get_param and get_attr allow user to introspect Python objects

Bug #1280526 reported by Zane Bitter
Affects                       Status        Importance  Assigned to  Milestone
OpenStack Heat                Fix Released  Critical    Zane Bitter  2014.1
OpenStack Security Advisory   Won't Fix     Undecided   Unassigned

Bug Description

The recent new implementations of the HOT built-in functions get_param and get_attr allow the user, in the same function, to select through a sequence of dictionary keys or list indices in the case that the parameter or attribute is more complex than a simple string attribute.

However, for reasons unknown, it also allows the user to access attributes of the Python objects using getattr(). This means that the user could introspect any object in the system reachable by doing repeated getattr() calls starting with a Parameter or the result of FnGetAttr() of a resource.

This not only exposes the user to implementation details of the system that we would never want to form part of the stable interface, it is also a major potential security threat.

There is no conceivable reason to ever allow this for a parameter, since parameters are strongly type-checked. Furthermore, the unit tests are misleading because they pass a dictionary containing an object on which to call getattr(), when in reality the code passes a Parameters object and items retrieved from it are Parameter objects.

Nor is there any conceivable reason for any resource's FnGetAttr() to return an object that can only be traversed by this method. Prior to this implementation of get_attr, the only way to traverse a complex attribute was using Fn::Select, which did not allow the use of getattr().
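The following is an added example, not Heat's own code, modelling the behaviour the report describes: a HOT-style path walker that indexes dicts and lists but falls back to getattr() on anything else, next to a hardened walker that treats any non-dict, non-list value as a leaf. FakeParameter, FakeStack and FakeContext are hypothetical stand-ins for the kind of object graph a Parameter can reference; the token they carry is a constructed sample value.

```python
# Added example, not Heat's own code. Models the bug: a HOT-style path walker
# that falls back to getattr() when it reaches a non-dict, non-list value, next
# to a hardened walker that only indexes dicts and lists. All classes below are
# constructed stand-ins; "FakeParameter", "FakeStack" and "FakeContext" are
# hypothetical names, not Heat classes.


class FakeContext(object):
    """Stand-in for a request context that carries a credential."""
    def __init__(self):
        self.auth_token = "constructed-token"   # constructed sample secret


class FakeStack(object):
    """Stand-in for a stack object that references its request context."""
    def __init__(self):
        self.context = FakeContext()


class FakeParameter(object):
    """Stand-in for a Parameter: a typed value plus a back-reference to the stack."""
    def __init__(self, value):
        self.value = value
        self.stack = FakeStack()


def resolve_unsafe(value, path):
    """Walks 'path' the way the bug describes: dicts and lists are indexed and
    anything else is introspected with getattr(), so a template author can
    reach any object linked from a Parameter or FnGetAttr() result."""
    for key in path:
        if isinstance(value, dict):
            value = value[key]
        elif isinstance(value, list):
            value = value[int(key)]
        else:
            value = getattr(value, key)   # the dangerous fallback
    return value


def resolve_safe(value, path):
    """Walks 'path' through dicts and lists only. Any other value is a leaf,
    so selecting further into it is a template error, never introspection."""
    for key in path:
        if isinstance(value, dict):
            if key not in value:
                raise KeyError("no key %r in map" % (key,))
            value = value[key]
        elif isinstance(value, list):
            try:
                index = int(key)
            except (TypeError, ValueError):
                raise TypeError("list index %r is not an integer" % (key,))
            value = value[index]
        else:
            raise TypeError("cannot select %r from a %s value"
                            % (key, type(value).__name__))
    return value


def can_select(resolver, value, path):
    """True when 'resolver' returns a value for 'path' instead of raising."""
    try:
        resolver(value, path)
    except (KeyError, IndexError, TypeError, AttributeError):
        return False
    return True


# Constructed sample data: a map-typed attribute and a parameter object.
SAMPLE_ATTR = {"servers": [{"name": "web1",
                            "addresses": {"private": [{"addr": "10.0.0.5"}]}}]}
SAMPLE_PARAM = FakeParameter("web")

if __name__ == "__main__":
    legit = ["servers", 0, "addresses", "private", 0, "addr"]
    # Both walkers handle an ordinary map/list selection identically.
    print(resolve_unsafe(SAMPLE_ATTR, legit), resolve_safe(SAMPLE_ATTR, legit))
    probe = ["stack", "context", "auth_token"]
    # The getattr() fallback lets the same path syntax leave the data entirely.
    print(can_select(resolve_unsafe, SAMPLE_PARAM, probe))  # True: token reachable
    print(can_select(resolve_safe, SAMPLE_PARAM, probe))    # False: TypeError
```

The hardened walker is the property the fix enforces: once the selection path meets a value that is neither a map nor a list, resolution stops with an error rather than consulting the object's attributes, so nothing reachable only through getattr() is ever exposed to a template.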

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/73812

Jeremy Stanley (fungi) wrote :

Was this introduced prior to the Havana release, or only during the Icehouse development cycle?

Changed in ossa:
status: New → Incomplete
Clint Byrum (clint-fewbar) wrote : Re: [Bug 1280526] Re: get_param and get_attr allow user to introspect Python objects

Icehouse. Very recent, not even in i2.

Excerpts from Jeremy Stanley's message of 2014-02-16 03:51:23 UTC:
> Was this introduced prior to the Havana release, or only during the
> Icehouse development cycle?
>

Thierry Carrez (ttx) wrote :

OK, then it should just get fixed in master, no advisory published (never released)

Changed in ossa:
status: Incomplete → Won't Fix
OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/73812
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=f4dfe23bc3aec414d3c62d36a5f97acdb237e288
Submitter: Jenkins
Branch: master

commit f4dfe23bc3aec414d3c62d36a5f97acdb237e288
Author: Zane Bitter <email address hidden>
Date: Mon Feb 17 16:51:39 2014 -0500

    Prevent user introspection of Python objects

    The get_attr and get_param built-in functions in HOT allowed introspection
    of Python objects as well as traversing lists and maps, which we very much
    do not want.

    Fixes bug #1280526

    Change-Id: I5f8f4bfa37d33eb0a1df962b69a3b6e029ad0048

Changed in heat:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in heat:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in heat:
milestone: icehouse-3 → 2014.1
This report contains Public Security information. Everyone can see this security related information.