yahoo-eng-team team mailing list archive
Message #49766
[Bug 1570694] Re: potentially unsafe use of shell commands
** No longer affects: rally
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1570694
Title:
potentially unsafe use of shell commands
Status in neutron:
Invalid
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Hello, I'm reviewing neutron-vpnaas for inclusion in Ubuntu main and had
some questions.
Most of my concern lies in one file:
http://git.openstack.org/cgit/openstack/neutron-vpnaas/tree/rally-jobs/plugins/vpn_utils.py
This file extensively calls sudo with string-constructed command lines
with no parameter quoting of any kind. This allows easy shell injection
problems.
I can't decide if this is a security issue or not:
- If this is intended to be used by the cloud 'owner' and only the owner,
then it's probably fine as-is, though may suffer reliability issues.
- If this is intended to allow individual tenants in the cloud to manage
their own virtual machines, this _may_ be fine as-is, though may suffer
reliability problems.
- If this is intended to allow individual tenants in the cloud to manage
cloud-owned networking machines, this package needs immediate attention
from the openstack security team.
Just search for 'sudo' in that file and I think the issue will be
immediately obvious. Here are a few examples I collected for my notes,
though they came from Ubuntu's packaging so may differ slightly:
- cmd = "sudo ip netns exec {} ip a".format(namespace)
  interfaces = execute_cmd_over_ssh(controller, cmd, private_key)
- cmd = "sudo ip netns exec {} ping -w {} -c {} {}".format(
      namespace, 2 * count, count, router_gw_ip)
  return ping(controller, cmd, private_key)
- for key, ns_comp in zip(remote_key_files, ns_compute_tuples):
      cmd = "sudo rm -f {}".format(key)
      host = ns_comp[1]
      execute_cmd_over_ssh(host, cmd, private_key)
- cmd = ("sudo ssh-keygen -f /root/.ssh/known_hosts -R"
         " {}".format(host))
  execute_cmd_over_ssh(compute_host, cmd, private_key)
Thanks
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1570694/+subscriptions