Am 15.11.24 um 16:17 schrieb Dominik Csapak:
> introducing a separate regex that only contains ova, since
> upload/downloading ovfs does not make sense (since the disks are then
> missing).
>
> Add a sanity check after up/downloading the ova file (and delete if it
> does not match).
>
> Signed-off-by: Dominik Csapak <d.csa...@proxmox.com>
> ---
> changes from v2:
> * add sanity check for ova content after up/downloading
>
> src/PVE/API2/Storage/Status.pm | 69 +++++++++++++++++++++++++++++++---
> src/PVE/Storage.pm | 11 ++++++
> 2 files changed, 75 insertions(+), 5 deletions(-)
>
> diff --git a/src/PVE/API2/Storage/Status.pm b/src/PVE/API2/Storage/Status.pm
> index bdf1c18..8bbb5a7 100644
> --- a/src/PVE/API2/Storage/Status.pm
> +++ b/src/PVE/API2/Storage/Status.pm
> @@ -41,6 +41,24 @@ __PACKAGE__->register_method ({
> path => '{storage}/file-restore',
> });
>
> +my sub assert_ova_contents {
> + my ($file) = @_;
> +
> + # test if it's really a tar file with an ovf file inside
> + my $hasOvf = 0;
> + run_command(['tar', '-t', '-f', $file], outfunc => sub {
> + my ($line) = @_;
> +
> + if ($line =~ m/\.ovf$/) {
> + $hasOvf = 1;
> + }
> + });
Style nit: wrong indentation
> +
> + die "ova archive has no .ovf file inside\n" if !$hasOvf;
> +
> + return undef;
Nit: I'd prefer a truthy-return, but no big deal
> +};
Style nit: no need for semicolon
> +
> __PACKAGE__->register_method ({
> name => 'index',
> path => '',
> @@ -369,7 +387,7 @@ __PACKAGE__->register_method ({
> name => 'upload',
> path => '{storage}/upload',
> method => 'POST',
> - description => "Upload templates and ISO images.",
> + description => "Upload templates, ISO images and OVAs.",
> permissions => {
> check => ['perm', '/storage/{storage}', ['Datastore.AllocateTemplate']],
> },
> @@ -382,7 +400,7 @@ __PACKAGE__->register_method ({
> content => {
> description => "Content type.",
> type => 'string', format => 'pve-storage-content',
> - enum => ['iso', 'vztmpl'],
> + enum => ['iso', 'vztmpl', 'import'],
> },
> filename => {
> description => "The name of the file to create. Caution: This
> will be normalized!",
> @@ -437,6 +455,7 @@ __PACKAGE__->register_method ({
> my $filename =
> PVE::Storage::normalize_content_filename($param->{filename});
>
> my $path;
> + my $isOva = 0;
>
> if ($content eq 'iso') {
> if ($filename !~ m![^/]+$PVE::Storage::ISO_EXT_RE_0$!) {
> @@ -448,6 +467,16 @@ __PACKAGE__->register_method ({
> raise_param_exc({ filename => "wrong file extension" });
> }
> $path = PVE::Storage::get_vztmpl_dir($cfg, $param->{storage});
> + } elsif ($content eq 'import') {
> + if ($filename !~
> m!${PVE::Storage::SAFE_CHAR_CLASS_RE}+$PVE::Storage::UPLOAD_IMPORT_EXT_RE_1$!)
> {
> + raise_param_exc({ filename => "invalid filename or wrong
> extension" });
> + }
> +
> + if ($filename =~ m/\.ova$/) {
Nit: we already get the extension from the above match, and could use
that. Also, it's always an ova, so no need for special casing.
> + $isOva = 1;
> + }
> +
> + $path = PVE::Storage::get_import_dir($cfg, $param->{storage});
> } else {
> raise_param_exc({ content => "upload content type '$content' not
> allowed" });
> }
---snip---
> @@ -669,7 +714,21 @@ __PACKAGE__->register_method({
> die "no decompression method found\n" if !$info->{decompressor};
> $opts->{decompression_command} = $info->{decompressor};
> }
> - PVE::Tools::download_file_from_url("$path/$filename", $url, $opts);
> +
> + my $target_path = "$path/$filename";
> + PVE::Tools::download_file_from_url($target_path, $url, $opts);
As already discussed off-list, would be nice to do the check before the
file is put in its final location ;)
> +
> + if ($isOva) {
> + eval {
> + assert_ova_contents($target_path);
> + };
> + if (my $err = $@) {
> + # unlinks only the temporary file from the http server
> + unlink $target_path or $! == ENOENT
> + or warn "unable to clean up temporory file
> '$target_path' - $!\n";
> + die $err;
> + }
> + }
> };
>
> my $worker_id = PVE::Tools::encode_text($filename); # must not pass :
> or the like as w-ID
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
