Commit 14a31771 authored by Hrvoje Ribicic's avatar Hrvoje Ribicic
Browse files

Forbid the compression tools from being set over RAPI

Although we impose restrictions on what can be input as a compression
tool, someone with RAPI credentials could choose and execute a number
of commands by first setting the custom tools and then executing them.

To prevent this from happening, use the _FORBIDDEN rlib modifier to
forbid tools from being set over RAPI, and verify this in a test.
The QA is also modified to account for the forbidden parameter in
symmetry tests.
Signed-off-by: default avatarHrvoje Ribicic <>
Reviewed-by: default avatarThomas Thrainer <>
parent 83a5fb86
......@@ -288,6 +288,9 @@ class R_2_cluster_modify(baserlib.OpcodeResource):
PUT_OPCODE = opcodes.OpClusterSetParams
class R_2_jobs(baserlib.ResourceBase):
......@@ -353,10 +353,12 @@ def TestEmptyCluster():
# The nicparams are returned under the default entry, yet accepted as they
# are - this is a TODO to fix!
DEFAULT_ISSUES = ["nicparams"]
# Cannot be set over RAPI due to security issues
FORBIDDEN_PARAMS = ["compression_tools"]
_DoGetPutTests("/2/info", "/2/modify", opcodes.OpClusterSetParams.OP_PARAMS,
def TestRapiQuery():
......@@ -206,6 +206,16 @@ class TestClusterModify(RAPITestCase):
self.assertRaises(http.HttpBadRequest, handler.PUT)
def testForbiddenParams(self):
for attr, value in [
("compression_tools", ["lzop"]),
handler = _CreateHandler(rlib2.R_2_cluster_modify, [], {}, {
attr: value,
}, self._clfactory)
self.assertRaises(http.HttpForbidden, handler.PUT)
class TestRedistConfig(RAPITestCase):
def test(self):
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment