From 54448ab9364bc6d6dd8edd0ea67d00f594ea5550 Mon Sep 17 00:00:00 2001 From: Julien Duponchelle Date: Tue, 28 Jul 2015 16:05:48 +0200 Subject: [PATCH] Prevent user to create a qemu to a different directory on non local server --- gns3server/handlers/api/qemu_handler.py | 9 +++++ tests/handlers/api/test_qemu.py | 45 ++++++++++++++++++++++++- 2 files changed, 53 insertions(+), 1 deletion(-) diff --git a/gns3server/handlers/api/qemu_handler.py b/gns3server/handlers/api/qemu_handler.py index b6980bbc..72ad79d3 100644 --- a/gns3server/handlers/api/qemu_handler.py +++ b/gns3server/handlers/api/qemu_handler.py @@ -16,6 +16,8 @@ # along with this program. If not, see . import sys +import os.path + from aiohttp.web import HTTPConflict from ...web.route import Route from ...modules.project_manager import ProjectManager @@ -26,6 +28,7 @@ from ...schemas.qemu import QEMU_OBJECT_SCHEMA from ...schemas.qemu import QEMU_BINARY_LIST_SCHEMA from ...schemas.qemu import QEMU_LIST_IMAGES_SCHEMA from ...modules.qemu import Qemu +from ...config import Config class QEMUHandler: @@ -328,6 +331,12 @@ class QEMUHandler: qemu_img = request.json.pop("qemu_img") path = request.json.pop("path") + if os.path.isabs(path): + config = Config.instance() + if config.get_section_config("Server").getboolean("local", False) is False: + response.set_status(403) + return + yield from Qemu.instance().create_disk(qemu_img, path, request.json) response.set_status(201) diff --git a/tests/handlers/api/test_qemu.py b/tests/handlers/api/test_qemu.py index bd5f782c..8df589ce 100644 --- a/tests/handlers/api/test_qemu.py +++ b/tests/handlers/api/test_qemu.py @@ -20,6 +20,7 @@ import os import stat from tests.utils import asyncio_patch from unittest.mock import patch +from gns3server.config import Config @pytest.fixture 
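Review bot: In the `@@ -328,6 +331,12 @@` hunk of qemu_handler.py the new guard rejects only absolute values of `path`, so on a non-local server a relative value containing `..` components still reaches `Qemu.instance().create_disk()`; whether that leaves the intended image directory depends on how `create_disk` resolves it, which is not visible here. Consider normalising first and refusing parent references too, e.g. `norm = os.path.normpath(path)` followed by `if os.path.isabs(norm) or norm.split(os.sep)[0] == os.pardir:`. `qemu_img` is also popped from the request body and passed through unchecked, so the same local-only rule, or a check against the binaries the server itself lists, looks warranted for it. As a smaller point, `getboolean("local", False) is False` reads more plainly as `not ...getboolean("local", False)`, and the bare `response.set_status(403)` gives the client no reason for the refusal. The handler's start and end lie outside the hunk.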
@@ -241,7 +242,7 @@ def test_upload_vm_permission_denied(server, tmpdir): assert response.status == 409 -def test_create_img(server): +def test_create_img_relative(server): body = { "qemu_img": "/tmp/qemu-img", "path": "hda.qcow2", @@ -256,3 +257,45 @@ def test_create_img(server): response = server.post("/qemu/img", body=body, example=True) assert response.status == 201 + + +def test_create_img_absolute_non_local(server): + + config = Config.instance() + config.set("Server", "local", "false") + + body = { + "qemu_img": "/tmp/qemu-img", + "path": "/tmp/hda.qcow2", + "format": "qcow2", + "preallocation": "metadata", + "cluster_size": 64, + "refcount_bits": 12, + "lazy_refcounts": "off", + "size": 100 + } + with asyncio_patch("gns3server.modules.Qemu.create_disk"): + response = server.post("/qemu/img", body=body, example=True) + + assert response.status == 403 + + +def test_create_img_absolute_local(server): + + config = Config.instance() + config.set("Server", "local", "true") + + body = { + "qemu_img": "/tmp/qemu-img", + "path": "/tmp/hda.qcow2", + "format": "qcow2", + "preallocation": "metadata", + "cluster_size": 64, + "refcount_bits": 12, + "lazy_refcounts": "off", + "size": 100 + } + with asyncio_patch("gns3server.modules.Qemu.create_disk"): + response = server.post("/qemu/img", body=body, example=True) + + assert response.status == 201
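Review bot: `test_create_img_absolute_non_local` in the `@@ -256,3 +257,45 @@` hunk asserts only the 403 status, so it would still pass if the handler called `create_disk` before refusing. Assuming `asyncio_patch` yields the mock the way `unittest.mock.patch` does, bind it with `with asyncio_patch("gns3server.modules.Qemu.create_disk") as mock:` and add `assert not mock.called`. Both new tests also call `config.set("Server", "local", ...)` on the `Config.instance()` singleton and never restore it, which presumably leaks the setting into later tests unless the `server` fixture resets it. A case for a relative `path` with `..` components on a non-local server is missing; adding one would pin down what the handler is meant to do with it.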