Parameters to "create" are not validated in heat-cfn-api

Bug #1317667 reported by Zane Bitter
This bug affects 1 person
Affects: OpenStack Heat
Status: Fix Released
Importance: Critical
Assigned to: andersonvom

Bug Description

The change https://review.openstack.org/#/c/88444/ moved validation of the input parameters to stack_create and stack_update from the engine to heat-api. This means that parameters passed to heat-cfn-api are no longer validated.

This could be a major security hole, since it allows users to pass arbitrary arguments to the constructor of parser.Stack.
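The failure mode in the report above, as an added example that is not Heat's code: two front ends share one engine, only one of them validates, and the engine passes what it receives straight to a constructor. Every name here (`Stack` stand-in, `extract_args`, `ALLOWED`, `owner_id`, both `engine_create_*` functions) is hypothetical and the request is constructed.

```python
# Added illustration: hypothetical names, not Heat's own code.
class Stack:
    """Stand-in for an object the engine builds from request arguments."""
    def __init__(self, name, timeout_mins=60, disable_rollback=True,
                 owner_id=None):  # owner_id: constructed internal-only field
        self.name = name
        self.timeout_mins = timeout_mins
        self.disable_rollback = disable_rollback
        self.owner_id = owner_id

def parse_bool(value):
    text = str(value).strip().lower()
    if text in ("true", "1"):
        return True
    if text in ("false", "0"):
        return False
    raise ValueError("not a boolean: %r" % (value,))

# Constructed allow-list: the only keys a caller may set, with their parsers.
ALLOWED = {"timeout_mins": int, "disable_rollback": parse_bool}

def extract_args(params):
    """Reject unknown keys and coerce known ones to their expected type."""
    unknown = sorted(set(params) - set(ALLOWED))
    if unknown:
        raise ValueError("unexpected arguments: " + ", ".join(unknown))
    return {key: ALLOWED[key](value) for key, value in params.items()}

def engine_create_trusting(name, args):
    # Engine assumes its caller validated; true for only one front end below.
    return Stack(name, **args)

def engine_create_checked(name, args):
    # Validation at the boundary every front end has to cross.
    return Stack(name, **extract_args(args))

def native_api_create(engine, name, body):
    return engine(name, extract_args(body))  # validates before forwarding

def cfn_api_create(engine, name, query):
    return engine(name, dict(query))  # forwards the request as received

if __name__ == "__main__":
    request = {"timeout_mins": "30", "owner_id": "someone-else"}  # constructed
    print(cfn_api_create(engine_create_trusting, "demo", request).owner_id)
    try:
        cfn_api_create(engine_create_checked, "demo", request)
    except ValueError as exc:
        print("rejected:", exc)
```

With the trusting engine the second front end sets a field no caller should control and leaves `timeout_mins` as an unparsed string; with the checked engine both front ends get the same allow-list and type coercion.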

OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/92919

Changed in heat:
assignee: nobody → Zane Bitter (zaneb)
status: New → In Progress
Zane Bitter (zaneb)
Changed in heat:
status: In Progress → Triaged
assignee: Zane Bitter (zaneb) → nobody
assignee: nobody → Jason Dunsmore (jasondunsmore)
milestone: none → juno-1
Jeremy Stanley (fungi) wrote :

Marking this incomplete for OSSA as a safety precaution, but just to confirm it looks to me like the bug was introduced after the Icehouse release, and so hasn't actually appeared in any stable release where an advisory would be warranted. Is that correct?

Changed in ossa:
status: New → Incomplete
Jason Dunsmore (jasondunsmore) wrote :

That is correct Jeremy. Thanks.

Changed in heat:
status: Triaged → In Progress
Jeremy Stanley (fungi)
no longer affects: ossa
Changed in heat:
assignee: Jason Dunsmore (jasondunsmore) → andersonvom (andersonvom)
OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/92919
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=5d1b4ab3e947f2974060a82208e08abd4b1fdac3
Submitter: Jenkins
Branch: master

commit 5d1b4ab3e947f2974060a82208e08abd4b1fdac3
Author: Jason Dunsmore <email address hidden>
Date: Fri May 9 09:31:12 2014 -0500

    Move API parameter parsing from OpenStack API to engine

    In commit 4169c1bd8ce4db0a794e22471994ea401b77b9c0, the API parameter
    parsing was moved to the OpenStack API. Since then, inputs to the CFN
    API were not being validated, creating a security hole.

    Change-Id: I21920591075bcefbe695316dab6605afd6f4ec64
    Closes-Bug: #1317667

Changed in heat:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in heat:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in heat:
milestone: juno-1 → 2014.2
This report contains Public Security information  
Everyone can see this security related information.
