
yahoo-eng-team team mailing list archive

[Bug 1986545] Re: websockify open redirection unit test broken with Python >= 3.10.6 standard lib

 

Reviewed:  https://review.opendev.org/c/openstack/nova/+/853379
Committed: https://opendev.org/openstack/nova/commit/15769b883ed4a86d62b141ea30d3f1590565d8e0
Submitter: "Zuul (22348)"
Branch:    master

commit 15769b883ed4a86d62b141ea30d3f1590565d8e0
Author: melanie witt <melwittt@xxxxxxxxx>
Date:   Tue Aug 16 06:49:53 2022 +0000

    Adapt websocketproxy tests for SimpleHTTPServer fix
    
    In response to bug 1927677 we added a workaround to
    NovaProxyRequestHandler to respond with a 400 Bad Request if an open
    redirect is attempted:
    
      Ie36401c782f023d1d5f2623732619105dc2cfa24
      I95f68be76330ff09e5eabb5ef8dd9a18f5547866
    
    Recently in python 3.10.6, a fix has landed in cpython to respond with
    a 301 Moved Permanently to a sanitized URL that has had extra leading
    '/' characters removed.
    
    This breaks our existing unit tests which assume a 400 Bad Request as
    the only expected response.
    
    This adds handling of a 301 Moved Permanently response and asserts that
    the redirect location is the expected sanitized URL. Doing this instead
    of checking for a given python version will enable the tests to continue
    to work if and when the cpython fix gets backported to older python
    versions.
    
    While updating the tests, the opportunity was taken to commonize the
    code of two unit tests that were nearly identical.
    
    Related-Bug: #1927677
    Closes-Bug: #1986545
    
    Change-Id: I27441d15cc6fa2ff7715ba15aa900961aadbf54a


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1986545

Title:
  websockify open redirection unit test broken with Python >= 3.10.6
  standard lib

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  Lucas Nussbaum reported this Debian bug:

  https://bugs.debian.org/1017217

  so I started investigating it. It took me a while to understand it was
  due to a change in the Python 3.10.6 standard http/server.py library.

  Running these 2 unit tests against Python 3.10.5 works:

  test_websocketproxy.NovaProxyRequestHandlerTestCase.test_reject_open_redirect
  console.test_websocketproxy.NovaProxyRequestHandlerTestCase.test_reject_open_redirect_3_slashes

  However, under Python 3.10.6, this fails. The reason isn't the
  interpreter itself, but the standard library, which has additional
  open redirection protection.

  Looking at the changelog here:
  https://docs.python.org/3/whatsnew/changelog.html

  we see this issue:
  https://github.com/python/cpython/issues/87389

  which has been addressed by this commit:
  https://github.com/python/cpython/commit/defaa2b19a9a01c79c1d5641a8aa179bb10ead3f

  If I "fix" the Python 3.10.5 standard library using the 2 lines of
  code of the first hunk of this patch, then I can reproduce the issue.

  I guess that the unit testing should be skipped if using Python >=
  3.10.6, probably, or adapted somehow. I leave this to the Nova
  maintainers: for the Debian package, I'll just skip these 2 unit
  tests.

  Cheers,

  Thomas Goirand (zigo)

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1986545/+subscriptions
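
The version-independent check the commit message describes (accept a 400 Bad Request, or a 301 Moved Permanently whose Location is the sanitized path), as an added Python sketch that is not nova's test code. The function names, the request path and the three raw responses are constructed for illustration.

```python
from urllib.parse import urlsplit


def sanitize_path(path):
    """Collapse extra leading '/' characters down to one."""
    return "/" + path.lstrip("/") if path.startswith("//") else path


def leaves_origin(location):
    """True if a Location value points at another host (//host/... or scheme://host/...)."""
    parts = urlsplit(location)
    return location.startswith("//") or bool(parts.scheme or parts.netloc)


def parse_response(raw):
    """Return (status_code, lower-cased header dict) from raw response bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers


def classify(raw, request_path):
    """Classify the proxy's answer to a request path with extra leading slashes."""
    status, headers = parse_response(raw)
    if status == 400:
        return "rejected"            # workaround in the request handler
    if status == 301:
        location = headers.get("location", "")
        expected = sanitize_path(request_path)
        # The stdlib appends '/' when redirecting to a directory, so allow it.
        if location in (expected, expected + "/") and not leaves_origin(location):
            return "sanitized"       # Python >= 3.10.6 standard library behaviour
        return "open-redirect"
    return "unexpected"


# Constructed sample data (not captured from a real proxy).
PATH = "//example.com/console"
REJECTED = b"HTTP/1.1 400 Bad Request\r\n\r\n"
SANITIZED = b"HTTP/1.0 301 Moved Permanently\r\nLocation: /example.com/console/\r\n\r\n"
UNSAFE = b"HTTP/1.0 301 Moved Permanently\r\nLocation: //example.com/console/\r\n\r\n"

if __name__ == "__main__":
    for raw in (REJECTED, SANITIZED, UNSAFE):
        print(classify(raw, PATH))
```

A test that treats "rejected" and "sanitized" as passing keeps working whether or not the interpreter's standard library carries the fix.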


