Story #6335

Updated by bmbouter over 4 years ago

## The Concern 

 Using the file system exporter, users can export to any path on the file system that the pulp worker has access to. This is not safe between users and not safe for a Pulp administrator. 

 ## The solution 

 A new setting named `ALLOWED_EXPORT_PATHS` will be introduced. This will be the "brother" to the `ALLOWED_IMPORT_PATHS` setting from [Issue 5974]( except for restricting exports instead of imports. 

 ## The default 

 By default you can't export anywhere for security reasons. So the default will be `ALLOWED_EXPORT_PATHS = []` 

 ## Examples 

 If configured with `ALLOWED_EXPORT_PATHS = ["/mnt/exports", "/var/lib/pulp/exports"]` you could export to any realpath that is at or a subpath of either `/mnt/exports/` or `/var/lib/pulp/exports`. 

 So these would be allowed: 


 These would *not* be allowed: 


 ## Where to enforce and validate? 

 1. Validation should occur at Exporter runtime and occur at BaseExporter. 

 ## using realpath 

 We should use [Python's realpath]( to handle any `..` or attempts to break out of the path. `realpath` should be used before the path check happens.