yahoo-eng-team team mailing list archive

[Bug 1656482] Re: GET /resource_providers?member_of does not validate the value is a uuid

 

Reviewed:  https://review.openstack.org/420272
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=c17772e1f202c9ffb651adc3299a1990c35766f3
Submitter: Jenkins
Branch:    master

commit c17772e1f202c9ffb651adc3299a1990c35766f3
Author: Matt Riedemann <mriedem@xxxxxxxxxx>
Date:   Fri Jan 13 21:42:07 2017 -0500

    placement: validate member_of values are uuids
    
    The 1.3 microversion adds the member_of query parameter
    for listing resource providers which are members of
    one or more aggregates based on the aggregate uuids. However
    the REST API handler code is simply parsing and passing the
    member_of values through to the object code which is doing a
    SQL IN statement which will result in no resource providers if
    an invalid aggregate uuid is provided, i.e. not actually a
    uuid.
    
    This patch adds simple uuid validation to the handler code
    that's parsing the member_of query parameter.
    
    Change-Id: I912f731e0d75979aea0a0f22c15e6cfb84a95050
    Closes-Bug: #1656482


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1656482

Title:
  GET /resource_providers?member_of does not validate the value is a
  uuid

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  The 1.3 microversion of the placement API adds a member_of query
  string parameter to the /resource_providers handler and the values are
  meant to be aggregate uuids, but the REST API handler code simply
  parses the query string and passes the filter through to the DB API
  query code, which is doing a simple aggregate.uuid IN [values] query.
  For something that's not a uuid it's just going to result in no
  results and return an empty list, but the REST API should be stricter
  about the actual member_of values being uuids.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1656482/+subscriptions
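
The check described in the bug, as an added example that is not nova's code and not part of the original message: reject a malformed member_of value at the API boundary instead of letting it reach the aggregate.uuid IN [values] query. The names BadRequest, is_canonical_uuid and parse_member_of are hypothetical, and the wire format (comma-separated uuids with an optional in: prefix) is an assumption.

```python
import uuid
from urllib.parse import parse_qs


class BadRequest(ValueError):
    """Hypothetical stand-in for the HTTP 400 the handler would return."""


def is_canonical_uuid(value):
    """True only for the hyphenated 8-4-4-4-12 form (case-insensitive)."""
    try:
        # uuid.UUID() also accepts braces and urn: prefixes, so compare
        # the round-tripped string to refuse those looser spellings.
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def parse_member_of(query_string):
    """Return validated aggregate uuids from a raw query string.

    Raises BadRequest rather than passing a malformed value through to
    the IN query, where it would silently match nothing.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    if "member_of" not in params:
        return []
    raw = params["member_of"][-1]
    # Assumption: optional "in:" prefix, then comma-separated uuids.
    if raw.startswith("in:"):
        raw = raw[3:]
    values = [v.strip() for v in raw.split(",")]
    bad = [v for v in values if not is_canonical_uuid(v)]
    if bad:
        raise BadRequest("member_of: not a uuid: %r" % bad)
    return sorted(set(v.lower() for v in values))


# Constructed sample inputs (not taken from the bug report).
GOOD = ("member_of=in:3d1a7f0e-5c2b-4e8a-9f6d-0b1c2d3e4f5a,"
        "AAAAAAAA-BBBB-4CCC-8DDD-EEEEEEEEEEEE")
BAD = "member_of=3d1a7f0e-5c2b-4e8a-9f6d-0b1c2d3e4f5a,not-a-uuid"
```
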

