yahoo-eng-team team mailing list archive
Message #63791
[Bug 1688182] Re: quota project_id not validated
*** This bug is a duplicate of bug 1118066 ***
https://bugs.launchpad.net/bugs/1118066
** This bug has been marked a duplicate of bug 1118066
Nova should confirm quota requests against Keystone
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1688182
Title:
quota project_id not validated
Status in OpenStack Compute (nova):
New
Bug description:
The primary problem here is that the quota update and show REST apis
do not do any input validation for the project_id that gets passed in
due to which the following can be done:
1. quota can be updated against any junk value, which subsequently
gets updated into the quotas table. For e.g.:
PUT /v2.1/tenant-id/os-quota-sets/auctionweaver.pl
{
    "quota_set": {
        "ram": 5000
    }
}
Response:
{
    "quota_set": {
        "injected_file_content_bytes": 10240,
        "metadata_items": 128,
        "server_group_members": 100,
        "server_groups": 25,
        "ram": 5000,
        "floating_ips": 10,
        "key_pairs": 100,
        "instances": 100,
        "security_group_rules": 20,
        "injected_files": 5,
        "cores": 550,
        "fixed_ips": -1,
        "injected_file_path_bytes": 255,
        "security_groups": 10
    }
}
The DB table for quotas has the below data which is incorrect. This
shows that there is no input validation done.
MariaDB [nova]> select * from quotas;
+----+---------------------+---------------------+------------+----------------------------------+----------------------+------------+---------+
| id | created_at | updated_at | deleted_at | project_id | resource | hard_limit | deleted |
+----+---------------------+---------------------+------------+----------------------------------+----------------------+------------+---------+
| 1 | 2017-04-19 07:46:12 | 2017-04-19 11:13:32 | NULL | auctionweaver.pl | ram | 5000 | 0 |
+----+---------------------+---------------------+------------+----------------------------------+----------------------+------------+---------+
2. I could easily replace "auctionweaver.pl" in the above example with
a valid project id for which I don't have any role assignment and it
will work fine.
3. Point 2 is true not just in the case of an admin. It works for all
roles without prejudice.
4. There's absolutely no input validation that's done for the
project_id passed in. After updating junk values into the table, I can
retrieve those values as well:
I was able to list the nova quotas using the below invalid URL. Please
note the "id" attribute in the response.
GET /v2.1/tenant-id/os-quota-sets/sfkhdskfjhd
{
    "quota_set": {
        "injected_file_content_bytes": 10240,
        "metadata_items": 128,
        "server_group_members": 100,
        "server_groups": 25,
        "ram": 4096,
        "floating_ips": 10,
        "key_pairs": 100,
        "id": "sfkhdskfjhd",
        "instances": 100,
        "security_group_rules": 20,
        "injected_files": 5,
        "cores": 100,
        "fixed_ips": -1,
        "injected_file_path_bytes": 255,
        "security_groups": 10
    }
}
5. It should be technically possible for someone to try out SQL
injections using this API. Some user with non-admin privileges for a
particular project might be able to view or update quota values for
the other projects using the above mechanism.
6. This behavior is the same for the Cinder APIs as well.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1688182/+subscriptions
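The bug above boils down to two missing checks in the quota show/update path: the project_id is never validated (neither its format nor its existence in Keystone), and the caller's role on the target project is never checked. The following is an added example, not nova's code and not the fix the project eventually shipped. It sketches what the defensive path looks like with in-memory stand-ins: FakeIdentity plays the Keystone lookup, QuotaStore plays the quotas table, Caller is a constructed request context, and the id pattern in PROJECT_ID_RE is an assumption chosen for the example rather than nova's real rule. The two ids from the report behave differently on purpose: "auctionweaver.pl" fails the format check, while "sfkhdskfjhd" is well-formed and only fails the identity lookup, which is why a format check alone is not enough.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable

# Assumed format rule for this example: a Keystone-style project id is a
# short, URL-safe token. This pattern is an assumption, not nova's real check.
PROJECT_ID_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")


class InvalidProjectId(ValueError):
    """Malformed project_id (would map to HTTP 400)."""


class ProjectNotFound(LookupError):
    """Well-formed id that the identity service does not know (HTTP 404)."""


class Forbidden(PermissionError):
    """Caller holds no role on the target project (HTTP 403)."""


class FakeIdentity:
    """Constructed stand-in for a Keystone client: an in-memory set of ids."""

    def __init__(self, known_projects: Iterable[str]):
        self._known = set(known_projects)

    def project_exists(self, project_id: str) -> bool:
        return project_id in self._known


@dataclass
class Caller:
    """Constructed request context: the caller's own project and admin flag."""
    project_id: str
    is_admin: bool = False


@dataclass
class QuotaStore:
    """Constructed in-memory stand-in for the quotas table."""
    defaults: Dict[str, int] = field(
        default_factory=lambda: {"ram": 4096, "cores": 100, "instances": 100})
    rows: Dict[str, Dict[str, int]] = field(default_factory=dict)

    def get(self, project_id: str) -> Dict[str, int]:
        # Per-project overrides layered on the defaults, like the real table.
        return {**self.defaults, **self.rows.get(project_id, {})}

    def set(self, project_id: str, values: Dict[str, int]) -> None:
        self.rows.setdefault(project_id, {}).update(values)


def validate_project_id(project_id: str, identity: FakeIdentity) -> str:
    """Reject ids that are malformed or unknown to the identity service."""
    if not PROJECT_ID_RE.match(project_id):
        raise InvalidProjectId(f"malformed project_id {project_id!r}")
    if not identity.project_exists(project_id):
        raise ProjectNotFound(f"project {project_id!r} not found in Keystone")
    return project_id


def authorize(caller: Caller, project_id: str) -> None:
    """Non-admins may only act on the project they hold a role in."""
    if not caller.is_admin and caller.project_id != project_id:
        raise Forbidden(f"caller has no role on project {project_id!r}")


def show_quota(store: QuotaStore, identity: FakeIdentity,
               caller: Caller, project_id: str) -> dict:
    validate_project_id(project_id, identity)
    authorize(caller, project_id)
    return {"quota_set": {"id": project_id, **store.get(project_id)}}


def update_quota(store: QuotaStore, identity: FakeIdentity, caller: Caller,
                 project_id: str, quota_set: Dict[str, int]) -> dict:
    validate_project_id(project_id, identity)
    authorize(caller, project_id)
    # Only known resources with integer limits (-1 meaning unlimited) are stored.
    for name, limit in quota_set.items():
        if name not in store.defaults or not isinstance(limit, int) or limit < -1:
            raise ValueError(f"bad quota entry {name!r}={limit!r}")
    store.set(project_id, dict(quota_set))
    return show_quota(store, identity, caller, project_id)


def raises(exc_type, fn, *args, **kwargs) -> bool:
    """True if calling fn raises exc_type; used to check the reject paths."""
    try:
        fn(*args, **kwargs)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    identity = FakeIdentity(["tenant-id", "other-project"])
    store, admin = QuotaStore(), Caller("tenant-id", is_admin=True)
    print(raises(InvalidProjectId, update_quota, store, identity, admin,
                 "auctionweaver.pl", {"ram": 5000}))          # True: 400
    print(raises(ProjectNotFound, show_quota, store, identity, admin,
                 "sfkhdskfjhd"))                              # True: 404
    print(update_quota(store, identity, admin, "tenant-id", {"ram": 5000}))
```

Because the validation runs before any database access, the junk ids from the report never reach the quotas table, and the authorization step means a member of one project cannot read or write another project's limits even with a valid id. The quota_set value check is a separate concern from the project_id bug but belongs on the same boundary.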