yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1379515] [NEW] GET requests in workflows expose IDs and query parameters

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Chris Jones <chris@xxxxxxxxxxxxxxx>
Date: Thu, 09 Oct 2014 20:48:12 -0000
Reply-to: Bug 1379515 <1379515@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

As identified by an automated vulnerability scanner, workflow in Horizon
for instances, volumes, images, aggregates, users, etc., expose
identifiers and steps in the workflow.

Example URIs:
https://172.20.39.10/project/instances/6eb73aea-d992-4192-9506-60a20a6a5f2d/?tab=instance_details__log
https://172.20.39.10/project/volumes/ecf5e3af-52e7-4f23-a47e-fe91f469fc2c/update/
https://172.20.39.10/project/instances/launch?source_id=49a84978-914f-40f1-b886-5fa72092548a&source_type=image_id
https://172.20.39.10/admin/users/b5a25808e7cf4b74ae1007515975ca7f/update/

The best practice recommended by the vulnerability scanner report is to
change these requests to use HTTP POST.


As most traffic to Horizon should already be over HTTPS, there is likely a very low risk of leaking identifiers.

A downside to using POST is that users won't be able to bookmark into
specific resource workflow.

** Affects: horizon
     Importance: Undecided
         Status: New


** Tags: identifier parameter query workflow

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1379515

Title:
  GET requests in workflows expose IDs and query parameters

Status in OpenStack Dashboard (Horizon):
  New

Bug description:
  As identified by an automated vulnerability scanner, workflow in
  Horizon for instances, volumes, images, aggregates, users, etc.,
  expose identifiers and steps in the workflow.

  Example URIs:
  https://172.20.39.10/project/instances/6eb73aea-d992-4192-9506-60a20a6a5f2d/?tab=instance_details__log
  https://172.20.39.10/project/volumes/ecf5e3af-52e7-4f23-a47e-fe91f469fc2c/update/
  https://172.20.39.10/project/instances/launch?source_id=49a84978-914f-40f1-b886-5fa72092548a&source_type=image_id
  https://172.20.39.10/admin/users/b5a25808e7cf4b74ae1007515975ca7f/update/

  The best practice recommended by the vulnerability scanner report is
  to change these requests to use HTTP POST.

  
  As most traffic to Horizon should already be over HTTPS, there is likely a very low risk of leaking identifiers.

  A downside to using POST is that users won't be able to bookmark into
  specific resource workflow.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1379515/+subscriptions

Follow ups

[Bug 1379515] Re: GET requests in workflows expose IDs and query parameters
From: Launchpad Bug Tracker, 2015-01-12
[Bug 1379515] [NEW] GET requests in workflows expose IDs and query parameters
From: Chris Jones, 2014-10-09

References

[Bug 1379515] [NEW] GET requests in workflows expose IDs and query parameters
From: Chris Jones, 2014-10-09