Bug 761205

Summary: Repositories with nested relative paths shouldn't be allowed by Pulp
Product: [Retired] Pulp
Component: user-experience
Version: 1.0.0
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Jay Dobies <jason.dobies>
Assignee: Jay Dobies <jason.dobies>
QA Contact: Preethi Thomas <pthomas>
CC: jmatthew
Keywords: Triaged
Doc Type: Bug Fix
Last Closed: 2012-02-24 20:14:58 UTC
Bug Blocks: 744250

Description Jay Dobies 2011-12-07 21:14:50 UTC
This came up while looking into https://bugzilla.redhat.com/show_bug.cgi?id=744250

I'm not sure it should have been allowed to create repositories with the relative paths:
foo/bar/baz
foo/bar

That basically means that in the foo/bar repository, there will be a directory baz that contains an entirely separate repository. 

My gut feeling is that it feels wrong. Part of me feels like the user probably didn't intend that, but there may be use cases for it that I'm not realizing.

I suspect this will cause problems with security in some capacity depending on which of the two are secured and how they are secured. I'm not 100% sure it's an issue, but it feels like one.

This also runs the risk where the "baz" portion of the first repository conflicts with a file/directory of the same name in the foo/bar directory. Unlikely, yes, but if we allow it, it's a possibility with varying degrees of brokenness resulting.

Note that this is different than the case of two repositories:
foo/bar/wombat
foo/bar/zombie

That should be allowed, the real example there being i386 and x86_64 versions of a repository.

Comment 1 Jay Dobies 2011-12-09 16:08:21 UTC
commit a3a05c905e89ad766c9d5fe2299639c7d0b37c14
Author: Jay Dobies <jason.dobies>
Date:   Fri Dec 9 09:44:31 2011 -0500

    Refinements to the relative path validation logic

src/pulp/server/api/repo.py
test/unit/test_repo_api.py


= CLI output for a bad relative path =

-> pulp-admin repo create --id test3 --relativepath foo/bar
error: operation failed: PulpException: New relative path [foo/bar] conflicts with existing relative path [foo]; relative paths may not be a parent or child directory of another relative path



= To simulate a failed migrate =

I made two repositories with safe relative paths (the CLI won't let you create bad ones anymore). I had to manually go into mongo's shell and dork with the relative paths to trigger the error message (simulating existing bad data). Here is the command I used:

db.repos.update( {"_id" : "test2"}, {$set : {"relative_path" : "foo"}})

For reference, my test1 repository had relative path foo/bar



= Sample output of a failed migrate =

-> sudo pulp-migrate 

Repository [test2] with relative path [foo] conflicts with repository [test1] with
relative path [foo/bar]. Relative paths may not be a parent or child directory of
another relative path. Please correct the listed repositories.

database migration to version 32 complete
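
An added example (not the code from the commit above, and not Pulp's own implementation) of one way to enforce the rule that a relative path may not be a parent or child directory of another: compare paths component by component rather than by string prefix, so foo/ and foo/bar conflict while foo/bar and foo/barbaz do not. All function names are hypothetical, and treating identical paths and ".." components as invalid is an assumption of this sketch.

```python
def split_components(relative_path):
    """Split a relative path into directory components, ignoring empty
    and "." segments so "foo/" and "foo//bar" normalize cleanly."""
    parts = [p for p in relative_path.split("/") if p not in ("", ".")]
    # Assumption: ".." is rejected outright rather than resolved, since it
    # could point outside the directory the repositories are served from.
    if not parts or ".." in parts:
        raise ValueError("invalid relative path [%s]" % relative_path)
    return parts


def is_nested(path_a, path_b):
    """True if the paths are identical or one is an ancestor directory of
    the other. Comparing whole components avoids the string-prefix
    mistake of treating foo/barbaz as a child of foo/bar."""
    a, b = split_components(path_a), split_components(path_b)
    shorter = min(len(a), len(b))
    return a[:shorter] == b[:shorter]


def find_conflict(new_path, existing):
    """Create-time check. `existing` maps repo id -> relative path.
    Returns (repo_id, relative_path) of the first conflict, or None."""
    for repo_id, path in sorted(existing.items()):
        if is_nested(new_path, path):
            return repo_id, path
    return None


def audit(repos):
    """Migration-style check over data that already exists: return every
    pair of repo ids whose relative paths nest inside one another."""
    ids = sorted(repos)
    return [(a, b) for i, a in enumerate(ids) for b in ids[i + 1:]
            if is_nested(repos[a], repos[b])]


if __name__ == "__main__":
    # Constructed sample data mirroring the repositories named in this bug.
    print(find_conflict("foo/bar", {"test": "foo/"}))
    print(find_conflict("foo/bar/zombie", {"i386": "foo/bar/wombat"}))
    print(audit({"test1": "foo/bar", "test2": "foo"}))
```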

Comment 2 Pradeep Kilambi 2011-12-09 20:05:05 UTC
*** Bug 654713 has been marked as a duplicate of this bug. ***

Comment 3 Jeff Ortel 2011-12-15 20:18:23 UTC
build: 0.255

Comment 4 Preethi Thomas 2011-12-20 16:18:25 UTC
[root@preethi ~]# rpm -q pulp
pulp-0.0.255-1.fc15.noarch
[root@preethi ~]# 



[root@preethi ~]# pulp-admin repo create --id=test --relativepath=foo/
Successfully created repository [ test ]

[root@preethi ~]# 
[root@preethi ~]# pulp-admin repo create --id=test1 --relativepath=foo/bar
error:  error: operation failed: PulpException: New relative path [foo/bar] conflicts with existing relative path [foo]; paths may not be a parent or child directory of another relative path

Comment 5 Preethi Thomas 2012-02-24 20:14:58 UTC
Pulp v1.0 is released
Closed Current Release.

Comment 6 Preethi Thomas 2012-02-24 20:19:52 UTC
Pulp v1.0 is released.