yahoo-eng-team team mailing list archive
Message #50521
[Bug 1580338] [NEW] create token API is not doing proper input validation
Public bug reported:
An HTTP 500 is returned when the request body for POST /v3/auth/tokens
has an empty string in place of one of the dicts that should be passed
in. This shows that the code is not doing proper input validation. It
should detect the user error and return an HTTP 400. Here's an example
where the project domain is "" instead of {"id": "default"}:
# curl -1 -k -i -X POST https://localhost:5000/v3/auth/tokens -H "Accept: application/json" -H "Content-Type: application/json" -d '{"auth": {"scope": {"project": {"name": "myproj", "domain": ""}}, "identity": {"methods": ["password"], "password": {"user": {"domain": {"name": "Default"}, "name": "myuser", "password": "mypassword"}}}}}'
HTTP/1.1 500 Internal Server Error
Date: Tue, 10 May 2016 20:39:53 GMT
Server: Apache
Vary: X-Auth-Token
x-openstack-request-id: req-a4961a66-b545-407e-9aa3-7575e38c252c
Content-Length: 143
Connection: close
Content-Type: application/json
{"error": {"message": "An unexpected error prevented the server from fulfilling your request.", "code": 500, "title": "Internal Server Error"}}
Logs show:
2016-05-10 16:39:53.716 2951 INFO keystone.common.wsgi [req-a4961a66-b545-407e-9aa3-7575e38c252c - - - - -] POST https://localhost:5000/v3/auth/tokens
2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi [req-a4961a66-b545-407e-9aa3-7575e38c252c - - - - -] 'unicode' object has no attribute 'get'
2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi Traceback (most recent call last):
2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 249, in __call__
2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi result = method(context, **params)
2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 392, in authenticate_for_token
2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi auth_info = AuthInfo.create(context, auth=auth)
2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 137, in create
2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi auth_info._validate_and_normalize_auth_data(scope_only)
2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 305, in _validate_and_normalize_auth_data
2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi self._validate_and_normalize_scope_data()
2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 247, in _validate_and_normalize_scope_data
2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi project_ref = self._lookup_project(self.auth['scope']['project'])
2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 210, in _lookup_project
2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi domain_ref = self._lookup_domain(project_info['domain'])
2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 172, in _lookup_domain
2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi domain_id = domain_info.get('id')
2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi AttributeError: 'unicode' object has no attribute 'get'
Note: you can also get HTTP 500 if you replace other dicts in the
request, e.g. {"user": ""}
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1580338
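As an added example (not keystone's code and not part of the report), the following Python models the failing call path from the traceback beside a type-checked version, and turns the reporter's note that "you can also get HTTP 500 if you replace other dicts" into an exhaustive probe that swaps every JSON object in the body for "". The function names (handle_unchecked, handle_checked, validate_token_request, mutate_objects, probe), the OBJECT_FIELDS list and both request bodies are constructed for this example; keystone's real validation layer and schema differ.

```python
import copy

# Constructed bodies (not captured traffic): SAMPLE_REQUEST is the curl body
# from the report with the project domain as a proper object; REPORTED_REQUEST
# is the exact shape the reporter sent, with "" where the domain object belongs.
SAMPLE_REQUEST = {
    "auth": {
        "scope": {"project": {"name": "myproj", "domain": {"id": "default"}}},
        "identity": {
            "methods": ["password"],
            "password": {"user": {"domain": {"name": "Default"},
                                  "name": "myuser", "password": "mypassword"}},
        },
    }
}
REPORTED_REQUEST = copy.deepcopy(SAMPLE_REQUEST)
REPORTED_REQUEST["auth"]["scope"]["project"]["domain"] = ""

# Fields that must be JSON objects, parent listed before child.  Illustrative
# list written for this example; it is not keystone's own schema.
OBJECT_FIELDS = [
    ("auth",),
    ("auth", "identity"),
    ("auth", "identity", "password"),
    ("auth", "identity", "password", "user"),
    ("auth", "identity", "password", "user", "domain"),
    ("auth", "scope"),
    ("auth", "scope", "project"),
    ("auth", "scope", "project", "domain"),
]

_MISSING = object()


class ValidationError(Exception):
    """Client input error; an API layer would map it to HTTP 400."""
    code = 400


def _descend(node, path):
    """Return the value at `path`, or _MISSING if any key on the way is absent."""
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def validate_token_request(body):
    """Reject any expected-object field that is present but not a JSON object.

    Parents are checked before children, so a bad parent is reported first.
    Absent fields pass; presence rules are out of scope for this example.
    """
    for path in OBJECT_FIELDS:
        value = _descend(body, path)
        if value is _MISSING:
            continue
        if not isinstance(value, dict):
            raise ValidationError(
                "Invalid input for field '%s': expected a JSON object, got %s"
                % (".".join(path), type(value).__name__))
    return True


def handle_unchecked(body):
    """Model of the server in the report: no type checks, so a string where a
    dict is expected raises AttributeError ('str' on Python 3, 'unicode' in the
    Python 2 traceback), which the WSGI layer turns into HTTP 500."""
    try:
        auth = body.get("auth")
        scope = auth.get("scope")
        if scope is not None and scope.get("project") is not None:
            project = scope["project"]
            domain = project.get("domain")
            if domain is not None:
                domain.get("id")           # the call that fails in the report
        user = auth.get("identity").get("password").get("user")
        user.get("domain").get("id")
        user.get("name")
    except AttributeError:
        return 500
    return 201


def handle_checked(body):
    """Same flow with validation first: malformed input becomes 400."""
    try:
        validate_token_request(body)
    except ValidationError as exc:
        return exc.code
    return handle_unchecked(body)


def mutate_objects(body, replacement=""):
    """Yield (dotted_path, copy_of_body) for every JSON object in `body`, with
    that one object swapped for `replacement`: the reporter's "replace other
    dicts in the request" done for every dict at once."""
    def walk(node, path):
        for key, child in node.items():
            here = path + (key,)
            if isinstance(child, dict):
                mutated = copy.deepcopy(body)
                _descend(mutated, path)[key] = replacement
                yield ".".join(here), mutated
                yield from walk(child, here)
    yield from walk(body, ())


def probe(body):
    """Map each mutated path to (status_unchecked, status_checked)."""
    return {path: (handle_unchecked(m), handle_checked(m))
            for path, m in mutate_objects(body)}


if __name__ == "__main__":
    for path, statuses in sorted(probe(SAMPLE_REQUEST).items()):
        print("%-45s unchecked=%d checked=%d" % ((path,) + statuses))
```

Run stand-alone, the script lists all eight object positions in the body; every one of them yields 500 from the unchecked model and 400 once the type check runs first. Checking parents before children matters: if the check started at the leaf, a body with "auth": "" would fail inside the validator itself, for the same reason the server did.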