From b194e48649bfe8078466a6ace0a9d5368bc03e38 Mon Sep 17 00:00:00 2001
From: grossmj
Date: Sat, 6 Jul 2024 12:24:22 +0200
Subject: [PATCH] Forbid unsafe Qemu additional options
---
 conf/gns3_server.conf | 2 ++
 gns3server/compute/qemu/qemu_vm.py | 18 +++++++++++++++++-
 tests/compute/qemu/test_qemu_vm.py | 8 ++++++++
 3 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/conf/gns3_server.conf b/conf/gns3_server.conf
index eb94aaa9..9e3088be 100644
--- a/conf/gns3_server.conf
+++ b/conf/gns3_server.conf
@@ -93,6 +93,8 @@ require_kvm = True
 enable_hardware_acceleration = True
 ; Require hardware acceleration in order to start VMs (all platforms)
 require_hardware_acceleration = False
+; Allow unsafe additional command line options
+allow_unsafe_options = False
 [VMware]
 ; First vmnet interface of the range that can be managed by the GNS3 server
diff --git a/gns3server/compute/qemu/qemu_vm.py b/gns3server/compute/qemu/qemu_vm.py
index 08d55955..681c4d86 100644
--- a/gns3server/compute/qemu/qemu_vm.py
+++ b/gns3server/compute/qemu/qemu_vm.py
@@ -53,6 +53,12 @@ from ...utils import macaddress_to_int, int_to_macaddress, is_ipv6_enabled
 import logging
 log = logging.getLogger(__name__)
+# forbidden additional options
+FORBIDDEN_OPTIONS = {"-blockdev", "-drive", "-hda", "-hdb", "-hdc", "-hdd",
+ "-fsdev", "-virtfs"}
+FORBIDDEN_OPTIONS |= {"-" + opt for opt in FORBIDDEN_OPTIONS
+ if opt.startswith("-") and not opt.startswith("--")}
+
 class QemuVM(BaseNode):
 module_name = 'qemu'
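Review bot: The comment added above `allow_unsafe_options` in conf/gns3_server.conf does not tell an operator what "unsafe" covers or what enabling it exposes. Judging by the denylist this commit adds to qemu_vm.py, the setting gates the disk and host-directory passthrough switches, so I would spell that out, e.g. `; Allow additional options that attach host disks or directories (-drive, -blockdev, -hda..-hdd, -fsdev, -virtfs)` followed by `; Keep False unless every user who can edit a Qemu node on this server is trusted`. The [Qemu] section this key belongs to starts above the hunk.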
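Review bot: `FORBIDDEN_OPTIONS` in gns3server/compute/qemu/qemu_vm.py is a denylist of eight disk and filesystem-passthrough switches, and its comment (`# forbidden additional options`) does not record why these were chosen. QEMU has other options that take a host path or load further configuration, so a denylist is likely to drift out of date; an allowlist of permitted switches would fail closed instead. At minimum I would state the selection criterion, e.g. `# Options that attach host files, block devices or directories to the guest; rejected unless [Qemu] allow_unsafe_options is set`. As a style point, building the set in a single expression and wrapping it in `frozenset(...)` would keep the module constant from being mutated after import.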
@@ -2424,9 +2430,19 @@ class QemuVM(BaseNode):
 command.extend(self._tpm_options())
 if additional_options:
 try:
- command.extend(shlex.split(additional_options))
+ additional_opt_list = shlex.split(additional_options)
 except ValueError as e:
 raise QemuError("Invalid additional options: {} error {}".format(additional_options, e))
+ allow_unsafe_options = self.manager.config.get_section_config("Qemu").getboolean(
+ "allow_unsafe_options",
+ False
+ )
+ if allow_unsafe_options is False:
+ for opt in additional_opt_list:
+ if opt in FORBIDDEN_OPTIONS:
+ raise QemuError("Forbidden additional option: {}".format(opt))
+ command.extend(additional_opt_list)
+
 # avoiding mouse offset (see https://github.com/GNS3/gns3-server/issues/2335)
 if self._console_type == "vnc":
 command.extend(['-machine', 'usb=on', '-device', 'usb-tablet'])
diff --git a/tests/compute/qemu/test_qemu_vm.py b/tests/compute/qemu/test_qemu_vm.py
index b35a21a5..59d00687 100644
--- a/tests/compute/qemu/test_qemu_vm.py
+++ b/tests/compute/qemu/test_qemu_vm.py
@@ -774,6 +774,14 @@ async def test_build_command_with_invalid_options(vm):
 await vm._build_command()
+@pytest.mark.skipif(sys.platform.startswith("win"), reason="Not supported on Windows")
+async def test_build_command_with_forbidden_options(vm):
+
+ vm.options = "-blockdev"
+ with pytest.raises(QemuError):
+ await vm._build_command()
+
+
 def test_hda_disk_image(vm, images_dir):
 open(os.path.join(images_dir, "test1"), "w+").close()
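Review bot: In the qemu_vm.py hunk at `@@ -2424,9 +2430,19 @@`, the guard `if allow_unsafe_options is False:` fails open, because the scan is skipped for any value other than the `False` singleton. `getboolean` with a `False` fallback presumably returns a bool today, but `if not allow_unsafe_options:` keeps the check closed if the config accessor ever yields `None` or a string. The comparison `opt in FORBIDDEN_OPTIONS` is an exact token match, so a short comment should say that it relies on QEMU taking the option name and its value as separate arguments. I would also emit a `log.warning` naming the rejected option before raising, so that refused attempts are visible in the server log. The enclosing method starts above and continues below this hunk.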
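Review bot: `test_build_command_with_forbidden_options` in tests/compute/qemu/test_qemu_vm.py exercises only the single token `-blockdev`, so the double-dash spellings generated by the `FORBIDDEN_OPTIONS |=` line and the `allow_unsafe_options = True` path are not covered. Parametrising it, e.g. `@pytest.mark.parametrize("options", ["-blockdev", "--drive file=x", "-name foo -virtfs"])` (constructed sample values), would pin both spellings and a forbidden switch that is not the first token. A second test that enables `allow_unsafe_options` in the Qemu config section and asserts the option reaches the built command would guard the opt-in path against regressions.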