Validate absolute pathnames in remotes' URLs #1480
e28f68c to 24669d9
WARNING!!! This PR is not attached to an issue. In most cases this is not advisable. Please see our PR docs for more information about how to attach this PR to an issue.
if any( | ||
user_provided_realpath.startswith(allowed_path) | ||
for allowed_path in settings.ALLOWED_IMPORT_PATHS | ||
): |
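Review bot: `user_provided_realpath.startswith(allowed_path)` in the `any(...)` condition is a plain string-prefix test, not a path-containment test: with `/tmp` in `settings.ALLOWED_IMPORT_PATHS`, a sibling such as `/tmpfoo/file` also satisfies it. Compare on path-component boundaries instead, for example `os.path.commonpath([user_provided_realpath, allowed_path]) == allowed_path`, or test against `allowed_path` with a trailing separator, and resolve the allowed paths the same way as the user path so that a symlinked allowed directory still matches.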
To be honest the `for` loop felt a little cleaner.
You can even read it as a valid sentence: "If any user-provided real path starts with (an) allowed path for allowed path in Allowed Import Paths, return URL"! 👍
No strong feelings, it's just awkward because of the indentation
So I understand why the first remote failed to be created (because If I understand correctly, the problem is that I think maybe clearest way we could improve the error message would be to strip the
Edit: There is an actual bug with the path matching that you've uncovered here :) So we should create an issue for this and backport it.
Discussion on Matrix: We should probably automatically reject all relative paths with a specific error message, and we can provide the extracted path to make it clear to the user. The matching should have rejected
24669d9 to 89ded77
96cb2e5 to 1429277
if not os.path.isabs(user_path): | ||
raise serializers.ValidationError( | ||
_("The path '{}' needs to be an absolute pathname.").format(user_path) | ||
) |
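Review bot: `os.path.isabs(user_path)` only rejects relative input; an absolute path can still contain `..` segments or point through a symlink, so this branch should stay a usability check and the allow-list comparison should keep running on the resolved path. In the message, a named placeholder such as `{path}` instead of the positional `{}` inside `_()` gives translators more context.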
👍
return url | ||
|
||
raise serializers.ValidationError( | ||
_("The path '{}' is not in allowed import paths").format(user_path) |
What do you think about "The path '{}' is not a subdirectory of one of the allowed import paths"
Actually, it is not a subdirectory. It is a full path to the resource.
The check is only that the path `startswith` one of the allowed paths. For example if `/tmp` is allowed then any subdirectory of `/tmp` can be used.
How can `/tmp/test/centos-7/PULP_MANIFEST` be a subdirectory of `/tmp/`?
Fair point that an error message that describes "..../PULP_MANIFEST" as a subdirectory would be a little strange. The updated wording is probably OK.
"name": utils.uuid4(), | ||
"url": "file://error/path/name", | ||
} | ||
self.raise_for_invalid_request(remote_attrs) |
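Review bot: the `url` value `file://error/path/name` exercises only the not-absolute branch. A second negative case with an absolute path that lies outside the allowed import paths, asserting on the returned message, would pin down the other `ValidationError` as well, if one is not already present elsewhere in this test module.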
👍
remote_attrs = { | ||
"name": utils.uuid4(), | ||
"url": "file:///tmp/good", | ||
} |
Perfect, thanks!
1429277 to ba6e75c
@lubosmj Please squash the functional tests into the same commit, it makes cherry-picking easier.
3085fba to 4fefc29
I squashed the commits, thanks for pointing it out.
Before this change, it was not possible to determine why did the synchronization fail when a user provided a seemingly valid URL. This commit also adds more relevant information to the error message.

Having set `ALLOWED_EXPORT_PATHS` to `["/tmp", "/home/vagrant/test"]`, the following error messages are shown:

```
$ pulp file remote create --name test --url file://error/vagrant/test/centos-7/PULP_MANIFEST
Error: {"url":["The path 'error/vagrant/test/centos-7/PULP_MANIFEST' needs to be an absolute pathname."]}

$ pulp file remote create --name test --url file:///error/vagrant/test/centos-7/PULP_MANIFEST
Error: {"url":["The path '/error/vagrant/test/centos-7/PULP_MANIFEST' does not start with any of the allowed import paths"]}
```

closes #9080
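The two checks discussed in this PR (absolute-path rejection, then the allow-list match), sketched as an added example that is not the project's code. `PathNotAllowed`, `extract_path`, `is_within` and `validate_file_url` are hypothetical names, the netloc-plus-path extraction is inferred from the error output above, and the containment test compares whole path components with `os.path.commonpath` rather than `startswith`.

```python
import os
from urllib.parse import urlparse

# Assumed setting for this sketch; the value is the one quoted in the commit message.
ALLOWED_IMPORT_PATHS = ["/tmp", "/home/vagrant/test"]


class PathNotAllowed(ValueError):
    """Hypothetical stand-in for serializers.ValidationError."""


def extract_path(url):
    """Return the filesystem path a file:// URL refers to, or None for other schemes."""
    parsed = urlparse(url)
    if parsed.scheme != "file":
        return None
    # "file://error/x" parses with netloc="error"; netloc + path gives "error/x",
    # which is how a missing third slash surfaces as a relative path.
    return parsed.netloc + parsed.path


def is_within(real_path, allowed_path):
    """Component-wise containment: '/tmp' covers '/tmp/a' but not '/tmpfoo/a'."""
    allowed_real = os.path.realpath(allowed_path)
    return os.path.commonpath([real_path, allowed_real]) == allowed_real


def validate_file_url(url, allowed_paths=ALLOWED_IMPORT_PATHS):
    """Return url if it is acceptable, otherwise raise PathNotAllowed."""
    user_path = extract_path(url)
    if user_path is None:
        return url  # not a file:// URL; nothing to check in this sketch
    if not os.path.isabs(user_path):
        raise PathNotAllowed(
            "The path '{}' needs to be an absolute pathname.".format(user_path)
        )
    # Resolve symlinks and ".." first so the comparison sees the real target.
    real_path = os.path.realpath(user_path)
    if any(is_within(real_path, allowed) for allowed in allowed_paths):
        return url
    raise PathNotAllowed(
        "The path '{}' is not in allowed import paths".format(user_path)
    )
```
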
4fefc29 to 9980d25