[pdm-devel] superseded: [PATCH proxmox] rrd: restrict archive path via regex
Lukas Wagner
l.wagner at proxmox.com
Thu Nov 20 12:01:52 CET 2025
On Wed Nov 19, 2025 at 12:11 PM CET, Lukas Wagner wrote:
> The `rel_path` parameter is used as a relative path inside the `rrdb`
> base directory to build the final path for the archive file. Usually,
> this is something like 'node/localhost/cpu_avg1'. For PBS, this is fine,
> since these paths are hardcoded or derived from safe datastore names. In
> PDM however, these paths are built from potentially 'untrusted' (as in,
> one could 'pretend' to be a PBS/PVE remote and send malicious data)
> metric data points - so we should have additional safeguards in place
> to disallow potentially dangerous paths like '../abc' which would escape
> the base directory.
>
https://lore.proxmox.com/all/20251120110033.160931-1-l.wagner@proxmox.com/T/#u
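
Added example, not part of the original mail and not the patch's code: a minimal Rust sketch of validating `rel_path` before it is joined onto the base directory. The quoted patch uses a regex; this sketch does an equivalent per-component check with the standard library only. The function names, the allowed character set and the base directory are assumptions made for illustration.

```rust
use std::path::{Path, PathBuf};

/// Assumed allow-list for characters inside one path component.
fn is_safe_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '_' | '-' | '.' | ':')
}

/// Hypothetical validator: accepts only `component(/component)*`.
fn is_safe_rel_path(rel_path: &str) -> bool {
    !rel_path.is_empty()
        && rel_path.split('/').all(|comp| {
            // An empty component means a leading '/', a trailing '/' or '//'.
            // A leading dot covers ".", ".." and hidden files.
            !comp.is_empty()
                && !comp.starts_with('.')
                && comp.chars().all(is_safe_char)
        })
}

/// Build the archive path below `base`, refusing unvalidated input.
fn archive_path(base: &Path, rel_path: &str) -> Result<PathBuf, String> {
    if !is_safe_rel_path(rel_path) {
        return Err(format!("invalid RRD archive path: {:?}", rel_path));
    }
    // Only reached for validated input. Without the check above, `join`
    // keeps ".." components as-is, and an absolute `rel_path` replaces
    // `base` entirely.
    Ok(base.join(rel_path))
}

fn main() {
    let base = Path::new("/var/lib/example/rrdb"); // constructed base dir
    // Constructed sample inputs: one expected path, several rejected ones.
    let samples = [
        "node/localhost/cpu_avg1",
        "../abc",
        "node/../../abc",
        "/abs/elsewhere",
        "node//cpu",
        "node/a b",
    ];
    for p in samples {
        match archive_path(base, p) {
            Ok(path) => println!("ok    {:?} -> {}", p, path.display()),
            Err(e) => println!("deny  {}", e),
        }
    }
}
```

Checking the string before the join matters because `Path::join` does no normalisation of its own: it neither resolves `..` nor keeps the base when handed an absolute path.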