Prevent user to create a qemu to a different directory on non local

server

gns3server/handlers/api/qemu_handler.py

@@ -16,6 +16,8 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import sys
+import os.path
+
 from aiohttp.web import HTTPConflict
 from ...web.route import Route
 from ...modules.project_manager import ProjectManager
@@ -26,6 +28,7 @@ from ...schemas.qemu import QEMU_OBJECT_SCHEMA
 from ...schemas.qemu import QEMU_BINARY_LIST_SCHEMA
 from ...schemas.qemu import QEMU_LIST_IMAGES_SCHEMA
 from ...modules.qemu import Qemu
+from ...config import Config
 
 
 class QEMUHandler:
@@ -328,6 +331,12 @@ class QEMUHandler:
 
         qemu_img = request.json.pop("qemu_img")
         path = request.json.pop("path")
+        if os.path.isabs(path):
+            config = Config.instance()
+            if config.get_section_config("Server").getboolean("local", False) is False:
+                response.set_status(403)
+                return
+
         yield from Qemu.instance().create_disk(qemu_img, path, request.json)
         response.set_status(201)
 

tests/handlers/api/test_qemu.py

@@ -20,6 +20,7 @@ import os
 import stat
 from tests.utils import asyncio_patch
 from unittest.mock import patch
+from gns3server.config import Config
 
 
 @pytest.fixture
@@ -241,7 +242,7 @@ def test_upload_vm_permission_denied(server, tmpdir):
         assert response.status == 409
 
 
-def test_create_img(server):
+def test_create_img_relative(server):
     body = {
         "qemu_img": "/tmp/qemu-img",
         "path": "hda.qcow2",
@@ -256,3 +257,45 @@ def test_create_img(server):
         response = server.post("/qemu/img", body=body, example=True)
 
     assert response.status == 201
+
+
+def test_create_img_absolute_non_local(server):
+
+    config = Config.instance()
+    config.set("Server", "local", "false")
+
+    body = {
+        "qemu_img": "/tmp/qemu-img",
+        "path": "/tmp/hda.qcow2",
+        "format": "qcow2",
+        "preallocation": "metadata",
+        "cluster_size": 64,
+        "refcount_bits": 12,
+        "lazy_refcounts": "off",
+        "size": 100
+    }
+    with asyncio_patch("gns3server.modules.Qemu.create_disk"):
+        response = server.post("/qemu/img", body=body, example=True)
+
+    assert response.status == 403
+
+
+def test_create_img_absolute_local(server):
+
+    config = Config.instance()
+    config.set("Server", "local", "true")
+
+    body = {
+        "qemu_img": "/tmp/qemu-img",
+        "path": "/tmp/hda.qcow2",
+        "format": "qcow2",
+        "preallocation": "metadata",
+        "cluster_size": 64,
+        "refcount_bits": 12,
+        "lazy_refcounts": "off",
+        "size": 100
+    }
+    with asyncio_patch("gns3server.modules.Qemu.create_disk"):
+        response = server.post("/qemu/img", body=body, example=True)
+
+    assert response.status == 201