Story #6335
Updated by bmbouter over 4 years ago
## The Concern
Using the file system exporter, users can export to any path on the file system that the pulp worker has access to. This is not safe between users and not safe for a Pulp administrator.
## The solution
A new setting named `ALLOWED_EXPORT_PATHS` will be introduced. This will be the "brother" to the `ALLOWED_IMPORT_PATHS` setting from [Issue 5974](https://pulp.plan.io/issues/5974) except for restricting exports instead of imports.
## The default
By default you can't export anywhere, for security reasons. So the default will be `ALLOWED_EXPORT_PATHS = []`.
## Examples
If configured with `ALLOWED_EXPORT_PATHS = ["/mnt/exports", "/var/lib/pulp/exports"]` you could export to any path whose realpath is at, or a subpath of, either `/mnt/exports/` or `/var/lib/pulp/exports`.
So these would be allowed:
```
/mnt/exports/foo/
/mnt/exports/bar/../
/mnt/exports/
/var/lib/pulp/exports/asdf/
```
These would *not* be allowed:
```
/some/other/dir/
/mnt/exports/../
```
## Where to enforce and validate?
1. Validation should occur at Exporter runtime and should be implemented in `BaseExporter`.
## Using realpath
We should use [Python's realpath](https://docs.python.org/3.5/library/os.path.html#os.path.realpath) to handle any `..` components, symlinks, or other attempts to break out of an allowed directory. `realpath` must be applied to the candidate path before the allowed-path check happens, and the check must compare whole path components (so that `/mnt/exportsfoo` is not treated as being under `/mnt/exports`).
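The following is an added illustration of the check described in the Examples and Using realpath sections above; it is not Pulp's own code, and the function names `is_allowed_export_path` and `validate_export_path` and the inline `ALLOWED_EXPORT_PATHS` value are assumptions made for the example. It resolves both the candidate path and each configured root with `os.path.realpath` and then compares whole path components with `os.path.commonpath`, which is what makes `/mnt/exports/bar/../` pass and `/mnt/exports/../` fail.

```python
import os
from typing import Iterable

# Constructed setting value for this example; the real value would come from
# the Pulp settings file.
ALLOWED_EXPORT_PATHS = ["/mnt/exports", "/var/lib/pulp/exports"]


def is_allowed_export_path(path: str, allowed: Iterable[str] = ALLOWED_EXPORT_PATHS) -> bool:
    """Return True if the resolved form of `path` is at or below an allowed root."""
    # Resolve symlinks and ".." components first; checking the raw string would
    # let "/mnt/exports/../etc" or a symlink inside the export root escape.
    real = os.path.realpath(path)
    for root in allowed:
        real_root = os.path.realpath(root)
        # commonpath compares whole components, so "/mnt/exportsfoo" does not
        # match the root "/mnt/exports" the way a plain startswith() would.
        if os.path.commonpath([real, real_root]) == real_root:
            return True
    # An empty ALLOWED_EXPORT_PATHS (the default) therefore allows nothing.
    return False


def validate_export_path(path: str, allowed: Iterable[str] = ALLOWED_EXPORT_PATHS) -> str:
    """Raise ValueError for a disallowed path; return the resolved path otherwise."""
    if not is_allowed_export_path(path, allowed):
        raise ValueError(f"export path {path!r} is not under any ALLOWED_EXPORT_PATHS entry")
    return os.path.realpath(path)


if __name__ == "__main__":
    for candidate in ["/mnt/exports/foo/", "/mnt/exports/bar/../", "/mnt/exports/",
                      "/var/lib/pulp/exports/asdf/", "/some/other/dir/", "/mnt/exports/../"]:
        print(f"{candidate:32} allowed={is_allowed_export_path(candidate)}")
```

Because the roots are also passed through `realpath`, a root that is itself a symlink still matches candidates written either way, and the returned resolved path is what the exporter should actually write to.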