Story #6335
Updated by bmbouter over 4 years ago
## The Concern Using the file system exporter, users can export to any path on the file system that the pulp worker has access to. This is not safe between users and not safe for We should probably lock this down by creating a Pulp administrator. ## The solution A new setting named `ALLOWED_EXPORT_PATHS` will be introduced. This will be the "brother" to the `ALLOWED_IMPORT_PATHS` setting from [Issue 5974](https://pulp.plan.io/issues/5974) except like we did for restricting exports instead of imports. ## The default By default you can't export anywhere for security reasons. So the default will be `ALLOWED_EXPORT_PATHS = []` ## Examples If configured with `ALLOWED_EXPORT_PATHS = ["/mnt/exports", "/var/lib/pulp/exports"]` you could export to any realpath that is at or a subpath of either `/mnt/exports/` or `/var/lib/pulp/exports`. So these would be allowed: ``` /mnt/exports/foo/ /mnt/exports/bar/../ /mnt/exports/ /var/lib/pulp/exports/asdf/ ``` These would *not* be allowed: ``` /some/other/dir/ /mnt/exports/../ ``` ## Where to enforce and validate? 1. Validation should occur at Exporter runtime and occur at BaseExporter. ## using realpath We should use [Python's realpath](https://docs.python.org/3.5/library/os.path.html#os.path.realpath) to handle any `..` or attempts to break out of the path. `realpath` should be used before the path check happens. #5974.