yahoo-eng-team team mailing list archive

[Bug 1968343] Re: Security Group Rule create with forged integer security_group_id causes exceptions


Reviewed:  https://review.opendev.org/c/openstack/neutron/+/837168
Committed: https://opendev.org/openstack/neutron/commit/c0bf560fa36aac798ad8783749fa78ddf766bdec
Submitter: "Zuul (22348)"
Branch:    master

commit c0bf560fa36aac798ad8783749fa78ddf766bdec
Author: Andrew Karpow <andrew.karpow@xxxxxxx>
Date:   Fri Apr 8 18:32:03 2022 +0200

    Force security_group_id uuid validation of sg rules
    
    security_groups_db._check_security_group is supposed to check the
    security_group_id of the _create_security_group_rule payload.
    When using an integer, e.g. 0, as security_group_id, the check
    succeeds because mysql accepts the following query:
    
    SELECT * FROM securitygroups WHERE id in (0)
    
    Forcing validation of security_group_id as uuid fixes the problem
    
    Closes-Bug: #1968343
    Change-Id: I7c36b09309c1ef66608afacfb281b6f4b06ea5b8


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1968343

Title:
  Security Group Rule create with forged integer security_group_id
  causes exceptions

Status in neutron:
  Fix Released

Bug description:
  Assuming a project xyz has Security Groups, the following POST request
  fails with HTTP 500 ValueError:

  /v2.0/security-group-rules
  {
  	"security_group_rule": {
  		"direction": "egress",
  		"ethertype": "IPv4",
  		"port_range_max": 443,
  		"port_range_min": 443,
  		"project_id": "xyz",
  		"protocol": "tcp",
  		"remote_ip_prefix": "34.231.24.224/32",
  		"security_group_id": 0
  	}
  }

  The value error is raised by python uuid with `badly formed hexadecimal UUID string`.
  This is because the prior validation _check_security_group in securitygroups_db.py is using 
  sg_obj.SecurityGroup.objects_exist(context, id=id) which yields true with MySQL, e.g.:

  MariaDB [neutron]> SELECT count(*) FROM securitygroups WHERE securitygroups.id IN (0);
  +----------+
  | count(*) |
  +----------+
  |       15 |
  +----------+
  1 row in set, 46 warnings (0.001 sec)

  MariaDB [neutron]> SHOW WARNINGS LIMIT 1;
  +---------+------+--------------------------------------------------------------------------+
  | Level   | Code | Message                                                                  |
  +---------+------+--------------------------------------------------------------------------+
  | Warning | 1292 | Truncated incorrect DOUBLE value: '77dd53b2-59c0-4208-b03c-9f9f65bf9a28' |
  +---------+------+--------------------------------------------------------------------------+
  1 row in set (0.000 sec)

  Thus, the validation succeeds and the code path is followed till the
  id is converted to a UUID - which causes the unexpected exception.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1968343/+subscriptions
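As an added illustration of the fix described above (this is not Neutron's code; the exception classes, function names and the sample id set are hypothetical), a Python validator that requires security_group_id to be a well-formed UUID string before any existence query is built, so a forged integer such as 0 is answered as a client error instead of reaching the database's lenient string-to-number comparison:

```python
import uuid


class InvalidInput(Exception):
    """Malformed security_group_id (a client error, not a server error)."""


class SecurityGroupNotFound(Exception):
    """Well-formed id that does not exist (a not-found error)."""


# Constructed sample of ids present in a hypothetical securitygroups table.
EXISTING_SG_IDS = {
    "11111111-1111-4111-8111-111111111111",
    "22222222-2222-4222-8222-222222222222",
}


def validate_sg_id(value):
    """Return the canonical UUID string for value, or raise InvalidInput.

    Non-string payload values (e.g. the integer 0) are rejected up front,
    so they never become part of an IN (...) clause. Strings are parsed by
    uuid.UUID, which also normalises accepted variants (no hyphens, braces,
    urn:uuid: prefix) to the canonical hyphenated form.
    """
    if not isinstance(value, str):
        raise InvalidInput(
            f"security_group_id must be a UUID string, got {type(value).__name__}")
    try:
        parsed = uuid.UUID(value)
    except ValueError as exc:
        raise InvalidInput(f"security_group_id is not a valid UUID: {value!r}") from exc
    return str(parsed)


def check_security_group(value, existing=EXISTING_SG_IDS):
    """Existence check that only ever sees a validated, canonical UUID."""
    sg_id = validate_sg_id(value)
    if sg_id not in existing:
        raise SecurityGroupNotFound(sg_id)
    return sg_id


def classify(value, existing=EXISTING_SG_IDS):
    """Map the outcome to the HTTP status a request handler should return."""
    try:
        check_security_group(value, existing)
    except InvalidInput:
        return 400
    except SecurityGroupNotFound:
        return 404
    return 200
```

With this ordering, the payload from the bug report (integer 0) produces a 400 from validation rather than a 500 from a later uuid conversion.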