From 20c60513b2a6b2d7c7aae0dcc0391889b9cb7ecf Mon Sep 17 00:00:00 2001
From: Lorenz Stechauner
Date: Mon, 19 Apr 2021 09:16:28 +0200
Subject: [PATCH] fix #1500: permission path syntax check for access control
Syntax for permission paths is now checked on API calls for creation or update on permissions.
Signed-off-by: Lorenz Stechauner
---
 PVE/API2/ACL.pm | 4 ++++
 PVE/AccessControl.pm | 18 ++++++++++++++++++
 2 files changed, 22 insertions(+)
diff --git a/PVE/API2/ACL.pm b/PVE/API2/ACL.pm
index c340267..857c672 100644
--- a/PVE/API2/ACL.pm
+++ b/PVE/API2/ACL.pm
@@ -141,6 +141,10 @@ __PACKAGE__->register_method ({
 my $path = PVE::AccessControl::normalize_path($param->{path});
 raise_param_exc({ path => "invalid ACL path '$param->{path}'" }) if !$path;
+ if (!$param->{delete} && !PVE::AccessControl::check_path($path)) {
+ raise_param_exc({ path => "invalid ACL path '$param->{path}'" });
+ }
+
 PVE::AccessControl::lock_user_config(
 sub {
diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 8b5be1e..4ef1080 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -929,6 +929,24 @@ sub normalize_path {
 return $path;
 }
+sub check_path {
+ return shift =~ m!^(
+ /
+ |/access
+ |/access/groups
+ |/access/realm
+ |/nodes
+ |/nodes/[[:alnum:]\.\-\_]+
+ |/pool
+ |/pool/[[:alnum:]\.\-\_]+
+ |/sdn
+ |/storage
+ |/storage/[[:alnum:]\.\-\_]+
+ |/vms
+ |/vms/\d{3,}
+ )$!xs;
+}
+
 PVE::JSONSchema::register_format('pve-groupid', \&verify_groupname);
 sub verify_groupname {
 my ($groupname, $noerr) = @_;
--
2.39.2
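Review bot: The `!$param->{delete}` exemption in the check added to PVE/API2/ACL.pm is undocumented, so a later reader cannot tell whether skipping validation on delete is deliberate. If the intent is that ACL entries on paths written before this check existed can still be removed (an inference; the commit message does not say), a comment above the `if` such as `# deletion must stay possible for entries whose path predates the syntax check` would record that. The enclosing handler starts and ends outside the hunk.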
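Review bot: In `check_path` (PVE/AccessControl.pm) the allow-list pattern is anchored with `^` and `$`, and `$` also matches before a trailing newline, so a path ending in `\n` passes this check unless `normalize_path` already rejects it, which the hunk does not show. Anchoring with `\A` and `\z` and adding the `/a` modifier closes that and keeps `[[:alnum:]]` and `\d` to ASCII if the parameter arrives as decoded text: `return shift =~ m!\A(` … `)\z!xsa;`. `\d{3,}` also accepts values such as `000`; if VM IDs are expected to start at 100, `[1-9]\d{2,}` states that. Because this list gates which paths can carry access-control entries, a short comment above the sub saying that every valid ACL path form must be listed here would help keep it in sync with the rest of the permission tree.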