secret creation fails with large strings

Bug #1335327 reported by Douglas Mendizábal
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Barbican | Fix Released | High | John Vrbanac | 

Bug Description

Failing Functional tests:

test_creating_secret_w_mode_large_string
test_creating_secret_w_large_string_values

Barbican is not validating the size of the "name", "algorithm" and "mode" values when creating a secret. When you try to create a secret and pass values that are longer than the database column size, the repo layer explodes resulting in a 500 response.

Expected Response: 201

Actual Response: 500

Steps to recreate:

POST to /secrets

{"name": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", "algorithm": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", "bit_length": 128, "mode": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", "payload_content_type": "text/plain", "payload": "secret_with_big_metadata_strings"}

description: updated
Changed in barbican:
status: New → Confirmed
Changed in barbican:
importance: Undecided → High
Changed in barbican:
assignee: nobody → John Vrbanac (john.vrbanac)
John Vrbanac (john.vrbanac) wrote :

Discussed with John Wood regarding the appropriate status code responses. It seems like the appropriate code should be a 400, as a single field is just too long and not that the request is too long. I'll add limits in the jsonschema validation and a few functional tests around oversized name, algorithm, and mode fields.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (master)

Fix proposed to branch: master
Review: https://review.openstack.org/124514

Changed in barbican:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to barbican (master)

Reviewed: https://review.openstack.org/124514
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=92b7bed898fa2440463dc3b7c69e06c1115182e3
Submitter: Jenkins
Branch: master

commit 92b7bed898fa2440463dc3b7c69e06c1115182e3
Author: John Vrbanac <email address hidden>
Date: Fri Sep 26 16:22:33 2014 -0500

    Adding size limits for create secret json fields

    Setting maxLength for name, algorithm, mode, expiration,
    payload_content_type, and payload_content_encoding fields.

    Payload size is already validated through other means.

    Change-Id: Id48c5ca9e7af6e8a49591787a58427255eee10b7
    Closes-Bug: #1335327

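The following is an added illustration of the failure described in the bug report and of the fix the commit above describes; it is not Barbican's code. It models a POST /secrets handler in which a hypothetical repository layer rejects values wider than its column, exactly the path that produced the 500, and then adds the per-field maxLength check in front of it so the same oversized request is answered with a 400 naming the offending field (the status code John Vrbanac's comment settles on). The 255-character limits, the column-width simulation, the field names beyond those listed in the commit message, and the sample request bodies are all assumptions or constructed inputs; Barbican's real limits live in its jsonschema validators, and this example enforces the equivalent of the `maxLength` keyword without depending on the `jsonschema` package.

```python
"""Simulated POST /secrets handler: why field lengths are checked before the
repository layer ever sees the request. Added example, not Barbican's code."""
import json

# Assumed limits. The commit sets jsonschema maxLength on these fields; the
# value 255 here is an assumption, not taken from Barbican's actual schema.
SECRET_FIELD_MAX_LENGTH = {
    "name": 255,
    "algorithm": 255,
    "mode": 255,
    "expiration": 255,
    "payload_content_type": 255,
    "payload_content_encoding": 255,
}


class RepositoryError(Exception):
    """Stands in for the database driver's 'value too long for column' error."""


def _simulated_repo_store(body):
    """Hypothetical repository layer: models VARCHAR columns that reject
    oversized values with a driver exception, as the pre-fix server hit."""
    for field, limit in SECRET_FIELD_MAX_LENGTH.items():
        value = body.get(field)
        if isinstance(value, str) and len(value) > limit:
            raise RepositoryError(f"value too long for column {field}")
    return {"secret_ref": "http://example.invalid/v1/secrets/<constructed-id>"}


def validate_secret_fields(body, limits=SECRET_FIELD_MAX_LENGTH):
    """Return a list of validation messages; an empty list means the body passes.
    Mirrors what a jsonschema 'maxLength' keyword enforces, without the dependency."""
    errors = []
    for field, limit in limits.items():
        if body.get(field) is None:
            continue  # optional field: absent or null is acceptable here
        value = body[field]
        if not isinstance(value, str):
            errors.append(f"{field}: expected a string")
        elif len(value) > limit:
            errors.append(f"{field}: length {len(value)} exceeds maxLength {limit}")
    return errors


def handle_create_secret(raw_body, schema_validation=True):
    """Return (status_code, response_dict) for a POST /secrets body.

    schema_validation=False reproduces the pre-fix path: no length check, the
    repository raises, and the client sees a 500. With it on, the same request
    is rejected up front with a 400 that names the field that is too long.
    """
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, {"title": "Bad Request", "description": "malformed JSON"}
    if schema_validation:
        errors = validate_secret_fields(body)
        if errors:
            return 400, {"title": "Bad Request", "description": "; ".join(errors)}
    try:
        return 201, _simulated_repo_store(body)
    except RepositoryError:
        # An unhandled driver error surfaces to the client as a generic 500.
        return 500, {"title": "Internal Server Error"}


def oversized_request():
    """Constructed request mirroring the report's reproduction: 500-character
    name, algorithm and mode values (the report uses runs of zeros)."""
    big = "0" * 500
    return json.dumps({
        "name": big, "algorithm": big, "bit_length": 128, "mode": big,
        "payload_content_type": "text/plain",
        "payload": "secret_with_big_metadata_strings",
    })


def normal_request():
    """Constructed well-formed request for the success path."""
    return json.dumps({
        "name": "app-key", "algorithm": "aes", "bit_length": 128, "mode": "cbc",
        "payload_content_type": "text/plain", "payload": "hunter2",
    })


if __name__ == "__main__":
    print("pre-fix :", handle_create_secret(oversized_request(), schema_validation=False)[0])
    print("post-fix:", handle_create_secret(oversized_request())[0])
    print("normal  :", handle_create_secret(normal_request())[0])
```

The ordering is the point: schema validation runs before any repository call, so an oversized value never reaches the database driver, and the client gets a 400 with a description it can act on rather than a 500 that also leaves a stack trace in the server log. The payload field is deliberately absent from the limits table, matching the commit message's note that payload size is validated elsewhere.
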
Changed in barbican:
status: In Progress → Fix Committed
Changed in barbican:
milestone: none → juno-rc1
Thierry Carrez (ttx)
Changed in barbican:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in barbican:
milestone: juno-rc1 → 2014.2