Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adds ALLOWED_IMPORT_PATHS for file:// urls #520

Merged
merged 1 commit into from Jan 29, 2020
Merged

Adds ALLOWED_IMPORT_PATHS for file:// urls #520

merged 1 commit into from Jan 29, 2020

Conversation

bmbouter
Copy link
Member

Remote.url now validate to only allow file:// paths that are a subpath
of a configured ALLOWED_IMPORT_PATHS setting. This setting comes with
docs. URLs starting with other protocol handlers, e.g. http:// or
https:// are unaffected.

https://pulp.plan.io/issues/5974
closes #5974

@bmbouter
Copy link
Member Author

@gmbnomis What do you think of this PR?

Note also I wanted to have the validation occur at sync time, but what I realized is that sync code is fully in the control of the plugin so every plugin would need to add it. Is preventing any file:// from saving enough? What do you recommend?

daviddavis
daviddavis reviewed Jan 29, 2020
View reviewed changes
docs/settings.rst Outdated Show resolved Hide resolved
@daviddavis
Copy link
Contributor

I feel like we should probably call out in the docs that ALLOWED_IMPORT_PATH is only checked at Remote creation/update and not before sync. Users might mistakenly think they can edit it on the fly.

@bmbouter
Copy link
Member Author

I added a note to the docs about it only be checked at creation or update time.

@bmbouter
Copy link
Member Author

bmbouter commented Jan 29, 2020
edited

Actually I realized we could put an additional check in the FileDownloader here and then I could remove this note and make it better. Wdyt?

bmbouter
bmbouter commented Jan 29, 2020
View reviewed changes
pulpcore/download/file.py
"""
from pulpcore.app.serializers import RemoteSerializer
Copy link
Member Author

@bmbouter bmbouter Jan 29, 2020
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not great, but I tried to work around the circular import several ways and it was still there.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe leave a comment?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Anytime I see these I think circular import. I will if you want tho just lmk.

@bmbouter
Adds ALLOWED_IMPORT_PATHS for file:// urls
b7db663 
Remote.url now validate to only allow file:// paths that are a subpath
of a configured ALLOWED_IMPORT_PATHS setting. This setting comes with
docs. URLs starting with other protocol handlers, e.g. http:// or
https:// are unaffected.

https://pulp.plan.io/issues/5974
closes #5974
@bmbouter bmbouter merged commit c89b0ab into pulp:master Jan 29, 2020
@bmbouter bmbouter deleted the allowed-import-paths branch January 29, 2020 23:11
@daviddavis daviddavis mentioned this pull request Mar 24, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@daviddavis daviddavis daviddavis approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@bmbouter @daviddavis