Add parameters "backups.allowed_path" and "backups.allowed_disk" to config.

src/Backups/BackupInDirectory.cpp

@@ -14,6 +14,34 @@ namespace ErrorCodes
     extern const int NUMBER_OF_ARGUMENTS_DOESNT_MATCH;
 }
 
+namespace
+{
+    /// Checks multiple keys "key", "key[1]", "key[2]", and so on in the configuration
+    /// and find out if some of them have matching value.
+    bool findConfigKeyWithMatchingValue(const Poco::Util::AbstractConfiguration & config, const String & key, const std::function<bool(const String & value)> & match_function)
+    {
+        String current_key = key;
+        size_t counter = 0;
+        while (config.has(current_key))
+        {
+            if (match_function(config.getString(current_key)))
+                return true;
+            current_key = key + "[" + std::to_string(++counter) + "]";
+        }
+        return false;
+    }
+
+    bool isDiskAllowed(const String & disk_name, const Poco::Util::AbstractConfiguration & config)
+    {
+        return findConfigKeyWithMatchingValue(config, "backups.allowed_disk", [&](const String & value) { return value == disk_name; });
+    }
+
+    bool isPathAllowed(const String & path, const Poco::Util::AbstractConfiguration & config)
+    {
+        return findConfigKeyWithMatchingValue(config, "backups.allowed_path", [&](const String & value) { return path.starts_with(value); });
+    }
+}
+
 
 BackupInDirectory::BackupInDirectory(
     const String & backup_name_,
@@ -25,10 +53,12 @@ BackupInDirectory::BackupInDirectory(
     : BackupImpl(backup_name_, open_mode_, context_, base_backup_info_)
     , disk(disk_), path(path_)
 {
+    /// Path to backup must end with '/'
     if (path.back() != '/')
         throw Exception(ErrorCodes::BAD_ARGUMENTS, "Backup {}: Path to backup must end with '/', but {} doesn't.", getName(), quoteString(path));
     dir_path = fs::path(path).parent_path(); /// get path without terminating slash
 
+    /// If `disk` is not specified, we create an internal instance of `DiskLocal` here.
     if (!disk)
     {
         auto fspath = fs::path{dir_path};
@@ -99,6 +129,9 @@ void registerBackupEngineFile(BackupFactory & factory)
             }
 
             path = args[0].safeGet<String>();
+
+            if (!isPathAllowed(path, params.context->getConfigRef()))
+                throw Exception(ErrorCodes::BAD_ARGUMENTS, "Path {} is not allowed for backups", path);
         }
         else if (engine_name == "Disk")
         {
@@ -108,9 +141,13 @@ void registerBackupEngineFile(BackupFactory & factory)
                     "Backup engine 'Disk' requires 2 arguments (disk_name, path)",
                     ErrorCodes::NUMBER_OF_ARGUMENTS_DOESNT_MATCH);
             }
+
             String disk_name = args[0].safeGet<String>();
             disk = params.context->getDisk(disk_name);
             path = args[1].safeGet<String>();
+
+            if (!isDiskAllowed(disk_name, params.context->getConfigRef()))
+                throw Exception(ErrorCodes::BAD_ARGUMENTS, "Disk {} is not allowed for backups", disk_name);
         }
 
         return std::make_shared<BackupInDirectory>(backup_name, params.open_mode, disk, path, params.context, params.base_backup_info);

src/Backups/BackupInDirectory.h

@@ -13,6 +13,7 @@ using DiskPtr = std::shared_ptr<IDisk>;
 class BackupInDirectory : public BackupImpl
 {
 public:
+    /// `disk`_ is allowed to be nullptr and that means the `path_` is a path in the local filesystem.
     BackupInDirectory(
         const String & backup_name_,
         OpenMode open_mode_,

tests/integration/test_backup_restore_new/configs/backups_disk.xml

@@ -8,4 +8,8 @@
             </backups>
         </disks>
     </storage_configuration>
+    <backups>
+        <allowed_disk>backups</allowed_disk>
+        <allowed_path>/backups/</allowed_path>
+    </backups>
 </clickhouse>