From: Thomas Lamprecht
Date: Fri, 16 Apr 2021 15:09:40 +0200
To: Proxmox VE development discussion, Lorenz Stechauner
In-Reply-To: <20210416123438.93188-1-l.stechauner@proxmox.com>
Subject: Re: [pve-devel] [PATCH pve-access-control] fix #1500: permission path syntax check for access control

On 16.04.21 14:34, Lorenz Stechauner wrote:
> Syntax for permission paths is now checked on API calls for
> creation or update on permissions.
>

great first patch, it seems functional FWICT, but I'd still change the way we build the regex, see below.

> Signed-off-by: Lorenz Stechauner > --- > PVE/API2/ACL.pm | 4 ++++ > PVE/AccessControl.pm | 31 +++++++++++++++++++++++++++++++ > 2 files changed, 35 insertions(+) > > diff --git a/PVE/API2/ACL.pm b/PVE/API2/ACL.pm > index c340267..857c672 100644 > --- a/PVE/API2/ACL.pm > +++ b/PVE/API2/ACL.pm > @@ -141,6 +141,10 @@ __PACKAGE__->register_method ({ > my $path = PVE::AccessControl::normalize_path($param->{path}); > raise_param_exc({ path => "invalid ACL path '$param->{path}'" }) if !$path; > > + if (!$param->{delete} && !PVE::AccessControl::check_path($path)) { > + raise_param_exc({ path => "invalid ACL path '$param->{path}'" }); > + } > + > PVE::AccessControl::lock_user_config( > sub { > > diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm > index 8b5be1e..5ac2df2 100644 > --- a/PVE/AccessControl.pm > +++ b/PVE/AccessControl.pm
> @@ -60,6 +60,24 @@ cfs_register_file('priv/tfa.cfg', > \&parse_priv_tfa_config, > \&write_priv_tfa_config); > > +sub get_permission_paths { > + return ( > + '/', > + '/access', > + '/access/groups', > + '/access/realm', > + '/nodes', > + '/nodes/{node}', > + '/pool', > + '/pool/{poolid}', > + '/sdn', > + '/storage', > + '/storage/{storage}', > + '/vms', > + '/vms/{vmid}', > + ) > +} > + > sub verify_username { > PVE::Auth::Plugin::verify_username(@_); > } > @@ -929,6 +947,19 @@ sub normalize_path { > return $path; > } > > +sub check_path { > + my $path = normalize_path(shift); > + my @regex_str_arr = (); > + foreach (get_permission_paths()) { > + my $regex_str = $_;

nit: indentation error above

> + $regex_str =~ s/\{vmid\}/\\d{3,}/; > + $regex_str =~ s/\{[a-z]+\}/[[:alnum:]\\.\\-\\_]+/; > + push(@regex_str_arr, $regex_str); > + } > + my $regex_str = '^(' . join('|', @regex_str_arr) . ')$';

why don't we return already a regex array by `get_permission_paths`, which may then be named `get_permission_path_regex` ?

Else this seems to be a bit much of manual translations and also an unnecessary extra overhead, I'd like to avoid custom template interpretations at runtime.

get_permission_paths (or whatever it will be named then) could look like:

sub ... {
    my @paths = (
        qr!/!,
        qr!/access!,
        # ...
        qr!/vms/\d{3,}!
    );

    return join("|", @paths);
}

or as above then has not really much extra value, especially as it's only used in one place, just directly define the actual regex

sub check_path {
    my ($path) = @_;

    my $re = qr!^(
        /
        |/access
        # ...
        |/vms/\d{3,}
    )$!x;

    return $path =~ $re;
}

would IMO be even nicer

> + return $path =~ m@$regex_str@; > +} > + > PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname); > sub verify_groupname { > my ($groupname, $noerr) = @_; >
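
Review bot: In the PVE/API2/ACL.pm hunk, the value passed to `check_path($path)` has already gone through `normalize_path` two lines earlier, and `check_path` normalizes it again on entry (`my $path = normalize_path(shift);`); normalize in one place only. The `!$param->{delete}` exemption should carry a short comment saying why deletions skip the syntax check, and since the new error text is identical to the existing "invalid ACL path" message, a caller cannot tell which of the two checks rejected the path.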
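
Review bot: In `get_permission_paths`, `/access/groups` and `/access/realm` are listed without a per-object child template, while nodes, pool, storage and vms each get one (`/nodes/{node}`, `/pool/{poolid}`, `/storage/{storage}`, `/vms/{vmid}`), and `/sdn` has no children at all. Because `check_path` accepts only the listed shapes, an ACL on an individual group or realm would be rejected; if that is intended, document it in a comment above the list, otherwise add the missing templates. The `return ( ... )` also lacks its terminating semicolon, which Perl tolerates on the last statement but which differs from the neighbouring subs.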
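
Review bot: In `check_path`, the pattern is closed with `')$'`, and in Perl `$` also matches before a trailing newline, so a path ending in a newline passes unless `normalize_path` already rejects it; anchor with `\A` and `\z` instead. The caller in ACL.pm tests `if !$path` after `normalize_path`, which implies it can return a false value, and `check_path` then runs `$path =~ ...` on that value without a guard; return early when the normalized path is empty. The `{vmid}` replacement `\\d{3,}` sets no upper bound on the digit count and accepts leading zeros.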
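
The static-regex approach suggested in the reply, written out as a stand-alone added example (not code from the patch or from Proxmox). The path list comes from the quoted hunk; `check_path_static`, the `\A`/`\z` anchoring and the sample inputs are assumptions constructed here.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-alone check: one precompiled allow-list regex instead of
# translating '{node}'-style templates on every call. Paths are the ones
# listed in the quoted patch; nothing else is taken from the project.
my $ACL_PATH_RE = qr{
    \A (?:
        /
      | /access  (?: /groups | /realm )?
      | /nodes   (?: / [[:alnum:]._-]+ )?
      | /pool    (?: / [[:alnum:]._-]+ )?
      | /sdn
      | /storage (?: / [[:alnum:]._-]+ )?
      | /vms     (?: / \d{3,} )?
    ) \z          # \z, unlike $, does not match before a trailing newline
}x;

sub check_path_static {
    my ($path) = @_;
    return 0 if !defined($path);    # a failed normalization must not match
    return $path =~ $ACL_PATH_RE ? 1 : 0;
}

# Constructed sample inputs: [ path, expected result ]
my @cases = (
    ['/',                  1],
    ['/vms/100',           1],
    ['/vms/99',            0],    # fewer than three digits
    ['/storage/local-lvm', 1],
    ['/nodes/pve1/extra',  0],    # no such sub-path in the list
    ["/vms/100\n",         0],    # would be accepted with a plain '$' anchor
    ['/vms/{vmid}',        0],    # the template itself is not a valid path
    [undef,                0],
);

for my $case (@cases) {
    my ($path, $want) = @$case;
    my $got = check_path_static($path);
    (my $shown = $path // '(undef)') =~ s/\n/\\n/g;
    printf "%-22s %s\n", $shown,
        $got == $want ? ($got ? 'accepted' : 'rejected') : 'UNEXPECTED';
}
```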