Validation of Timestamp/Expires for ec2 query parameters is not correct

Bug #1036343 reported by Roland Hochmuth
Affects                  | Status       | Importance | Assigned to      | Milestone
OpenStack Compute (nova) | Fix Released | High       | Sirisha Devineni |
oslo-incubator           | Fix Released | Undecided  | Sirisha Devineni |
Grizzly                  | Fix Released | Undecided  | Sirisha Devineni |

Bug Description

It doesn't appear that the Timestamp query parameter for ec2 requests is completely validated or used. Looking at the class "Requestify" in ../nova/api/ec2/__init__.py, there are several potential issues:

1. Only Timestamp is tested for, but Expires isn't.
2. The format of the Timestamp is not tested for.
3. The value of the Timestamp is not tested to be within some time delta.

The AWS documentation states at this link

    http://docs.amazonwebservices.com/AWSEC2/latest/APIReference/Query-Common-Parameters.html

"Requests must include either Timestamp or Expires, but cannot contain both" and "The date and time at which the request is signed, in the format YYYY-MM-DDThh:mm:ssZ" which addresses points 1 and 2 above.

The AWS documentation at this link and others

    http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/Error_Messages.html

states,

"Why do I keep getting "Request has expired" errors?

To reduce the risk of replay attacks, our requests include a timestamp. This and the most important parts of the request are signed to ensure the message (including the timestamp) cannot be modified without detection.

If the difference between the timestamp in the request and the time on our servers is larger than 5 minutes, the request is too old (or too new) and an error is returned.

You need to ensure that your system clock is accurate and configured to use the correct time zone. For more information, go to NTP."

Looking at the code in Requestify and searching the rest of the code base for use of "Timestamp", I don't see any places where Timestamp is used or tested. It seems like this is a potential security related issue.
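The three checks the report asks for, written out as an added example (this is not nova's code and not the patch that was later merged): exactly one of Timestamp or Expires must be present, the value must match the AWS format YYYY-MM-DDThh:mm:ssZ, and a Timestamp must lie within the 5-minute window the AWS error page describes. The function names, the InvalidRequest exception and the constructed sample request are assumptions of this example, not part of nova.

```python
import datetime

# Format quoted from the AWS docs above: YYYY-MM-DDThh:mm:ssZ
EC2_TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
# AWS rejects requests whose Timestamp is more than 5 minutes off the server clock
MAX_CLOCK_SKEW = datetime.timedelta(minutes=5)


class InvalidRequest(Exception):
    """Raised for a request that must be rejected (name chosen for this example)."""


def _parse_ec2_time(value):
    """Point 2: accept only the documented format, as an aware UTC datetime."""
    try:
        parsed = datetime.datetime.strptime(value, EC2_TIMESTAMP_FORMAT)
    except (TypeError, ValueError):
        raise InvalidRequest(f"malformed time value: {value!r}")
    return parsed.replace(tzinfo=datetime.timezone.utc)


def validate_ec2_request_time(params, now=None):
    """Return the parsed Timestamp or Expires, or raise InvalidRequest.

    params: dict of EC2 query parameters; now: aware UTC datetime (injectable).
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    has_ts, has_exp = "Timestamp" in params, "Expires" in params
    # Point 1: "either Timestamp or Expires, but cannot contain both"
    if has_ts == has_exp:
        raise InvalidRequest("request must include exactly one of Timestamp or Expires")
    if has_ts:
        ts = _parse_ec2_time(params["Timestamp"])
        # Point 3: too old OR too new by more than the skew window is rejected
        if abs(now - ts) > MAX_CLOCK_SKEW:
            raise InvalidRequest("Request has expired")
        return ts
    exp = _parse_ec2_time(params["Expires"])
    # Expires is an absolute deadline set by the client; reject once it has passed
    if now > exp:
        raise InvalidRequest("Request has expired")
    return exp


def check_ec2_request(params, now_str):
    """Wrapper for tests: 'now' in the same EC2 format; returns 'ok' or the rejection reason."""
    try:
        validate_ec2_request_time(params, _parse_ec2_time(now_str))
        return "ok"
    except InvalidRequest as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample request, signed two minutes before a constructed "now"
    sample = {"Action": "DescribeInstances", "Timestamp": "2012-08-13T11:58:00Z"}
    print(check_ec2_request(sample, "2012-08-13T12:00:00Z"))
```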

Tags: ec2
Andrew James (ajames)
Changed in nova:
assignee: nobody → Andrew James (ajames)
Thierry Carrez (ttx)
Changed in nova:
importance: Undecided → High
status: New → Confirmed
tags: added: ec2
Joe Gordon (jogo) wrote :

@Andrew, are you still working on this?

Andrew James (ajames) wrote :

I am not actively working on this and it's ok if you reassign to someone else. Otherwise, I will plan to complete this as time allows.

It seems this kind of 'validation' needs to be done in Requestify rather than Validate. It would be nice if a fix for this cleaned up the logic in Requestify as a side effect.

Roland Hochmuth (roland-hochmuth) wrote :

Hi Andrew, I'll take it.

Changed in nova:
assignee: Andrew James (ajames) → Roland Hochmuth (roland-hochmuth-s)
Changed in nova:
assignee: Roland Hochmuth (roland-hochmuth-s) → Sirisha Devineni (sirisha-devineni)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/13194

Changed in nova:
status: Confirmed → In Progress
Changed in openstack-common:
status: New → In Progress
Mark McLoughlin (markmc)
Changed in openstack-common:
assignee: nobody → Sirisha Devineni (sirisha-devineni)
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-common (master)

Reviewed: https://review.openstack.org/14199
Committed: http://github.com/openstack/openstack-common/commit/85bed287461036745afe6a4c623e546c52641b1e
Submitter: Jenkins
Branch: master

commit 85bed287461036745afe6a4c623e546c52641b1e
Author: Sirisha Devineni <email address hidden>
Date: Tue Oct 9 17:33:35 2012 +0530

    Added is_newer_than function

    Added is_newer_than function to compare if the provided
    time is newer than current time for specified number of
    seconds

    Fixes bug 1036343

    Change-Id: Ic133b0e7e2337b6b0fdad244ded6a93f8db48379

Changed in openstack-common:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/13194
Committed: http://github.com/openstack/nova/commit/1056677bb6e5bda331270100b577f085cd0b5067
Submitter: Jenkins
Branch: master

commit 1056677bb6e5bda331270100b577f085cd0b5067
Author: Sirisha Devineni <email address hidden>
Date: Tue Sep 18 14:11:45 2012 +0530

    Validates Timestamp or Expiry time in EC2 requests

    Validating the format of Timestamp/Expires in the EC2 requests
    and checking for the expiry of the request. 'ec2_timestamp_expiry'
    flag is the time in seconds before ec2 timestamp expires.

    Fixes bug 1036343

    Change-Id: I2b63d85dc1d658a58ceda67c0dfd0a8eac807577

Changed in nova:
status: In Progress → Fix Committed
Mark McLoughlin (markmc)
affects: openstack-common → oslo
Thierry Carrez (ttx)
Changed in nova:
milestone: none → grizzly-1
status: Fix Committed → Fix Released
Mark McLoughlin (markmc)
Changed in oslo:
milestone: none → grizzly-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: grizzly-1 → 2013.1