
yahoo-eng-team team mailing list archive

[Bug 1688182] Re: quota project_id not validated

 

*** This bug is a duplicate of bug 1118066 ***
    https://bugs.launchpad.net/bugs/1118066

** This bug has been marked a duplicate of bug 1118066
   Nova should confirm quota requests against Keystone

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1688182

Title:
  quota project_id not validated

Status in OpenStack Compute (nova):
  New

Bug description:
  The primary problem here is that the quota update and show REST APIs
  do not do any input validation for the project_id that gets passed in,
  due to which the following can be done:

  1. Quota can be updated against any junk value, which subsequently
  gets updated into the quotas table. For example:

  PUT /v2.1/tenant-id/os-quota-sets/auctionweaver.pl

  {
      "quota_set": {
          "ram": 5000
      }
  }

  Response :

  {
      "quota_set": {
          "injected_file_content_bytes": 10240,
          "metadata_items": 128,
          "server_group_members": 100,
          "server_groups": 25,
          "ram": 5000,
          "floating_ips": 10,
          "key_pairs": 100,
          "instances": 100,
          "security_group_rules": 20,
          "injected_files": 5,
          "cores": 550,
          "fixed_ips": -1,
          "injected_file_path_bytes": 255,
          "security_groups": 10
      }
  }

  The DB table for quotas has the below data, which is incorrect. This
  shows that there is no input validation done.

  MariaDB [nova]> select * from quotas;
  +----+---------------------+---------------------+------------+----------------------------------+----------------------+------------+---------+
  | id | created_at          | updated_at          | deleted_at | project_id                       | resource             | hard_limit | deleted |
  +----+---------------------+---------------------+------------+----------------------------------+----------------------+------------+---------+
  |  1 | 2017-04-19 07:46:12 | 2017-04-19 11:13:32 | NULL       | auctionweaver.pl                 | ram                  |       5000 |       0 |
  +----+---------------------+---------------------+------------+----------------------------------+----------------------+------------+---------+

  2. I could easily replace "auctionweaver.pl" in the above example with
  a valid projectid for which I don't have any role assignment and it
  will work fine.

  3. Point 2 is true not just in the case of an admin. It works for all
  roles without prejudice.

  4. There's absolutely no input validation that's done for the
  project_id passed in. After updating junk values into the table, I can
  retrieve those values as well:

  I was able to list the nova quotas using the below invalid URL. Please
  note the "id" attribute in the response.

  GET /v2.1/tenant-id/os-quota-sets/sfkhdskfjhd

  {
      "quota_set": {
          "injected_file_content_bytes": 10240,
          "metadata_items": 128,
          "server_group_members": 100,
          "server_groups": 25,
          "ram": 4096,
          "floating_ips": 10,
          "key_pairs": 100,
          "id": "sfkhdskfjhd",
          "instances": 100,
          "security_group_rules": 20,
          "injected_files": 5,
          "cores": 100,
          "fixed_ips": -1,
          "injected_file_path_bytes": 255,
          "security_groups": 10
      }
  }

  5. It should be technically possible for someone to try out SQL
  injections using this API. Some user with non-admin privileges for a
  particular project might be able to view or update quota values for
  the other projects using the above mechanism.

  6. This behavior is the same for Cinder APIs as well.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1688182/+subscriptions
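
The missing check the report describes, as an added sketch that is not Nova or Cinder code and not part of the original message: validate the project_id path segment, authorize the caller against it, then confirm the project with the identity service. `Caller`, `check_quota_target`, `status_for`, the 32-hex ID format, the admin/owner policy and the project set are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Assumption: project IDs are 32-char lowercase hex, Keystone's default form.
PROJECT_ID_RE = re.compile(r"[0-9a-f]{32}")

# Constructed sample data standing in for the identity service's project list.
KNOWN_PROJECTS = {"a" * 32, "b" * 32}


class QuotaTargetError(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


@dataclass(frozen=True)
class Caller:  # hypothetical: what the validated token says about the caller
    project_id: str
    is_admin: bool = False


def check_quota_target(caller, target_id, project_exists, write=False):
    """Return target_id if the caller may touch its quota, else raise."""
    # 1. Syntax: rejects junk such as "auctionweaver.pl" before any DB access.
    if not PROJECT_ID_RE.fullmatch(target_id):
        raise QuotaTargetError(400, "malformed project_id")
    # 2. Authorization (assumed policy): admins may act on any project;
    #    everyone else may only read the project their token is scoped to.
    #    Checked before existence so non-admins cannot probe for valid IDs.
    if not caller.is_admin and (write or target_id != caller.project_id):
        raise QuotaTargetError(403, "not allowed on this project")
    # 3. Existence: ask the identity service, never trust the URL segment.
    if not project_exists(target_id):
        raise QuotaTargetError(404, "project not found")
    return target_id


def status_for(caller, target_id, write=False):
    """HTTP status the sketch would return, using the constructed project set."""
    try:
        check_quota_target(caller, target_id, KNOWN_PROJECTS.__contains__, write)
        return 200
    except QuotaTargetError as exc:
        return exc.status


if __name__ == "__main__":
    member = Caller(project_id="a" * 32)
    for target in ("auctionweaver.pl", "b" * 32, "a" * 32):
        print(target, status_for(member, target))
```

In a real deployment `project_exists` would be a call to the identity service, and the quota queries themselves should stay parameterized regardless of this check.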