Comment 15 for bug 1496277
Revision history for this message
| Steven Hardy (shardy) wrote Re: template-validate may read server local files | #15 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
Hey Angus, yeah I realize there are limitations with the validation in it's current form, which basically doesn't work at all with nested stacks - wouldn't it be better to just skip them completely rather than trying to load random files which may not bear any relation to what the user expects (e.g, how does a user of a public cloud heat have *any* idea what's in /etc/templates of their provider?)
That's one reason why I've been reworking validate to work more like create/preview:
https:/
Here, we actually pass the files map, so we can safely do nested validation:
https:/
I think this is a better long-term direction, but it obviously doesn't solve the sort term requirement for a backportable quick fix.
In the tests above - are those being done directly via curl, or using heatclient? Because we probably have fixes to do in the client too, e.g because AFAICT the trick with the comment #.yaml works there too:
https:/
https:/
$ cat bad_tmpl.yaml
heat_template_
resources:
test:
type: /etc/passwd#.yaml
If you do heat --debug template-validate bad_tmp.yaml you'll see that we read passwd and send it in the files map (even though we know current heat ignores the files at the API level.
I guess this latter case is more a safeguard against users doing something stupid, but we should probably make it more robust if possible.