3rd-party storage has "Unknown" type

Joshua Huber jhuber at blockbridge.com
Mon Apr 4 19:29:51 CEST 2022


Hi Tomas,

Thanks for the quick reply! No worries at all for jumping the gun and
submitting a patch for the first option. I think that's a totally
reasonable option, and I'm happy to get it in more quickly.

On Fri, Apr 1, 2022 at 11:51 AM Thomas Lamprecht
<t.lamprecht at proxmox.com> wrote:
>
> That's actually a good point, returning unknown here isn't really helping
> anyone, especially as  it's a place where we known that there can be values
> not under Proxmox VE's control, so the value is definitively the better
> fallback.
>
> I pushed out a commit with your proposed 1) behavior as its a good stop-gap
> measurement in any way and doesn't harm any fancier way we may possibly add
> in the future.
>
> https://git.proxmox.com/?p=pve-manager.git;a=commitdiff;h=ea9b688a8234bbdb8cd9e0f6498bed29777a1e2c

Based on your feedback regarding JS injection, would that be a concern
here, too? I suppose, because of the restrictive set of permitted
characters, the chances of something problematic getting through are
low. On the other hand, it is technically data returned over the API,
and could (via an additional bug or exploit) result in an XSS payload
being shuttled back via the type field.

Surprisingly, I was able to construct a somewhat complex storage type
string and have it passed back to the browser intact. This seems like
a totally reasonable storage type string, doesn't it!? :D

Name             Type     Status           Total            Used
Available        %
ceph              rbd     active        18891843               3
 18891840    0.00%
cephfs         cephfs   inactive               0               0
        0    0.00%
josh       <svg/onmouseover=alert(1)>     active       786432000
199489296       586942704   25.37%

With the just-pass-the-value-back change in place, the onmouseover
actually fires while viewing the StorageView.

> would need to be encoded to avoid HTML-element or JS injection, e.g., via
> the `Ext.htmlEncode()`, besides that it would seem OK from a technical POV.

Thank you! I'm not familiar with ExtJS, specifically, so assumed there
was some other escaping mechanism in place by default.

> not all to hard feelings but for most new properties we use kebab case, i.e.,
> here it'd be 'type-name' (needs the quotes then too, else perl gets confused
> as you probably already know), but due to backward compat we got quite the mix
> present, at least in Proxmox VE (the newer, rust based PBS is quite a bit more
> consistent).

Good to know, and no problem.

> Possibly alternative: 'type-text' (as one could draw parallels to our
> JSONSchema's internal 'format-text, which is used roughly similarly for
> property format definitions).

I like the sound of that, and the symmetry with format-text.

> > +     description => "User-friendly display name for storage",
> > +     type => 'string',
> > +     optional => 1,
>
> adding a generous maxLength (say something between 64 to 128) and a pattern
> to avoid other whitespace-types than, well, a plain space would IMO be good
> to add.
>
> Without encoding 2) would already be quite close to that, but I'd really
> like to avoid adding generic XSS injection as a feature ;-)

Haha, yes. 100% agree. :D

> Anyhow, if you want to for 2) then please feel free to do so.

Great -- I'm going to submit a couple patches for option 2 in a bit.

Really appreciate the review and the quick feedback!

Josh




More information about the pve-devel mailing list