Potential XSS in image create modal or angular table

Bug #1622690 reported by Daniel Castellanos
This bug affects 2 people
Affects                        Status        Importance  Assigned to    Milestone
OpenStack Dashboard (Horizon)  Fix Released  High        Richard Jones
OpenStack Security Advisory    Won't Fix     Undecided   Unassigned

Bug Description

The Image Create modal allows you to create an image sending unencoded HTML and JavaScript. This could lead to a potential XSS attack.

Steps to reproduce:

1. Go to project>images
2. Click on "Create image"
3. In the "Image Name" input enter some HTML code or script code (i.e. <h1>This is bad</h1>, <script>alert('This is bad');</script>)
4. Fill in other required fields
5. Click on 'Create Image'

Expected Result:
The image is created but the name is safely encoded and it's shown in the table as it was written

Actual Result:
The image name is not encoded and therefore is being rendered as HTML by the browser.
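The encoding the expected result asks for, as an added example that is not Horizon's code or the patch referenced later in this thread: an HTML-escaping helper beside a hypothetical table-cell renderer in its unencoded and encoded forms, run over the sample names from the reproduction steps. The renderer functions and the string-concatenation rendering are assumptions for illustration; Horizon's Angular table does not build cells this way.

```javascript
// Added example, not Horizon's code or its fix: the encoding step the report's
// expected result describes. Untrusted text (an image name) must be HTML-escaped
// before it is concatenated into markup; otherwise the browser parses it as tags.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the five characters that can open a tag, close a tag, or break out of
// an attribute value. A single pass over the string avoids double-encoding "&".
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reverse mapping, used only to show what the browser will *display* for the
// escaped markup: the name exactly as the user typed it.
function unescapeHtml(value) {
  const reverse = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };
  return String(value).replace(/&(amp|lt|gt|quot|#39);/g, (entity) => reverse[entity]);
}

// Vulnerable form (hypothetical renderer): the name is dropped into the cell
// as-is, which is the behaviour the report's "Actual Result" describes.
function renderNameCellUnsafe(name) {
  return `<td>${name}</td>`;
}

// Hardened form: the same cell with the name encoded, the "Expected Result".
function renderNameCellSafe(name) {
  return `<td>${escapeHtml(name)}</td>`;
}

// Check a reviewer or unit test can run: the text between the cell's own <td>
// tags contains no angle brackets, so no element from the name reaches the DOM.
function cellContainsOnlyCellTags(cell) {
  const inner = cell.slice("<td>".length, -"</td>".length);
  return !/[<>]/.test(inner);
}

// Constructed sample input: the two names from the reproduction steps above.
const SAMPLE_NAMES = ["<h1>This is bad</h1>", "<script>alert('This is bad');</script>"];

for (const name of SAMPLE_NAMES) {
  console.log("unsafe:", renderNameCellUnsafe(name));
  console.log("safe:  ", renderNameCellSafe(name));
  console.log("shown: ", unescapeHtml(escapeHtml(name)));
}
```

In AngularJS, `{{ }}` interpolation and `ng-bind` perform the same encoding as `escapeHtml` automatically; `ng-bind-html` (and any template that concatenates a model value into markup) is the kind of binding to audit when a field such as an image name renders as HTML.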

Jeremy Stanley (fungi)
Changed in ossa:
status: New → Incomplete
description: updated
description: updated
Revision history for this message
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Jeremy Stanley (fungi)
description: updated
David Lyle (david-lyle)
Changed in horizon:
status: New → Confirmed
importance: Undecided → High
milestone: none → newton-rc1
Revision history for this message
Grant Murphy (gmurphy) wrote :

I reproduced this on devstack.

Changed in ossa:
status: Incomplete → Confirmed
Revision history for this message
Richard Jones (r1chardj0n3s) wrote :

Verified and patch to fix is attached.

Revision history for this message
Rob Cresswell (robcresswell-deactivatedaccount) wrote :

Patch works correctly, thanks Richard. Need a second review then we can merge ASAP.

This code was added in https://github.com/openstack/horizon/commit/146256f8c71d209c2ead178d3d5c0d902c5e8846 (July 5th) so shouldn't need a backport.

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Since this isn't affecting any release (and it seems it isn't, since the offending commit is only in the 10.0.0.0b2 and 10.0.0.0b3 tags), there is no need for an embargo. Feel free to open this bug report, submit the patch directly to gerrit and request a Newton FFE.

Thank you for the fast feedback.

Revision history for this message
Rob Cresswell (robcresswell-deactivatedaccount) wrote :

Despite this not being in formally released code, I would not open this. Some teams run fairly close to master, and since we have a valid patch, we may as well keep it hidden until said patch is merged, no?

I realise that isn't strictly the policy, but it just seems a sensible course of action.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Fair enough, though it should be switched to public shortly before the fix mentioning this bug is pushed into public code review. Also the OpenStack VMT as policy doesn't request CVE assignment nor publish security advisories for vulnerabilities in unreleased software so I'm switching the OSSA task to won't fix... class Y (Vulnerability only found in development release) in our report taxonomy: https://security.openstack.org/vmt-process.html#incident-report-taxonomy

Changed in ossa:
status: Confirmed → Won't Fix
Revision history for this message
David Lyle (david-lyle) wrote :

+2 on #3 from me. Verified, and it is a clean fix.

Revision history for this message
Richard Jones (r1chardj0n3s) wrote :

As I understand the process, not getting a CVE means we just skip that step and go straight to opening the bug and getting the patch up to merge.

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Rob, the patch alone seems enough to understand the security issue, so I'm in favor of switching this report to public once the patch is submitted to public gerrit. This will let the "Closes-Bug" reference in the commit message properly update the Launchpad report, and it'll probably be easier to fast-track the FFE like that.

Revision history for this message
Richard Jones (r1chardj0n3s) wrote :

The fix has been merged as https://review.openstack.org/#/c/369779/

David Lyle (david-lyle)
Changed in horizon:
status: Confirmed → Fix Committed
assignee: nobody → Richard Jones (r1chardj0n3s)
David Lyle (david-lyle)
information type: Private Security → Public Security
Jeremy Stanley (fungi)
description: updated
Changed in horizon:
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon 10.0.0.0rc1

This issue was fixed in the openstack/horizon 10.0.0.0rc1 release candidate.

This report contains Public Security information: everyone can see this security-related information.