CP-51836: Restrict/check binary_url of remote_pool repository

Add an assertion to restrict `binary_url` of remote_pool repository to be in the format of `https://<coordinator-ip>/repository/enabled`. Signed-off-by: Bengang Yuan <[email protected]>
xapi-project · Oct 31, 2024 · 8578d7b · 8578d7b
1 parent d10a8c0
commit 8578d7b
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 0 deletions.
diff --git a/ocaml/xapi-consts/constants.ml b/ocaml/xapi-consts/constants.ml
@@ -155,6 +155,9 @@ let get_pool_update_download_uri = "/update/"
 
 let get_repository_uri = "/repository" (* ocaml/xapi/repository.ml *)
 
+let get_enabled_repository_uri =
+  "/repository/enabled" (* ocaml/xapi/repository.ml *)
+
 let get_host_updates_uri = "/host_updates" (* ocaml/xapi/repository.ml *)
 
 let get_updates_uri = "/updates" (* ocaml/xapi/repository.ml *)

diff --git a/ocaml/xapi/repository.ml b/ocaml/xapi/repository.ml
@@ -69,6 +69,7 @@ let introduce_bundle ~__context ~name_label ~name_description =
 
 let introduce_remote_pool ~__context ~name_label ~name_description ~binary_url
     ~certificate =
+  assert_remote_pool_url_is_valid ~url:binary_url ;
   Db.Repository.get_all ~__context
   |> List.iter (fun ref ->
          if

diff --git a/ocaml/xapi/repository_helpers.ml b/ocaml/xapi/repository_helpers.ml
@@ -231,6 +231,17 @@ let assert_gpgkey_path_is_valid path =
     raise Api_errors.(Server_error (invalid_gpgkey_path, [path]))
   )
 
+let assert_remote_pool_url_is_valid ~url =
+  let uri = Uri.of_string url in
+  match (Uri.scheme uri, Uri.host uri, Uri.path uri) with
+  | Some "https", Some host, path
+    when path = Constants.get_enabled_repository_uri
+         && Helpers.is_valid_ip `ipv4or6 host ->
+      ()
+  | _ ->
+      error "Invalid url %s" url ;
+      raise Api_errors.(Server_error (invalid_base_url, [url]))
+
 let with_pool_repositories f =
   Xapi_stdext_pervasives.Pervasiveext.finally
     (fun () ->