yahoo-eng-team team mailing list archive

[Bug 1379515] [NEW] GET requests in workflows expose IDs and query parameters

Public bug reported:

As identified by an automated vulnerability scanner, workflows in Horizon
for instances, volumes, images, aggregates, users, etc., expose
identifiers and steps in the workflow.

Example URIs:
https://172.20.39.10/project/instances/6eb73aea-d992-4192-9506-60a20a6a5f2d/?tab=instance_details__log
https://172.20.39.10/project/volumes/ecf5e3af-52e7-4f23-a47e-fe91f469fc2c/update/
https://172.20.39.10/project/instances/launch?source_id=49a84978-914f-40f1-b886-5fa72092548a&source_type=image_id
https://172.20.39.10/admin/users/b5a25808e7cf4b74ae1007515975ca7f/update/

The best practice recommended by the vulnerability scanner report is to
change these requests to use HTTP POST.


As most traffic to Horizon should already be over HTTPS, there is likely a very low risk of leaking identifiers.

A downside to using POST is that users won't be able to bookmark into
specific resource workflows.

** Affects: horizon
     Importance: Undecided
         Status: New


** Tags: identifier parameter query workflow

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1379515

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1379515/+subscriptions
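An added example, not part of the bug report or of Horizon itself: it runs the scanner's observation over web-server access logs so an operator can see which requests put resource identifiers into the URL (and therefore into logs, browser history and Referer headers). The log lines are constructed from the report's example URIs, and the two identifier shapes (hyphenated UUID, 32 hex characters) are assumed from those URIs.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Hyphenated UUID (instance/volume/image ids) or 32 hex chars (the user id in the fourth URI).
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed access-log lines (common log format) built from the report's example URIs.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Oct/2014:10:00:01 +0000] "GET /project/instances/6eb73aea-d992-4192-9506-60a20a6a5f2d/?tab=instance_details__log HTTP/1.1" 200 5120
10.0.0.5 - - [09/Oct/2014:10:00:02 +0000] "GET /project/volumes/ecf5e3af-52e7-4f23-a47e-fe91f469fc2c/update/ HTTP/1.1" 200 2048
10.0.0.5 - - [09/Oct/2014:10:00:03 +0000] "GET /project/instances/launch?source_id=49a84978-914f-40f1-b886-5fa72092548a&source_type=image_id HTTP/1.1" 200 8192
10.0.0.5 - - [09/Oct/2014:10:00:04 +0000] "GET /admin/users/b5a25808e7cf4b74ae1007515975ca7f/update/ HTTP/1.1" 200 2048
10.0.0.5 - - [09/Oct/2014:10:00:05 +0000] "POST /project/volumes/ecf5e3af-52e7-4f23-a47e-fe91f469fc2c/update/ HTTP/1.1" 302 0
10.0.0.5 - - [09/Oct/2014:10:00:06 +0000] "GET /project/instances/ HTTP/1.1" 200 4096
"""


def is_identifier(value):
    """True if a path segment or query value looks like an OpenStack resource id."""
    return bool(UUID_RE.match(value) or HEX32_RE.match(value))


def identifiers_in_request(line):
    """Parse one log line; return a finding dict if its request target carries an id, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    parts = urlsplit(match.group("target"))
    path_ids = [seg for seg in parts.path.split("/") if is_identifier(seg)]
    query_ids = [(key, val) for key, val in parse_qsl(parts.query) if is_identifier(val)]
    if not path_ids and not query_ids:
        return None
    return {"method": match.group("method"), "path": parts.path,
            "path_ids": path_ids, "query_ids": query_ids}


def audit(log_text):
    """Return one finding per request whose URL exposes a resource identifier."""
    return [f for f in (identifiers_in_request(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        where = "path" if finding["path_ids"] else "query"
        print(f'{finding["method"]:4} {where:5} {finding["path"]}')
```

Note that the POST line is still flagged: moving a workflow to POST only helps if the identifier leaves the URL as well, since the path is logged regardless of method.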
