Re: [pve-devel] [PATCH v2 pve-access-control] fix #1500: permission path syntax check for access control

Mon, 19 Apr 2021 02:43:25 -0700 

FYI, I do it without any regex in rust:

https://git.proxmox.com/?p=proxmox-backup.git;a=blob;f=src/config/acl.rs;h=61e507ec42bf5a30f64f56564a1fb107d148fb7b;hb=HEAD#l272

I guess this is faster (at least in rust).


> On 04/19/2021 9:16 AM Lorenz Stechauner <l.stechau...@proxmox.com> wrote:
> 
>  
> Syntax for permission paths is now checked on API calls for
> creation or update on permissions.
> 
> Signed-off-by: Lorenz Stechauner <l.stechau...@proxmox.com>
> ---
>  Regex is now hardcoded,
>  removed get_permission_paths,
>  check_path does not call normalize_path anymore,
>  indentation fix
> 
>  PVE/API2/ACL.pm      |  4 ++++
>  PVE/AccessControl.pm | 18 ++++++++++++++++++
>  2 files changed, 22 insertions(+)
> 
> diff --git a/PVE/API2/ACL.pm b/PVE/API2/ACL.pm
> index c340267..857c672 100644
> --- a/PVE/API2/ACL.pm
> +++ b/PVE/API2/ACL.pm
> @@ -141,6 +141,10 @@ __PACKAGE__->register_method ({
>       my $path = PVE::AccessControl::normalize_path($param->{path});
>       raise_param_exc({ path => "invalid ACL path '$param->{path}'" }) if 
> !$path;
>  
> +     if (!$param->{delete} && !PVE::AccessControl::check_path($path)) {
> +         raise_param_exc({ path => "invalid ACL path '$param->{path}'" });
> +     }
> +
>       PVE::AccessControl::lock_user_config(
>           sub {
>  
> diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
> index 8b5be1e..4ef1080 100644
> --- a/PVE/AccessControl.pm
> +++ b/PVE/AccessControl.pm
> @@ -929,6 +929,24 @@ sub normalize_path {
>      return $path;
>  }
>  
> +sub check_path {
> +    return shift =~ m!^(
> +     /
> +     |/access
> +     |/access/groups
> +     |/access/realm
> +     |/nodes
> +     |/nodes/[[:alnum:]\.\-\_]+
> +     |/pool
> +     |/pool/[[:alnum:]\.\-\_]+
> +     |/sdn
> +     |/storage
> +     |/storage/[[:alnum:]\.\-\_]+
> +     |/vms
> +     |/vms/\d{3,}
> +    )$!xs;
> +}
> +
>  PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname);
>  sub verify_groupname {
>      my ($groupname, $noerr) = @_;
> -- 
> 2.20.1
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Reply via email to