yahoo-eng-team team mailing list archive

[Bug 2026775] [NEW] Metadata agents do not parse X-Forwarded-For headers properly

 

Public bug reported:

While looking at an unrelated issue I noticed log lines like this in the
neutron-ovn-metadata-agent log file:

  No port found in network b62452f3-ec93-4cd7-af2d-9f9eabb33b12 with IP address 10.246.166.21,10.131.84.23

While it might seem harmless, looking at the code it only showed a
single value being logged:

  LOG.error("No port found in network %s with IP address %s",
            network_id, remote_address)

The code in question is looking for a matching IP address, but will
never match the concatenated string.

Google shows the additional IP address(es) that might be present in this
header are actually proxies:

  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For

And sure enough in my case the second IP was always the same.

The code needs to be changed to account for proxies, which aren't
actually necessary to look up what port is making the request, but it
could be logged for posterity.

I'll send a change for that soon.

** Affects: neutron
     Importance: Medium
     Assignee: Brian Haley (brian-haley)
         Status: In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2026775

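
The lookup failure described in the report, reproduced as an added example (this is not Neutron's code and not the change the report mentions): the header value is split and validated, and only the first address is used for the port lookup. `PORTS_BY_IP`, `split_forwarded_for` and `find_port` are hypothetical names, the port table is constructed sample data, and treating the first element as the client follows the MDN page linked above.

```python
import ipaddress

# Constructed sample data: fixed IPs of ports on one network (not from the report).
PORTS_BY_IP = {
    "10.246.166.21": "port-a (constructed)",
    "10.246.166.40": "port-b (constructed)",
}


def split_forwarded_for(header_value):
    """Return (client_ip, proxies) from an X-Forwarded-For header value.

    Assumption: the first element is the requesting client and the rest
    are proxies. Raises ValueError on an empty header or on any element
    that is not a literal IP address.
    """
    parts = [p.strip() for p in header_value.split(",")]
    if not parts[0]:  # str.split always returns at least ['']
        raise ValueError("empty X-Forwarded-For header")
    # ipaddress.ip_address() rejects anything that is not an IPv4/IPv6
    # literal, so malformed elements never reach the lookup or the log.
    addrs = [str(ipaddress.ip_address(p)) for p in parts]
    return addrs[0], addrs[1:]


def find_port(header_value, ports_by_ip=PORTS_BY_IP):
    """Look up the port by client address only.

    Returns (port_or_None, client_ip, proxies); the proxies are returned
    so the caller can log them without using them for matching.
    """
    client, proxies = split_forwarded_for(header_value)
    return ports_by_ip.get(client), client, proxies


if __name__ == "__main__":
    raw = "10.246.166.21,10.131.84.23"  # header value seen in the log line
    print("raw lookup:   ", PORTS_BY_IP.get(raw))  # whole string as key
    print("parsed lookup:", find_port(raw))
```
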