yahoo-eng-team team mailing list archive
Message #75025
[Bug 1794767] Re: Horizon exposes url in Swift error message
Reviewed: https://review.openstack.org/605731
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=4d6a1b327a033b5252317a9e35b664f2155cc2a2
Submitter: Zuul
Branch: master
commit 4d6a1b327a033b5252317a9e35b664f2155cc2a2
Author: BubaVV <markov.vadim@xxxxxxxxx>
Date: Thu Sep 27 16:58:58 2018 +0300
Hide Swift network info in Horizon error message
In case of an error, the Swift API returns some details about the unsuccessful
request, i.e. internal IP, full object path, etc. This response is not
processed by Horizon and is presented to the user as-is, which is potentially
insecure. The proposed patch adds error processing stripping the network location
from the error message.
Change-Id: Ieef9669a1be3ed7bbc685a457eb1fe86b34c3c7e
Closes-bug: #1794767
** Changed in: horizon
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1794767
Title:
Horizon exposes url in Swift error message
Status in OpenStack Dashboard (Horizon):
Fix Released
Bug description:
Horizon can be made to expose internal data structures from HTTP
requests; this is a security hazard.
See for example:
GET /api/swift/containers/test01s/metadata/nonexistantFile.txt HTTP/1.1
Host: example.com
...
Response:
HTTP/1.1 404 Not Found
Date: Tue, 11 Sep 2018 19:30:11 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 98
Vary: Accept-Language,Cookie
X-Frame-Options: SAMEORIGIN
Content-Language: en
Content-Type: application/json
"Object HEAD failed: http://123.456.789.012:8080/swift/v1/test01s/nonexistantFile.txt 404 Not Found"
---------
Note, the Object Store endpoint configured on the /project/api_access
page as "http://example.com:8080/swift/v1", so exposing the internal
url is incorrect.
It should return something like:
"Object HEAD failed: http://example.com:8080/swift/v1/test01s/nonexistantFile.txt 404 Not Found", or just hide the URL altogether.
To reproduce:
1. Log into Horizon with Firefox
2. Open up Web Developer Tools
3. Navigate to Project -> Object Store -> Containers
4. Pick a GET request from the Network tab in the developer tools that is for /api/swift/containers, copy it as cURL and append "test01s/metadata/nonexistantFile.txt" to the end of the URL.
Note you need to do this quickly, otherwise the auth token will expire. If that happens, just refresh the page and edit the request quickly.
5. Observe the URL present in the response.
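The sanitisation the commit message above describes, written out as an added example that is not Horizon's own patch: every absolute URL in a backend error string has its scheme and host:port removed (or, optionally, replaced by the public Object Store endpoint the reporter suggests) before the string is returned to the browser. The function name, the public_endpoint parameter and the sample message are constructed for this illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Sample backend error as seen in the bug report (constructed copy for this example).
SAMPLE_ERROR = (
    "Object HEAD failed: "
    "http://123.456.789.012:8080/swift/v1/test01s/nonexistantFile.txt 404 Not Found"
)

# Absolute http(s) URL embedded in free text; stops at whitespace and quoting characters.
_URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def strip_network_location(message, public_endpoint=None):
    """Rewrite every URL in a backend error message before it reaches the client.

    Without public_endpoint the scheme and netloc are dropped, leaving only the
    object path.  With public_endpoint (e.g. the URL shown on /project/api_access)
    the internal scheme/host:port is replaced by the public one, so the message
    stays readable without revealing where Swift actually lives.
    """
    pub = urlsplit(public_endpoint) if public_endpoint else None

    def _rewrite(match):
        parts = urlsplit(match.group(0))
        if pub is not None:
            # Keep the internal path/query, swap in the public scheme and host:port.
            return urlunsplit((pub.scheme, pub.netloc, parts.path, parts.query, ""))
        # No public endpoint known: return a bare path, never a network location.
        return urlunsplit(("", "", parts.path, parts.query, ""))

    return _URL_RE.sub(_rewrite, message)


def client_safe_error(message, public_endpoint=None):
    """Return the dict a REST view would hand back, with the sanitised text only.

    The unsanitised message should be logged server-side by the caller, so
    operators keep the internal detail while users never see it.
    """
    return {"error": strip_network_location(message, public_endpoint)}


if __name__ == "__main__":
    print(strip_network_location(SAMPLE_ERROR))
    print(strip_network_location(SAMPLE_ERROR, "http://example.com:8080/swift/v1"))
```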