[Horizon] Can not delete container with XSS-injected name

Bug #1466044 reported by Kyrylo Romanenko
Affects             Status        Importance  Assigned to      Milestone
Mirantis OpenStack  Fix Released  Medium      Vlad Okhrimenko
  6.1.x             Won't Fix     Medium      MOS Horizon
  7.0.x             Fix Released  Medium      Vlad Okhrimenko

Bug Description

Steps:
1. Log in to the Horizon Dashboard as the admin user.
2. Navigate to Project -> Object Store -> Containers page.
3. Create Containers with names:
    3.1 '';!--"<XSS>=&{()}
    3.2 <IMG SRC="javascript:alert('XSS');">
    3.3 <IMG SRC=javascript:alert('XSS')>

4. Try to delete these containers.

dashboard.log snippet:
ClientException: Container GET failed: http://172.16.0.2:8080/swift/v1/None?format=json&limit=10000&delimiter=/ 404 Not Found {"Code":"NoSuchBucket"}
<139>Jun 17 10:35:09 node-1 dashboard-django.request: ERROR Internal Server Error: /horizon/project/containers/

Configuration:
Juno on Ubuntu 14.04.1
1 Controller+CephOSD
1 Compute+CephOSD
1 Storage+CephOSD
Ceph RadosGW for objects (Swift API), Ceph RBD for volumes and Images
Neutron with VLAN segmentation

VERSION:
  feature_groups:
    - mirantis
  production: "docker"
  release: "6.1"
  openstack_version: "2014.2.2-6.1"
  api: "1.0"
  build_number: "522"
  build_id: "2015-06-16_13-53-26"
  nailgun_sha: "fa8dec50f3df2626c97f6c38a897cf4e0f80b39d"
  python-fuelclient_sha: "4fc55db0265bbf39c369df398b9dc7d6469ba13b"
  astute_sha: "1ea8017fe8889413706d543a5b9f557f5414beae"
  fuel-library_sha: "3528dddbd0c961290909d5e3e256f55ff75cd2fc"
  fuel-ostf_sha: "8fefcf7c4649370f00847cc309c24f0b62de718d"
  fuelmain_sha: "42020c36d6dec9fedf61faa68aa3674156d41977"

Tags: horizon swift
Dmitry Mescheryakov (dmitrymex) wrote :

@Kyrylo, did you check if containers are deletable with swift client via CLI?

Changed in mos:
status: New → Incomplete
Kyrylo Romanenko (kromanenko) wrote :

The Swift client via CLI works. For example, I deleted container <IMG SRC=javascript:alert('XSS')>:
# swift delete '<IMG SRC=javascript:alert('\''XSS'\'')>'

Dmitry Mescheryakov (dmitrymex) wrote :

Ok, then I consider it to be medium importance since there is a clear workaround.

Changed in mos:
status: Incomplete → Confirmed
importance: High → Medium
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/horizon (openstack-ci/fuel-7.0/2015.1.0)

Fix proposed to branch: openstack-ci/fuel-7.0/2015.1.0
Change author: Kuo-tung Kao <email address hidden>
Review: https://review.fuel-infra.org/9653

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/horizon (openstack-ci/fuel-7.0/2015.1.0)

Reviewed: https://review.fuel-infra.org/9653
Submitter: mos-infra-ci <>
Branch: openstack-ci/fuel-7.0/2015.1.0

Commit: d07ba18fd3b740043746fe382651f02679354f6f
Author: Kuo-tung Kao <email address hidden>
Date: Mon Jul 20 14:23:00 2015

Delete failed when object id contains special chars.

Cannot delete a container or object when its id contains a special char
like "'", "_".

example name:

1. '';!--"<XSS>=&{()}
2. <IMG SRC="javascript:alert('XSS');">

cherry-pick from 41d7e0d730ea6f9220f77e31cf7b48875b0ec3e9
Closes-Bug: #1466044

Change-Id: I14385ecc800880f23d944a2511fa625ed842dce8

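The failure reproduced in the bug description (a raw container name that ends up routed as `None` and rendered as markup) and the fix announced in the commit message above both come down to two separate encodings of the same string. As an added illustration, not code from Horizon or from this change, the Python below shows a container name from the report being percent-encoded as a single URL path segment for the Swift request and HTML-escaped before display; the `SWIFT_BASE` endpoint and the three names are taken from the report, everything else is assumed.

```python
import html
from urllib.parse import quote, unquote, urlsplit

# Container names copied from the bug report's reproduction steps.
TRICKY_NAMES = [
    "'';!--\"<XSS>=&{()}",
    "<IMG SRC=\"javascript:alert('XSS');\">",
    "<IMG SRC=javascript:alert('XSS')>",
]

# Endpoint shaped like the one in the dashboard.log snippet (assumed, not a live host).
SWIFT_BASE = "http://172.16.0.2:8080/swift/v1"


def container_url(name: str) -> str:
    """Build the container listing URL with the name as one encoded path segment.

    safe='' also encodes '/', so a name can never add extra path components
    or collide with the '/' prefix delimiter used in the query string.
    """
    if not name:
        raise ValueError("container name must not be empty")
    return f"{SWIFT_BASE}/{quote(name, safe='')}?format=json&limit=10000&delimiter=/"


def name_from_url(url: str) -> str:
    """Recover the original container name from a URL built by container_url()."""
    segment = urlsplit(url).path.rsplit("/", 1)[-1]
    return unquote(segment)


def display_name(name: str) -> str:
    """HTML-escape a stored name before it is placed in a page or template.

    Escaping at output time is what keeps an attacker-chosen name from being
    interpreted as markup in the container listing.
    """
    return html.escape(name, quote=True)


def check_name(name: str) -> bool:
    """True when the name survives the URL round trip unchanged and its
    escaped form contains none of the characters that open markup."""
    rendered = display_name(name)
    return (name_from_url(container_url(name)) == name
            and not any(c in rendered for c in "<>\"'"))
```

Run `check_name` over `TRICKY_NAMES` to confirm that each name from the report both routes to the right container and renders inert.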
Oleksiy Butenko (obutenko) wrote :

verified on {"build_id": "2015-07-23_10-59-34", "build_number": "82", "release_versions": {"2015.1.0-7.0": {"VERSION": {"build_id": "2015-07-23_10-59-34", "build_number": "82", "api": "1.0", "fuel-library_sha": "58d94955479aee4b09c2b658d90f57083e668ce4", "nailgun_sha": "d1087923e45b0e6d946ce48cb05a71733e1ac113", "feature_groups": ["mirantis"], "openstack_version": "2015.1.0-7.0", "fuel-agent_sha": "bc25d3b728e823e6154bac0442f6b88747ac48e1", "production": "docker", "python-fuelclient_sha": "471948c26a8c45c091c5593e54e6727405136eca", "astute_sha": "b1f37a988e097175cbbd14338286017b46b584c3", "fuel-ostf_sha": "94a483c8aba639be3b96616c1396ef290dcc00cd", "release": "7.0", "fuelmain_sha": "68871248453b432ecca0cca5a43ef0aad6079c39"}}}, "auth_required": true, "api": "1.0", "fuel-library_sha": "58d94955479aee4b09c2b658d90f57083e668ce4", "nailgun_sha": "d1087923e45b0e6d946ce48cb05a71733e1ac113", "feature_groups": ["mirantis"], "openstack_version": "2015.1.0-7.0", "fuel-agent_sha": "bc25d3b728e823e6154bac0442f6b88747ac48e1", "production": "docker", "python-fuelclient_sha": "471948c26a8c45c091c5593e54e6727405136eca", "astute_sha": "b1f37a988e097175cbbd14338286017b46b584c3", "fuel-ostf_sha": "94a483c8aba639be3b96616c1396ef290dcc00cd", "release": "7.0", "fuelmain_sha": "68871248453b432ecca0cca5a43ef0aad6079c39"}

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/horizon (openstack-ci/fuel-8.0/liberty)

Fix proposed to branch: openstack-ci/fuel-8.0/liberty
Change author: Kuo-tung Kao <email address hidden>
Review: https://review.fuel-infra.org/13361

Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/horizon (openstack-ci/fuel-8.0/liberty)

Change abandoned by Paul Karikh <email address hidden> on branch: openstack-ci/fuel-8.0/liberty
Review: https://review.fuel-infra.org/13361
