yahoo-eng-team team mailing list archive

[Bug 1606500] Re: Heat: template source URL allows network port scan

 

Reviewed:  https://review.openstack.org/393146
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=eab9a33ce760c55695a5beb2e541487588b08c98
Submitter: Jenkins
Branch:    master

commit eab9a33ce760c55695a5beb2e541487588b08c98
Author: Daniel Gonzalez <daniel@xxxxxxxxxxxxxxxxxxxxx>
Date:   Mon Oct 17 10:22:42 2016 +0200

    Prevent template validate from scanning ports
    
    The template validation method in the heat API allows specifying the
    template to validate using a URL with the 'template_url' parameter.
    
    By entering invalid http URLs, like 'http://localhost:22' it is
    possible to scan ports by evaluating the error message of the request.
    
    For example, the request
    
    curl -H "Content-Type: application/json" -H "X-Auth-Token: <TOKEN>" \
    -X POST -d '{"template_url": "http://localhost:22"}' \
    http://127.0.0.1:8004/v1/<TENANT_ID>/validate
    
    causes the following error message to be returned to the user:
    
    "Could not retrieve template: Failed to retrieve template:
    ('Connection aborted.',
    BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))"
    
    This could be misused by tenants to gain knowledge about the internal
    network the heat API runs in.
    
    To prevent this information leak, this patch alters the error message
    to not include such details when the url scheme is not 'file'.
    
    SecurityImpact
    
    Closes-Bug: #1606500
    
    Change-Id: Id1f86f41c1e6c028d889eca7ccbb9cde67631950


** Changed in: heat
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1606500

Title:
  Heat: template source URL allows network port scan

Status in heat:
  Fix Released
Status in OpenStack Dashboard (Horizon):
  Invalid
Status in OpenStack Security Advisory:
  In Progress

Bug description:
  Launching a new Heat stack and giving the template from a URL like
  http://localhost:22

  Results in an error message like:

  ERROR: Could not retrieve template: Failed to retrieve template:
  ('Connection aborted.', BadStatusLine('SSH-2.0-OpenSSH_6.6.1\r\n',))

  This is a security issue as it allows users to scan the network for
  listening ports.

  heat CLI does not allow that:

  heat stack-create -u http://localhost:22 test
  [Errno 104] Connection reset by peer
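
The mitigation described in the commit message, as an added example that is not part of the original message and is not Heat's own code: the transport error is written to the service log, and the caller gets one fixed text unless the URL scheme is 'file'. The names `fetch_template`, `TemplateFetchError`, `client_message`, the logger name and the two stand-in openers are hypothetical, and the banner string is constructed.

```python
import http.client
import logging
import urllib.error
import urllib.parse
import urllib.request

LOG = logging.getLogger("template_fetch")  # hypothetical logger name


class TemplateFetchError(Exception):
    """Error whose text is returned to the API caller (hypothetical)."""


def fetch_template(url, opener=urllib.request.urlopen, timeout=5):
    """Fetch a template; hide transport details unless the scheme is 'file'."""
    scheme = urllib.parse.urlparse(url).scheme
    if scheme not in ("http", "https", "file"):
        raise TemplateFetchError("Invalid URL scheme %r" % scheme)
    try:
        with opener(url, timeout=timeout) as resp:
            return resp.read()
    except (OSError, http.client.HTTPException) as exc:
        # Full detail goes to the service log, where operators can read it.
        LOG.info("Failed to retrieve template %r: %r", url, exc)
        if scheme == "file":
            raise TemplateFetchError("Failed to retrieve template: %s" % exc)
        # One fixed text for refused, reset and non-HTTP peers, so the reply
        # no longer tells the caller what is listening on the port.
        raise TemplateFetchError("Failed to retrieve template from %s" % url)


# Constructed stand-ins for the network, so the example runs offline.
def banner_peer(url, timeout=None):
    raise http.client.BadStatusLine("SSH-2.0-Example_1.0\r\n")


def closed_port(url, timeout=None):
    raise urllib.error.URLError(ConnectionRefusedError(111, "Connection refused"))


def client_message(url, opener):
    """Return the error text an API caller would see for this URL."""
    try:
        fetch_template(url, opener=opener)
    except TemplateFetchError as exc:
        return str(exc)
    return None
```

Calling `client_message("http://localhost:22", banner_peer)` and the same URL with `closed_port` returns identical text, while the log record still carries the exception for troubleshooting.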
