tronnet/ProxmoxAAS-API
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add checking for disk bus prefix in disk create and disk attach

Browse Source
This commit is contained in:
Arthur Lu 2023-06-09 00:24:37 +00:00
parent e356684cd9
commit c110330154
1 changed files with 17 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
main.js
View File

@ -214,11 +214,17 @@ app.post("/api/instance/disk/attach", async (req, res) => {
res.end(); res.end();
return; return;
} }
// TODO: check create and mount disk against allowed bus types // target disk must be allowed according to source disk's storage options
let sourceDisk = config.data.data[`unused${req.body.source}`]; let diskConfig = await getDiskInfo(req.body.node, req.body.type, req.body.vmid, `unused${req.body.source}`); // get target disk
let resourceConfig = db.getResourceConfig();
if (!resourceConfig[diskConfig.storage].disks.some(diskPrefix => req.body.disk.startsWith(diskPrefix))) {
res.status(500).send({ error: `Requested target ${req.body.disk} is not in allowed list [${resourceConfig[diskConfig.storage].disks}].` });
res.end();
return;
}
// setup action using source disk info from vm config // setup action using source disk info from vm config
let action = {}; let action = {};
action[req.body.disk] = sourceDisk; action[req.body.disk] = config[`unused${req.body.source}`];
action = JSON.stringify(action); action = JSON.stringify(action);
let method = req.body.type === "qemu" ? "POST" : "PUT"; let method = req.body.type === "qemu" ? "POST" : "PUT";
// commit action // commit action
@ -376,7 +382,7 @@ app.delete("/api/instance/disk/delete", async (req, res) => {
* - vmid: Number - vm id number * - vmid: Number - vm id number
* - disk: String - disk id (sata0, ide0) * - disk: String - disk id (sata0, ide0)
* - storage: String - storage to hold disk * - storage: String - storage to hold disk
* - size: Number size of disk in GiB * - size: Number - size of disk in GiB
* responses: * responses:
* - 200: PVE Task Object * - 200: PVE Task Object
* - 401: {auth: false, path: String} * - 401: {auth: false, path: String}
@ -397,7 +403,6 @@ app.post("/api/instance/disk/create", async (req, res) => {
return; return;
} }
// setup request // setup request
// TODO: check create and mount disk against allowed bus types
let request = {}; let request = {};
if (!req.body.disk.includes("ide")) { if (!req.body.disk.includes("ide")) {
request[req.body.storage] = Number(req.body.size * 1024 ** 3); // setup request object request[req.body.storage] = Number(req.body.size * 1024 ** 3); // setup request object
@ -408,6 +413,13 @@ app.post("/api/instance/disk/create", async (req, res) => {
return; return;
} }
} }
// target disk must be allowed according to storage options
let resourceConfig = db.getResourceConfig();
if (!resourceConfig[req.body.storage].disks.some(diskPrefix => req.body.disk.startsWith(diskPrefix))) {
res.status(500).send({ error: `Requested target ${req.body.disk} is not in allowed list [${resourceConfig[req.body.storage].disks}].` });
res.end();
return;
}
// setup action // setup action
let action = {}; let action = {};
if (req.body.disk.includes("ide") && req.body.iso) { if (req.body.disk.includes("ide") && req.body.iso) {