yahoo-eng-team team mailing list archive
Message #95346
[Bug 2077541] Re: CredentialNotFound not caught and enumerating credentials using the EC2_S3_Resource
Reviewed: https://review.opendev.org/c/openstack/keystone/+/934727
Committed: https://opendev.org/openstack/keystone/commit/ae4e54148a2b3594c7cb246c50ba956dce52fdc3
Submitter: "Zuul (22348)"
Branch: master
commit ae4e54148a2b3594c7cb246c50ba956dce52fdc3
Author: Tobias Urdin <tobias.urdin@xxxxxxxxxx>
Date: Tue Nov 12 09:51:24 2024 +0100
Unify response code for EC2_S3_Resource
When looking up the credential we don't catch the
CredentialNotFound exception, which causes us to
return a 404 Not Found response code to the client,
which is fine, but since we don't catch it we also
output the entire exception to stderr.
This changes it so that we instead catch the
CredentialNotFound exception and raise a
NotFound exception, which retains the behaviour
but does not pollute the logs with long tracebacks.
This also addresses a security concern: if the
credential is found but is of the wrong type we
throw an Unauthorized response code but say in
the message that the "EC2 access key is not found";
this could potentially be used for doing an enumeration
attack trying to figure out if a credential exists
or not.
To fix this we change the response code from
Unauthorized to Not Found, which makes it impossible
to know which part of the code raised the error
from the outside.
Closes-Bug: #2077541
Change-Id: I0ffeaf032ccdfcd99da27719cf90451a5855af81
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2077541
Title:
CredentialNotFound not caught and enumerating credentials using the
EC2_S3_Resource
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
I'm reporting this a security related bug just in case, if it's
unsuitable for that just let me know and I'll push the patch directly
upstream.
Below is from commit msg:
When looking up the credential we don't catch the
CredentialNotFound exception, which causes us to
return a 404 Not Found response code to the client,
which is fine, but since we don't catch it we also
output the entire exception to stderr.
This changes it so that we instead catch the
CredentialNotFound exception and raise a
NotFound exception, which retains the behaviour
but does not pollute the logs with long tracebacks.
This also addresses a security concern: if the
credential is found but is of the wrong type we
throw an Unauthorized response code but say in
the message that the "EC2 access key is not found";
this could potentially be used for doing an enumeration
attack trying to figure out if a credential exists
or not.
To fix this we change the response code from
Unauthorized to Not Found, which makes it impossible
to know which part of the code raised the error
from the outside.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2077541/+subscriptions
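The enumeration oracle described in the commit message, and the uniform-response fix, reduced to a runnable sketch. This is an added example, not keystone's code: the in-memory store, the credential records, the CredentialNotFound/NotFound/Unauthorized classes and the response messages are all constructed stand-ins that only mirror the shape of what the commit describes. lookup_before() keeps the two distinguishable failure paths (uncaught backend exception vs. 401 with a "not found" message); lookup_after() catches the backend exception and collapses both failures into the same 404 and the same message, so a client probing with an unknown id and a known-but-wrong-type id can no longer tell them apart.

```python
"""Credential-enumeration oracle and its fix (illustrative, not keystone code)."""
import logging
from dataclasses import dataclass

log = logging.getLogger("ec2_lookup_example")


class CredentialNotFound(Exception):
    """Stand-in for the backend exception raised when the id is unknown."""


class HTTPError(Exception):
    """Minimal stand-in for a framework HTTP error carrying a status code."""

    def __init__(self, code, message):
        super().__init__(message)
        self.code = code
        self.message = message


class NotFound(HTTPError):
    def __init__(self, message="Could not find credential"):  # assumed wording
        super().__init__(404, message)


class Unauthorized(HTTPError):
    def __init__(self, message):
        super().__init__(401, message)


@dataclass
class Credential:
    id: str
    type: str
    blob: str


# Constructed sample store: one ec2 credential and one of another type.
STORE = {
    "a1": Credential("a1", "ec2", '{"access": "AKIA...", "secret": "..."}'),
    "b2": Credential("b2", "totp", "JBSWY3DPEHPK3PXP"),
}


def get_credential(credential_id):
    """Backend lookup: raises CredentialNotFound for an unknown id."""
    try:
        return STORE[credential_id]
    except KeyError:
        raise CredentialNotFound(credential_id)


def lookup_before(access_key_id):
    """Pre-fix shape: unknown id leaks a traceback and yields a framework 404,
    wrong type yields a 401 whose message still says 'not found'."""
    cred = get_credential(access_key_id)  # CredentialNotFound propagates
    if cred.type != "ec2":
        raise Unauthorized("EC2 access key not found")
    return cred


def lookup_after(access_key_id):
    """Post-fix shape: both failures become the same NotFound, no traceback."""
    try:
        cred = get_credential(access_key_id)
    except CredentialNotFound:
        raise NotFound()  # short, explicit 404; nothing logged with exc_info
    if cred.type != "ec2":
        raise NotFound()  # same code and message as the unknown-id path
    return cred


def probe(fn, access_key_id):
    """What a client observes: (status, message), or (200, type) on success."""
    try:
        return 200, fn(access_key_id).type
    except HTTPError as e:
        return e.code, e.message
    except CredentialNotFound:
        # Uncaught backend exception: a framework would render a generic 404
        # and dump the full traceback into the logs (the log noise the fix removes).
        log.exception("uncaught CredentialNotFound")
        return 404, "Not Found"  # assumed generic framework message


def is_oracle(fn, unknown_id, wrong_type_id):
    """True if a client can distinguish 'does not exist' from 'wrong type'."""
    return probe(fn, unknown_id) != probe(fn, wrong_type_id)
```

Calling is_oracle(lookup_before, "zzz", "b2") returns True because the two responses differ in both status code and body; with lookup_after the same probe returns False. The check a reviewer would want on the real fix is the same one: request an id that does not exist and an id that exists with a non-ec2 type, and confirm the status line, body and response headers are byte-for-byte identical.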