
yahoo-eng-team team mailing list archive

[Bug 1580338] Re: create token API is not doing proper input validation


Reviewed:  https://review.openstack.org/404806
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d16ec35378494f06a983a4c7f8566719bcf6ac3e
Submitter: Jenkins
Branch:    master

commit d16ec35378494f06a983a4c7f8566719bcf6ac3e
Author: Brant Knudson <bknudson@xxxxxxxxxx>
Date:   Wed Nov 30 08:47:01 2016 -0600

    Validate token issue input
    
    The server wasn't validating the input to `POST /v3/auth/tokens`
    and instead allowing invalid input to be sent into the code which
    only haphazardly checked the types and values of the data, leading
    to confusing errors such as 500 Internal Server Error rather than
    400 Bad Request as expected, and also potentially security issues.
    
    Closes-Bug: 1580338
    Change-Id: I34146659ebb912485716a7d07f7ae7800a5cb9ac


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1580338

Title:
  create token API is not doing proper input validation

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  HTTP 500 being returned when the request body for POST /v3/auth/tokens
  has an empty string in place of one of the dicts that should be passed
  in. This shows that the code is not doing proper input validation. It
  should detect the user error and return an HTTP 400. Here's an example
  where project domain is "" instead of {"id": "default"}:

  # curl -1 -k -i -X POST https://localhost:5000/v3/auth/tokens -H "Accept: application/json" -H "Content-Type: application/json" -d '{"auth": {"scope": {"project": {"name": "myproj", "domain": ""}}, "identity": {"methods": ["password"], "password": {"user": {"domain": {"name": "Default"}, "name": "myuser", "password": "mypassword"}}}}}'
  HTTP/1.1 500 Internal Server Error
  Date: Tue, 10 May 2016 20:39:53 GMT
  Server: Apache
  Vary: X-Auth-Token
  x-openstack-request-id: req-a4961a66-b545-407e-9aa3-7575e38c252c
  Content-Length: 143
  Connection: close
  Content-Type: application/json

  {"error": {"message": "An unexpected error prevented the server from
  fulfilling your request.", "code": 500, "title": "Internal Server
  Error"}}

  Logs show:

  2016-05-10 16:39:53.716 2951 INFO keystone.common.wsgi [req-a4961a66-b545-407e-9aa3-7575e38c252c - - - - -] POST https://localhost:5000/v3/auth/tokens
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi [req-a4961a66-b545-407e-9aa3-7575e38c252c - - - - -] 'unicode' object has no attribute 'get'
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi Traceback (most recent call last):
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/common/wsgi.py", line 249, in __call__
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi     result = method(context, **params)
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 392, in authenticate_for_token
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi     auth_info = AuthInfo.create(context, auth=auth)
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 137, in create
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi     auth_info._validate_and_normalize_auth_data(scope_only)
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 305, in _validate_and_normalize_auth_data
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi     self._validate_and_normalize_scope_data()
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 247, in _validate_and_normalize_scope_data
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi     project_ref = self._lookup_project(self.auth['scope']['project'])
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 210, in _lookup_project
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi     domain_ref = self._lookup_domain(project_info['domain'])
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi   File "/usr/lib/python2.7/site-packages/keystone/auth/controllers.py", line 172, in _lookup_domain
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi     domain_id = domain_info.get('id')
  2016-05-10 16:39:53.717 2951 ERROR keystone.common.wsgi AttributeError: 'unicode' object has no attribute 'get'

  Note: you can also get HTTP 500 if you replace other dicts in the
  request, e.g. {"user": ""}
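The crash in the traceback above happens because a string reaches code that assumes it was handed a dict. The following is an added example written for this page (not keystone's code, and not the schema the linked fix introduced): a small declarative schema covering the parts of the `POST /v3/auth/tokens` body that the report exercises, a stdlib-only validator, and stand-in `lookup_domain`/`normalize_scope` helpers that, like the original, trust their input. The schema shape, the helper names and the sample bodies are constructed for the example; `BUG_BODY` reproduces the curl payload from the report and `USER_BODY` the `{"user": ""}` variant. Under Python 3 the unvalidated path fails with `'str' object has no attribute 'get'` rather than the `'unicode'` wording in the Python 2.7 log.

```python
import json

# Schema for the parts of the token-issue body exercised in the bug report.
# Constructed for this example; it is NOT keystone's own schema.
DOMAIN_REF = {"type": "object",
              "properties": {"id": {"type": "string"}, "name": {"type": "string"}}}
USER_REF = {"type": "object",
            "properties": {"id": {"type": "string"}, "name": {"type": "string"},
                           "password": {"type": "string"}, "domain": DOMAIN_REF}}
PROJECT_REF = {"type": "object",
               "properties": {"id": {"type": "string"}, "name": {"type": "string"},
                              "domain": DOMAIN_REF}}
TOKEN_ISSUE_SCHEMA = {
    "type": "object", "required": ["auth"],
    "properties": {"auth": {
        "type": "object", "required": ["identity"],
        "properties": {
            "identity": {
                "type": "object", "required": ["methods"],
                "properties": {
                    "methods": {"type": "array", "items": {"type": "string"}},
                    "password": {"type": "object", "required": ["user"],
                                 "properties": {"user": USER_REF}}}},
            "scope": {"type": "object",
                      "properties": {"project": PROJECT_REF, "domain": DOMAIN_REF}}}}}}

_PY_TYPES = {"object": dict, "array": list, "string": str}


def validate(value, schema, path="body"):
    """Return a list of readable problems; an empty list means the value conforms."""
    errors = []
    expected = schema["type"]
    if not isinstance(value, _PY_TYPES[expected]):
        errors.append("%s: expected %s, got %s" % (path, expected, type(value).__name__))
        return errors  # a value of the wrong shape is not descended into
    if expected == "object":
        for key in schema.get("required", ()):
            if key not in value:
                errors.append("%s: missing required property '%s'" % (path, key))
        for key, sub in schema.get("properties", {}).items():
            if key in value:
                errors.extend(validate(value[key], sub, path + "." + key))
    elif expected == "array":
        for i, item in enumerate(value):
            errors.extend(validate(item, schema["items"], "%s[%d]" % (path, i)))
    return errors


def lookup_domain(domain_info):
    """Stand-in for the downstream lookup in the traceback: assumes a dict."""
    return domain_info.get("id") or domain_info.get("name")


def normalize_scope(auth):
    """Stand-in for scope normalization; like the original, it trusts its input."""
    scope = auth.get("scope")
    if not scope or "project" not in scope:
        return {"project": None, "domain": None}  # unscoped request
    project = scope["project"]
    return {"project": project.get("name") or project.get("id"),
            "domain": lookup_domain(project["domain"])}


def issue_token_unvalidated(raw_body):
    """Pre-fix behaviour: the body goes straight to code that assumes dicts."""
    body = json.loads(raw_body)
    return 201, normalize_scope(body["auth"])


def issue_token_validated(raw_body):
    """Post-fix behaviour: malformed input is rejected with 400 before any lookup."""
    try:
        body = json.loads(raw_body)
    except ValueError as exc:
        return 400, {"error": {"code": 400, "message": "Malformed JSON: %s" % exc}}
    problems = validate(body, TOKEN_ISSUE_SCHEMA)
    if problems:
        return 400, {"error": {"code": 400, "message": "Invalid input: " + "; ".join(problems)}}
    return 201, normalize_scope(body["auth"])


# Constructed sample bodies: BUG_BODY mirrors the curl payload in the report.
_IDENTITY = {"methods": ["password"], "password": {"user": {
    "domain": {"name": "Default"}, "name": "myuser", "password": "mypassword"}}}
BUG_BODY = json.dumps({"auth": {"scope": {"project": {"name": "myproj", "domain": ""}},
                                "identity": _IDENTITY}})
GOOD_BODY = json.dumps({"auth": {"scope": {"project": {"name": "myproj", "domain": {"id": "default"}}},
                                 "identity": _IDENTITY}})
USER_BODY = json.dumps({"auth": {"identity": {"methods": ["password"], "password": {"user": ""}}}})

if __name__ == "__main__":
    for label, body in (("bug", BUG_BODY), ("good", GOOD_BODY), ("user", USER_BODY), ("empty", "{}")):
        print(label, issue_token_validated(body))
    try:
        issue_token_unvalidated(BUG_BODY)
    except AttributeError as exc:
        print("unvalidated path crashed:", exc)
```

The point of the example is where the check sits: the schema is applied once, at the edge, so every later `.get()` on a domain, project or user reference operates on a value already known to be a dict, and the caller gets a 400 naming the offending path instead of a 500 and a traceback in the server log.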

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1580338/+subscriptions

