From: Dietmar Maurer
To: Proxmox VE development discussion, Lorenz Stechauner
Date: Mon, 19 Apr 2021 11:42:24 +0200 (CEST)
Message-ID: <911624573.3965.1618825344596@webmail.proxmox.com>
Subject: Re: [pve-devel] [PATCH v2 pve-access-control] fix #1500: permission path syntax check for access control
List-Id: Proxmox VE development discussion
X-List-Received-Date: Mon, 19 Apr 2021 09:43:16 -0000

FYI, I do it without any regex in rust:

https://git.proxmox.com/?p=proxmox-backup.git;a=blob;f=src/config/acl.rs;h=61e507ec42bf5a30f64f56564a1fb107d148fb7b;hb=HEAD#l272

I guess this is faster (at least in rust).

> On 04/19/2021 9:16 AM Lorenz Stechauner wrote:
>
>
> Syntax for permission paths is now checked on API calls for
> creation or update on permissions.
>
> Signed-off-by: Lorenz Stechauner
> ---
> Regex is now hardcoded,
> removed get_permission_paths,
> check_path does not call normalize_path anymore,
> indentation fix
>
> PVE/API2/ACL.pm | 4 ++++
> PVE/AccessControl.pm | 18 ++++++++++++++++++
> 2 files changed, 22 insertions(+)
>
> diff --git a/PVE/API2/ACL.pm b/PVE/API2/ACL.pm > index c340267..857c672 100644 > --- a/PVE/API2/ACL.pm > +++ b/PVE/API2/ACL.pm > @@ -141,6 +141,10 @@ __PACKAGE__->register_method ({ > my $path = PVE::AccessControl::normalize_path($param->{path}); > raise_param_exc({ path => "invalid ACL path '$param->{path}'" }) if !$path; > > + if (!$param->{delete} && !PVE::AccessControl::check_path($path)) { > + raise_param_exc({ path => "invalid ACL path '$param->{path}'" }); > + } > + > PVE::AccessControl::lock_user_config( > sub { > > diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm > index 8b5be1e..4ef1080 100644 > --- a/PVE/AccessControl.pm > +++ b/PVE/AccessControl.pm
> @@ -929,6 +929,24 @@ sub normalize_path { > return $path; > } > > +sub check_path { > + return shift =~ m!^( > + / > + |/access > + |/access/groups > + |/access/realm > + |/nodes > + |/nodes/[[:alnum:]\.\-\_]+ > + |/pool > + |/pool/[[:alnum:]\.\-\_]+ > + |/sdn > + |/storage > + |/storage/[[:alnum:]\.\-\_]+ > + |/vms > + |/vms/\d{3,} > + )$!xs; > +} > + > PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname); > sub verify_groupname { > my ($groupname, $noerr) = @_; > -- > 2.20.1 > > > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
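Review bot: in the PVE/API2/ACL.pm hunk the new `check_path` guard raises exactly the same message as the `normalize_path` failure two lines above it (`"invalid ACL path '$param->{path}'"`), so an API client cannot tell a malformed path from a well-formed path that is simply not a known object path; a distinct message such as "unknown ACL path" would make the rejection actionable. Skipping the check when `$param->{delete}` is set is the right call, since it still lets stale entries whose path is no longer valid be removed, but that asymmetry deserves a one-line comment so a later cleanup does not "tighten" it away.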
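Review bot: `check_path` in the PVE/AccessControl.pm hunk anchors its pattern with `$` under `/xs`, and `$` still matches before a single trailing newline, so a value like `/vms/100\n` would pass this validator; `\z` is the strict end-of-string anchor and is what an input check should use here. The alternation is also a closed list: only the bare `/sdn` is accepted (nothing below it), and every new object type will require editing this regex, so the list should live next to, or be generated from, whatever documents the valid ACL paths, and a handful of test cases for `normalize_path` plus `check_path` (root `/`, a node path, a VMID shorter than three digits, a trailing slash) would pin down the contract. Minor: `return shift =~ m!...!` reads more clearly as `my ($path) = @_; return $path =~ m!...!;`, and `\_` inside the character class needs no escape.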