Story #6335

Updated by bmbouter 12 months ago

## The Concern

Using the file system exporter, users can export to any path on the file system that the pulp worker has access to. This is not safe between users and not safe for a Pulp administrator.

## The solution

A new setting named `ALLOWED_EXPORT_PATHS` will be introduced. This will be the "brother" to the `ALLOWED_IMPORT_PATHS` setting from [Issue 5974]( except for restricting exports instead of imports.

## The default

By default you can't export anywhere for security reasons. So the default will be `ALLOWED_EXPORT_PATHS = []`

## Examples

If configured with `ALLOWED_EXPORT_PATHS = ["/mnt/exports", "/var/lib/pulp/exports"]` you could export to any realpath that is at or a subpath of either `/mnt/exports/` or `/var/lib/pulp/exports`.

So these would be allowed:


These would *not* be allowed:


## Where to enforce and validate?

1. Validation should occur at Exporter runtime and occur at BaseExporter.

## using realpath

We should use [Python's realpath]( to handle any `..` or attempts to break out of the path. `realpath` should be used before the path check happens.