Before this change, Ironic did not filter file:// paths when used as an
image source except to ensure they were a file (and not, e.g., a
character device). This is problematic from a security perspective
because you could end up with config files from well-known paths being
written to disk on a node.

Now, we forbid any path that provides access to system configuration,
including /dev, /sys, /proc, /boot, /run, and /etc. Additionally, we've
added an allowlist configuration item which limits the acceptable paths
under which images will be pulled to a list provided by the operator.

The allowlist default list is huge, but it includes all known usages of
file:// URLs across Bifrost, Ironic, Metal3, and OpenShift in both CI
and default configuration.

Generated-by: Jetbrains Junie
Closes-bug: 2107847
Change-Id: I2fa995439ee500f9dd82ec8ccfa1a25ee8e1179c
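The check the commit message describes, written out as an added example in Python (Ironic's language); this is illustrative code, not the project's own implementation, and the option name and default allowlist are not reproduced. `DEFAULT_ALLOWED_DIRS` and the function names are assumptions. The point worth seeing in code is that the forbidden-prefix and allowlist tests are applied to the resolved path, so `..` traversal and a symlink planted inside an allowed directory that points at /etc/shadow are judged by where they actually land, and that prefixes are matched by path component so /etcetera is not mistaken for /etc.

```python
import os
import tempfile
from urllib.parse import unquote, urlparse

# System-configuration and device directories named in the commit message.
# Matched by path component, so /etcetera or /devices are not caught by accident.
FORBIDDEN_DIRS = ("/dev", "/sys", "/proc", "/boot", "/run", "/etc")

# Hypothetical operator allowlist; the real option name and default list
# are not reproduced here.
DEFAULT_ALLOWED_DIRS = ("/var/lib/ironic/images", "/httpboot")


class UnsafeImagePath(ValueError):
    """Raised for a file:// image source that must not be read."""


def _is_under(path, directory):
    """True if path is directory itself or lies inside it, component-wise."""
    directory = os.path.realpath(directory)   # /etc may itself be a symlink
    if directory == "/":
        return True
    return path == directory or path.startswith(directory + "/")


def file_url_to_path(url):
    """Extract an absolute local path from a file:// URL, rejecting anything else."""
    parsed = urlparse(url)
    if parsed.scheme != "file":
        raise UnsafeImagePath("not a file:// URL: %s" % url)
    if parsed.netloc not in ("", "localhost"):
        raise UnsafeImagePath("file:// URL names a host: %s" % url)
    path = unquote(parsed.path)   # decode %2e%2e and friends before checking
    if not path.startswith("/"):
        raise UnsafeImagePath("file:// path is not absolute: %s" % url)
    return path


def validate_image_path(url, allowed_dirs=DEFAULT_ALLOWED_DIRS,
                        require_regular_file=True):
    """Return the resolved path for url, or raise UnsafeImagePath."""
    raw = file_url_to_path(url)
    # realpath collapses '..' and follows symlinks (even dangling ones), so
    # <allowed>/evil.qcow2 -> /etc/shadow is judged by where it points.
    resolved = os.path.realpath(raw)
    for directory in FORBIDDEN_DIRS:
        if _is_under(resolved, directory):
            raise UnsafeImagePath("%s resolves to %s inside forbidden %s"
                                  % (url, resolved, directory))
    if not any(_is_under(resolved, d) for d in allowed_dirs):
        raise UnsafeImagePath("%s resolves to %s, which is outside the allowlist"
                              % (url, resolved))
    if require_regular_file and not os.path.isfile(resolved):
        raise UnsafeImagePath("%s is not a regular file" % resolved)
    return resolved


def classify(url, allowed_dirs=DEFAULT_ALLOWED_DIRS, require_regular_file=True):
    """'ok' or the rejection message; handy for tables and tests."""
    try:
        validate_image_path(url, allowed_dirs, require_regular_file)
        return "ok"
    except UnsafeImagePath as exc:
        return str(exc)


def demo():
    """Run the checks against a constructed image directory holding a real
    image, a symlink into /etc, plus traversal, out-of-allowlist and /dev cases."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        allowed = (tmp,)
        good = os.path.join(tmp, "good.qcow2")
        with open(good, "wb") as fh:
            fh.write(b"QFI\xfb")            # constructed: qcow2 magic only
        os.symlink("/etc/shadow", os.path.join(tmp, "evil.qcow2"))
        results["good"] = classify("file://" + good, allowed)
        results["symlink"] = classify("file://" + tmp + "/evil.qcow2", allowed)
        results["traversal"] = classify("file://" + tmp + "/../../../etc/passwd", allowed)
        results["outside"] = classify("file:///home/user/x.qcow2", allowed)
        results["devnode"] = classify("file:///dev/zero", allowed)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-10s %s" % (name, outcome))
```

Resolving the allowlist and forbidden directories with realpath as well matters on hosts where /etc or the temp directory is itself a symlink (macOS, for instance): comparing an unresolved prefix against a resolved path would silently miss the match.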