Cause: Dashboard was allowing "/" in its snapshot name.
Consequence: As a result, user was able to enter snapshot name containing "/'" in it.
Fix: With the fix, the snapshot name cannot start with "." and cannot contain "/" and "@".
Result: Snapshot name cannot start with "." and cannot contain "/" and "@".
Description of problem:
Ceph Dashboard allows creation of snapshot that contains "/" in the name, however, it's not possible to create such an object using the Ceph CLI e.g.
[ceph: root@ceph-plugin-4a /]# rbd snap create vsp-rbd/test3@hello/world
rbd: invalid spec 'vsp-rbd/test3@hello/world'
[ceph: root@ceph-plugin-4a /]#
Version-Release number of selected component (if applicable): 8.0
How reproducible: Can be easily reproduced.
Steps to Reproduce:
1. Use the dashboard and create a snapshot with snapshot name containing "/".
2. Verify that the object is created.
3. Now try the same via the "rbd" CLI and it'll give the following error: rbd: invalid spec
Actual results:
Dashboard allows names with "/".
Expected results:
The dashboard allows "/" in snapshot name but the same is not possible via the CLI in a default setup. It seems that the dashboard is setting some extra options before invoking the "rbd" command which then bypasses the naming checks.
The code for the rbd CLI suggests that validation should match the following and it seems the dashboard is enabling the spec criteria that's set to "SPEC_VALIDATION_NONE":
int extract_spec(const std::string &spec, std::string *pool_name,
std::string *namespace_name, std::string *name,
std::string *snap_name, SpecValidation spec_validation) {
if (!g_ceph_context->_conf.get_val<bool>("rbd_validate_names")) {
spec_validation = SPEC_VALIDATION_NONE;
}
std::regex pattern;
switch (spec_validation) {
case SPEC_VALIDATION_FULL:
// disallow "/" and "@" in all names
pattern = "^(?:([^/@]+)/(?:([^/@]+)/)?)?([^/@]+)(?:@([^/@]+))?$";
break;
case SPEC_VALIDATION_SNAP:
// disallow "/" and "@" in snap name
pattern = "^(?:([^/]+)/(?:([^/@]+)/)?)?([^@]+)(?:@([^/@]+))?$";
break;
case SPEC_VALIDATION_NONE:
// relaxed pattern assumes pool is before first "/",
// namespace is before second "/", and snap name is after first "@"
pattern = "^(?:([^/]+)/(?:([^/@]+)/)?)?([^@]+)(?:@(.+))?$";
break;
default:
ceph_abort();
break;
}
Additional info:
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Red Hat Ceph Storage 8.0 security, bug fix, and enhancement updates), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2024:10216
Description of problem: Ceph Dashboard allows creation of snapshot that contains "/" in the name, however, it's not possible to create such an object using the Ceph CLI e.g. [ceph: root@ceph-plugin-4a /]# rbd snap create vsp-rbd/test3@hello/world rbd: invalid spec 'vsp-rbd/test3@hello/world' [ceph: root@ceph-plugin-4a /]# Version-Release number of selected component (if applicable): 8.0 How reproducible: Can be easily reproduced. Steps to Reproduce: 1. Use the dashboard and create a snapshot with snapshot name containing "/". 2. Verify that the object is created. 3. Now try the same via the "rbd" CLI and it'll give the following error: rbd: invalid spec Actual results: Dashboard allows names with "/". Expected results: The dashboard allows "/" in snapshot name but the same is not possible via the CLI in a default setup. It seems that the dashboard is setting some extra options before invoking the "rbd" command which then bypasses the naming checks. The code for the rbd CLI suggests that validation should match the following and it seems the dashboard is enabling the spec criteria that's set to "SPEC_VALIDATION_NONE": int extract_spec(const std::string &spec, std::string *pool_name, std::string *namespace_name, std::string *name, std::string *snap_name, SpecValidation spec_validation) { if (!g_ceph_context->_conf.get_val<bool>("rbd_validate_names")) { spec_validation = SPEC_VALIDATION_NONE; } std::regex pattern; switch (spec_validation) { case SPEC_VALIDATION_FULL: // disallow "/" and "@" in all names pattern = "^(?:([^/@]+)/(?:([^/@]+)/)?)?([^/@]+)(?:@([^/@]+))?$"; break; case SPEC_VALIDATION_SNAP: // disallow "/" and "@" in snap name pattern = "^(?:([^/]+)/(?:([^/@]+)/)?)?([^@]+)(?:@([^/@]+))?$"; break; case SPEC_VALIDATION_NONE: // relaxed pattern assumes pool is before first "/", // namespace is before second "/", and snap name is after first "@" pattern = "^(?:([^/]+)/(?:([^/@]+)/)?)?([^@]+)(?:@(.+))?$"; break; default: ceph_abort(); break; } Additional info: