mirror of https://github.com/GNS3/gns3-server synced 2024-11-15 12:59:06 +00:00

Prevent user to create a qemu to a different directory on non local

server
Julien Duponchelle 2015-07-28 16:05:48 +02:00
parent 1ebc287b5f
commit 54448ab936
2 changed files with 53 additions and 1 deletions


@ -16,6 +16,8 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
import sys import sys
import os.path
from aiohttp.web import HTTPConflict from aiohttp.web import HTTPConflict
from ...web.route import Route from ...web.route import Route
from ...modules.project_manager import ProjectManager from ...modules.project_manager import ProjectManager
@ -26,6 +28,7 @@ from ...schemas.qemu import QEMU_OBJECT_SCHEMA
from ...schemas.qemu import QEMU_BINARY_LIST_SCHEMA from ...schemas.qemu import QEMU_BINARY_LIST_SCHEMA
from ...schemas.qemu import QEMU_LIST_IMAGES_SCHEMA from ...schemas.qemu import QEMU_LIST_IMAGES_SCHEMA
from ...modules.qemu import Qemu from ...modules.qemu import Qemu
from ...config import Config
class QEMUHandler: class QEMUHandler:
@ -328,6 +331,12 @@ class QEMUHandler:
qemu_img = request.json.pop("qemu_img") qemu_img = request.json.pop("qemu_img")
path = request.json.pop("path") path = request.json.pop("path")
if os.path.isabs(path):
config = Config.instance()
if config.get_section_config("Server").getboolean("local", False) is False:
response.set_status(403)
return
yield from Qemu.instance().create_disk(qemu_img, path, request.json) yield from Qemu.instance().create_disk(qemu_img, path, request.json)
response.set_status(201) response.set_status(201)
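Review bot: The new guard before `create_disk` rejects only absolute `path` values, so on a non-local server a relative value containing `..` components still passes it. Whether such a value can leave the intended directory depends on how `Qemu.create_disk` resolves the path, which is outside this hunk, as is the start of the handler. Consider also refusing the normalised form, e.g. `if os.path.isabs(path) or os.path.normpath(path).split(os.sep)[0] == os.pardir:`, or doing the containment check inside `create_disk` against the resolved target directory. `qemu_img` is likewise popped from the request body and passed on unchanged; if `create_disk` runs it as given, it presumably needs the same non-local restriction. A short comment above the check stating why absolute paths are allowed only when `local` is true would help the next reader.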


@ -20,6 +20,7 @@ import os
import stat import stat
from tests.utils import asyncio_patch from tests.utils import asyncio_patch
from unittest.mock import patch from unittest.mock import patch
from gns3server.config import Config
@pytest.fixture @pytest.fixture
@ -241,7 +242,7 @@ def test_upload_vm_permission_denied(server, tmpdir):
assert response.status == 409 assert response.status == 409
def test_create_img(server): def test_create_img_relative(server):
body = { body = {
"qemu_img": "/tmp/qemu-img", "qemu_img": "/tmp/qemu-img",
"path": "hda.qcow2", "path": "hda.qcow2",
@ -256,3 +257,45 @@ def test_create_img(server):
response = server.post("/qemu/img", body=body, example=True) response = server.post("/qemu/img", body=body, example=True)
assert response.status == 201 assert response.status == 201
def test_create_img_absolute_non_local(server):
config = Config.instance()
config.set("Server", "local", "false")
body = {
"qemu_img": "/tmp/qemu-img",
"path": "/tmp/hda.qcow2",
"format": "qcow2",
"preallocation": "metadata",
"cluster_size": 64,
"refcount_bits": 12,
"lazy_refcounts": "off",
"size": 100
}
with asyncio_patch("gns3server.modules.Qemu.create_disk"):
response = server.post("/qemu/img", body=body, example=True)
assert response.status == 403
def test_create_img_absolute_local(server):
config = Config.instance()
config.set("Server", "local", "true")
body = {
"qemu_img": "/tmp/qemu-img",
"path": "/tmp/hda.qcow2",
"format": "qcow2",
"preallocation": "metadata",
"cluster_size": 64,
"refcount_bits": 12,
"lazy_refcounts": "off",
"size": 100
}
with asyncio_patch("gns3server.modules.Qemu.create_disk"):
response = server.post("/qemu/img", body=body, example=True)
assert response.status == 201
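Review bot: `test_create_img_absolute_non_local` checks only the 403 status and never verifies that `create_disk` was left uncalled, so a regression that sets 403 but still creates the file would pass. If `asyncio_patch` yields the mock as `unittest.mock.patch` does, bind it with `with asyncio_patch("gns3server.modules.Qemu.create_disk") as mock:` and add `assert not mock.called`. Both new tests also write `local` into the shared `Config.instance()` and do not restore it, so the value may leak into later tests unless the `server` fixture resets the config, which is not visible here. A further case posting a relative `path` such as `"../hda.qcow2"` on a non-local server would document the intended behaviour for that input.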