Restrict use of subfolder in configfiles path
The GET function on the config files path now lists all the contents,
including subdirectories. Creation of subdirectories under config files
is not allowed from the UI; however, it's possible to create them manually.
If we try to access a subfolder with the GET command, bmcweb handles the
folder name as a file name and crashes trying to open it.
Hence we limit the use of subfolders under config files by not listing
them in the response of the GET command, and by returning an error if the
user tries to run a GET on a manually created subfolder.
Tested:
Create subfolder under configfiles path
curl -k -H "X-Auth-Token: $bmc_token" -X GET -D patch1.txt
https://${bmc}/ibm/v1/Host/ConfigFiles
Without fix:
Lists all contents of the ConfigFiles folder
With Fix:
lists only the regular files
Run the command with subfolder
curl -k -H "X-Auth-Token: $bmc_token" -X GET -D patch1.txt
https://${bmc}/ibm/v1/Host/ConfigFiles/testfolder
Without fix:
bmcweb crashes
With the fix:
"Description": "Resource Not Found"
Change-Id: I71ef5523c6bc425e880a28a6e1175c677ef0a102
Signed-off-by: Jishnu C M <jishnunambiarcm@duck.com>
diff --git a/include/ibm/management_console_rest.hpp b/include/ibm/management_console_rest.hpp
index 97ac497..34befd7 100644
--- a/include/ibm/management_console_rest.hpp
+++ b/include/ibm/management_console_rest.hpp
@@ -243,8 +243,11 @@
for (const auto& file : std::filesystem::directory_iterator(loc))
{
const std::filesystem::path& pathObj = file.path();
- pathObjList.push_back("/ibm/v1/Host/ConfigFiles/" +
- pathObj.filename().string());
+ if (std::filesystem::is_regular_file(pathObj))
+ {
+ pathObjList.push_back("/ibm/v1/Host/ConfigFiles/" +
+ pathObj.filename().string());
+ }
}
}
asyncResp->res.jsonValue["@odata.type"] =
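Review bot: The added `std::filesystem::is_regular_file(pathObj)` call inside the directory_iterator loop is the throwing overload, so a status failure on a single entry (for example a file removed between iteration and the check) raises std::filesystem::filesystem_error in a handler that this change is meant to make crash-proof. Suggest the std::error_code overload, or `file.is_regular_file(ec)` on the directory_entry already in hand, and skip the entry on error. Also note that is_regular_file follows symlinks, so a symlink to a regular file is still listed; if only real files under configfiles should appear, test `file.is_symlink()` first or use symlink_status.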
@@ -302,7 +305,7 @@
BMCWEB_LOG_DEBUG << "HandleGet on SaveArea files on path: " << fileID;
std::filesystem::path loc(
"/var/lib/bmcweb/ibm-management-console/configfiles/" + fileID);
- if (!std::filesystem::exists(loc))
+ if (!std::filesystem::exists(loc) || !std::filesystem::is_regular_file(loc))
{
BMCWEB_LOG_ERROR << loc.string() << " Not found";
asyncResp->res.result(boost::beast::http::status::not_found);
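Review bot: In the changed condition of the GET handler, `!std::filesystem::exists(loc) ||` is redundant, because is_regular_file(loc) already returns false for a path that does not exist; one call to the std::error_code overload would cover both cases and avoid the throwing forms. The check follows symlinks, and `loc` is built by appending `fileID` to the configfiles directory, so on its own it does not confirm that the file being served lives in that directory; if fileID is not validated before this point, consider rejecting symlinks via symlink_status or comparing the canonical path's parent with the configfiles directory. The error log still reads "Not found" when the path is a subfolder; a distinct message for the non-regular-file case would make this easier to debug.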