As a Pulp administrator, I have a setting to mark which areas of the filesystem are safe for export
Using the file system exporter, users can export to any path on the file system that the pulp worker has access to. This is not safe between users and not safe for a Pulp administrator.
A new setting named ALLOWED_EXPORT_PATHS will be introduced. This will be the "brother" to the ALLOWED_IMPORT_PATHS setting from Issue 5974, except for restricting exports instead of imports.
By default you can't export anywhere for security reasons. So the default will be ALLOWED_EXPORT_PATHS = 
If configured with ALLOWED_EXPORT_PATHS = ["/mnt/exports", "/var/lib/pulp/exports"], you could export to any realpath that is at, or is a subpath of, either of those directories.
So these would be allowed:
/mnt/exports/foo/
/mnt/exports/bar/../
/mnt/exports/
/var/lib/pulp/exports/asdf/
These would not be allowed:
Where to enforce and validate?
Validation should occur at Exporter runtime, in BaseExporter. We should use Python's realpath to handle any .. segments or other attempts to break out of the path; realpath should be applied before the path check happens.
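An added example (not Pulp's own code) of the check described above: realpath is applied to the requested path and to each configured root before the subpath comparison, and commonpath is used rather than a string prefix so that a sibling directory with a longer name is not accepted. The allowed paths are the story's examples; the setting value and the rejected paths are constructed for illustration.

```python
import os

# Constructed setting value mirroring the story's example; hypothetical, not Pulp's code.
ALLOWED_EXPORT_PATHS = ["/mnt/exports", "/var/lib/pulp/exports"]


def is_export_path_allowed(path, allowed_paths=ALLOWED_EXPORT_PATHS):
    """Return True if `path` resolves to an allowed root or a subpath of one.

    realpath() is applied to the requested path and to every configured root
    before comparing, so `..` segments and symlinks cannot escape a root and
    a root that is itself a symlink still matches. commonpath() is used instead
    of str.startswith() so that "/mnt/exports-evil" is not treated as being
    under "/mnt/exports". An empty list (the intended default) allows nothing.
    """
    real = os.path.realpath(path)
    for root in allowed_paths:
        real_root = os.path.realpath(root)
        try:
            if os.path.commonpath([real, real_root]) == real_root:
                return True
        except ValueError:
            # commonpath() raises when the paths cannot share a prefix
            # (e.g. one absolute and one relative); treat as not allowed.
            continue
    return False
```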