Comment 182 for bug 1996188

Reviewed: https://review.opendev.org/c/openstack/glance/+/871621
Committed: https://opendev.org/openstack/glance/commit/9a98c4a7d1358cdae009cc8fb6377160a126ea7b
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 9a98c4a7d1358cdae009cc8fb6377160a126ea7b
Author: Dan Smith <email address hidden>
Date: Mon Dec 19 15:00:35 2022 +0000

    Enforce image safety during image_conversion

    This does two things:

    1. It makes us check that the QCOW backing_file is unset on those
    types of images. Nova and Cinder do this already to prevent an
    arbitrary (and trivial to accomplish) host file exposure exploit.
    2. It makes us restrict VMDK files to only allowed subtypes. These
    files can name arbitrary files on disk as extents, providing the
    same sort of attack. Default that list to just the types we believe
    are actually useful for openstack, and which are monolithic.

    The configuration option to specify allowed subtypes is added in
    glance's config and not in the import options so that we can extend
    this check later to image ingest. The format_inspector can tell us
    what the type and subtype is, and we could reject those images early
    and even in the case where image_conversion is not enabled.

    Closes-Bug: #1996188
    Change-Id: Idf561f6306cebf756c787d8eefdc452ce44bd5e0
    (cherry picked from commit 0d6282a01691cecc2798f7858b181c4bb30f850c)
    (cherry picked from commit 4967ab6935cfd0274ae801ac943d01909a236a0a)
    (cherry picked from commit dc8e5a5cc7f5e9d1b697e520a7533cc90516db1b)
    (cherry picked from commit f45b5f024e765f0000884dfec5ac222124cfbc6d)