get_param and get_attr allow user to introspect Python objects
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Heat | Fix Released | Critical | Zane Bitter | |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
Bug Description
The recent new implementations of the HOT built-in functions get_param and get_attr allow the user, in the same function, to select through a sequence of dictionary keys or list indices in the case that the parameter or attribute is more complex than a simple string attribute.
However, for reasons unknown, it also allows the user to access attributes of the Python objects using getattr(). This means that the user could introspect any object in the system reachable by doing repeated getattr() calls starting with a Parameter or the result of FnGetAttr() of a resource.
This not only exposes the user to implementation details of the system that we would never want to form part of the stable interface, it is also a major potential security threat.
There is no conceivable reason to ever allow this for a parameter, since parameters are strongly type-checked. Furthermore, the unit tests are misleading because they pass a dictionary containing an object on which to call getattr(), when in reality the code passes a Parameters object and items retrieved from it are Parameter objects.
Nor is there any conceivable reason for any resource's FnGetAttr() to return an object that can only be traversed by this method. Prior to this implementation of get_attr, the only way to traverse a complex attribute was using Fn::Select, which did not allow the use of getattr().
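The traversal the report describes, next to a key/index-only traversal, as an added example that is not Heat's code. `Parameter`, `select_permissive`, `select_strict` and the sample data are hypothetical names constructed for illustration.

```python
from collections.abc import Mapping, Sequence


class Parameter:
    """Hypothetical stand-in for an engine-side object; not Heat's class."""

    def __init__(self, value):
        self._value = value  # implementation detail, not template interface


# Constructed sample data: one engine object and one plain nested value.
PARAMS = {"flavor": Parameter("m1.small"), "ports": [{"ip": "10.0.0.5"}]}


def select_permissive(root, path):
    """Traversal as the report describes it: key/index, else getattr()."""
    node = root
    for step in path:
        try:
            node = node[step]
        except (TypeError, KeyError, IndexError):
            node = getattr(node, step)  # leaks Python attributes
    return node


def select_strict(root, path):
    """Key/index-only traversal: anything that is not a dict or list stops."""
    node = root
    for step in path:
        if isinstance(node, Mapping):
            node = node[step]  # KeyError on a missing key
        elif isinstance(node, Sequence) and not isinstance(node, (str, bytes)):
            if isinstance(step, bool) or not isinstance(step, int):
                raise TypeError("list index must be an integer: %r" % (step,))
            node = node[step]  # IndexError when out of range
        else:
            raise TypeError("cannot select %r from %s" % (step, type(node).__name__))
    return node


if __name__ == "__main__":
    print(select_permissive(PARAMS, ["flavor", "__class__", "__name__"]))
    print(select_strict(PARAMS, ["ports", 0, "ip"]))
    try:
        select_strict(PARAMS, ["flavor", "__class__"])
    except TypeError as exc:
        print("rejected:", exc)
```

A unit test for the strict form should pass real engine objects in the path, not plain dictionaries, so that a reintroduced getattr() fallback fails the test.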
Changed in heat:
status: Fix Committed → Fix Released
Changed in heat:
milestone: icehouse-3 → 2014.1
Fix proposed to branch: master
Review: https://review.openstack.org/73812