
yahoo-eng-team team mailing list archive

[Bug 1968343] [NEW] Security Group Rule create with forged integer security_group_id causes exceptions

 

Public bug reported:

Assuming a project xyz has Security Groups, the following POST request
fails with HTTP 500 ValueError:

/v2.0/security-group-rules
{
	"security_group_rule": {
		"direction": "egress",
		"ethertype": "IPv4",
		"port_range_max": 443,
		"port_range_min": 443,
		"project_id": "xyz",
		"protocol": "tcp",
		"remote_ip_prefix": "34.231.24.224/32",
		"security_group_id": 0
	}
}

The ValueError is raised by Python uuid with `badly formed hexadecimal UUID string`.
This is because the prior validation, _check_security_group in securitygroups_db.py, uses
sg_obj.SecurityGroup.objects_exist(context, id=id), which yields true with MySQL, e.g.:

MariaDB [neutron]> SELECT count(*) FROM securitygroups WHERE securitygroups.id IN (0);
+----------+
| count(*) |
+----------+
|       15 |
+----------+
1 row in set, 46 warnings (0.001 sec)

MariaDB [neutron]> SHOW WARNINGS LIMIT 1;
+---------+------+--------------------------------------------------------------------------+
| Level   | Code | Message                                                                  |
+---------+------+--------------------------------------------------------------------------+
| Warning | 1292 | Truncated incorrect DOUBLE value: '77dd53b2-59c0-4208-b03c-9f9f65bf9a28' |
+---------+------+--------------------------------------------------------------------------+
1 row in set (0.000 sec)

Thus, the validation succeeds and the code path is followed till the id
is converted to a UUID - which causes the unexpected exception.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1968343
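
Why the forged `0` passes the existence check, and a type check that stops it before the query, as an added example (not code from the bug report or from neutron). The cast emulation is a simplified approximation of MySQL/MariaDB string-to-DOUBLE comparison; the function names and all sample ids except the one shown in the warning above are constructed for illustration.

```python
import re
import uuid

# Leading numeric prefix of a string: a simplified stand-in (assumption) for how
# MySQL/MariaDB casts a string column to DOUBLE when it is compared to a number.
_NUM_PREFIX = re.compile(r"\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?")

# Constructed sample ids; only the first one appears in the report's warning.
SAMPLE_IDS = [
    "77dd53b2-59c0-4208-b03c-9f9f65bf9a28",  # prefix "77"   -> 77.0
    "a1b2c3d4-0000-4000-8000-000000000001",  # no prefix     -> 0.0
    "f00dfeed-0000-4000-8000-000000000002",  # no prefix     -> 0.0
    "0e12abcd-0000-4000-8000-000000000003",  # prefix "0e12" -> 0.0
    "1e2fabcd-0000-4000-8000-000000000004",  # prefix "1e2"  -> 100.0
]


def mysql_string_as_double(value):
    """Numeric value the emulated cast gives a string (0.0 when no prefix)."""
    match = _NUM_PREFIX.match(value)
    return float(match.group(0)) if match else 0.0


def rows_matching(ids, forged_id):
    """Emulate `WHERE id IN (<forged_id>)` for a numeric forged_id."""
    return [i for i in ids if mysql_string_as_double(i) == float(forged_id)]


def validate_security_group_id(value):
    """Accept only a canonical UUID string; run this before any DB lookup."""
    if not isinstance(value, str):
        raise TypeError("security_group_id must be a string")
    try:
        parsed = uuid.UUID(value)
    except ValueError:
        raise ValueError("security_group_id is not a valid UUID") from None
    if str(parsed) != value.lower():
        raise ValueError("security_group_id is not in canonical UUID form")
    return str(parsed)


if __name__ == "__main__":
    print(len(rows_matching(SAMPLE_IDS, 0)), "of", len(SAMPLE_IDS), "rows match 0")
    print(validate_security_group_id(SAMPLE_IDS[0]))
```

Under the emulated cast, ids that begin with a hex letter or with a zero-valued number such as `0e12` compare equal to 0, while an id such as `77dd53b2-...` is truncated with a warning but does not match.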
