } +sub get_import_dir { + my ($cfg, $storeid) = @_; + + my $scfg = storage_config($cfg, $storeid); + my $plugin = PVE::Storage::Plugin->lookup($scfg->{type}); + + return $plugin->get_subdir($scfg, 'import'); +} + sub get_vztmpl_dir { my ($cfg, $storeid) = @_; -- 2.39.5 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel