No proper validation for url path in curl-request.

Bug #1654569 reported by Goutham Pratapa
Affects: Kingbird
Status: Fix Released
Importance: Undecided
Assigned to: Goutham Pratapa

Bug Description

In the present implementation of Kingbird there is no proper validation of the URL path of the curl request.

If we change the first part of any request's URL path, i.e.

<admin_tenant_id/tenant_id>/<os-quota-sets/os-quota-class-sets/os-sync>/

to

<dummy/fake/anything>/<os-quota-sets/os-quota-class-sets/os-sync>/

it produces output.

E.g.:

Here I used a curl request which gives the default quotas, changing

http://$kb_ip_addr:8118/v1.0/$admin_tenant_id/os-quota-sets/tenant-id/<detail/sync/defaults>

to

http://$<kb-ip>:8118/v1.0/dummy/os-quota-sets/tenant-id/<detail/sync/defaults>

Curl request:

export TOKEN=`curl -si -d @/home/ubuntu/69.11_backup/kb_curls/token-request.json -H "Content-type: application/json" http://<kb-ip>:35357/v3/auth/tokens| awk '/X-Subject-Token/ {print $2}'`

curl -H "Content-Type: application/json" -H "X-Auth-Token: $TOKEN" http://<kb-ip>:8118/v1.0/dummy/os-quota-sets/defaults

token-request.json:

{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "domain": {
                        "name": "Default"
                    },
                    "name": "demo",
                    "password": "xxxxxx"
                }
            }
        },
        "scope": {
            "project": {
                "domain": {
                    "name": "Default"
                },
                "name": "demo"
            }
        }
    }
}

Generated output:

$bash default-quota-class.sh
{"quota_set": {"metadata_items": 128, "subnet": 10, "network": 10, "floatingip": 50, "gigabytes": 1000, "backup_gigabytes": 1000, "ram": 51200, "floating_ips": 10, "snapshots": 10, "security_group_rule": 100, "instances": 10, "key_pairs": 100, "volumes": 10, "cores": 20, "security_group": 10, "router": 10, "backups": 10, "fixed_ips": -1, "port": 10, "security_groups": 20}}

Expected result:

400 Bad Request

Invalid request URL

Changed in kingbird:
status: New → Confirmed
Changed in kingbird:
status: Confirmed → In Progress
assignee: nobody → Goutham Pratapa (pratapagoutham)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kingbird (master)

Fix proposed to branch: master
Review: https://review.openstack.org/418317

OpenStack Infra (hudson-openstack) wrote : Change abandoned on kingbird (master)

Change abandoned by Goutham Pratapa (<email address hidden>) on branch: master
Review: https://review.openstack.org/418317

OpenStack Infra (hudson-openstack) wrote : Fix merged to kingbird (master)

Reviewed: https://review.openstack.org/415235
Committed: https://git.openstack.org/cgit/openstack/kingbird/commit/?id=ef2c5de3a8b3642ecf13a21715bf288e30f47672
Submitter: Jenkins
Branch: master

commit ef2c5de3a8b3642ecf13a21715bf288e30f47672
Author: Goutham Pratapa <email address hidden>
Date: Tue Dec 27 19:30:11 2016 +0530

    Restrict & validate KB-tenants to view own quotas

    Currently non-admin tenants can view the quotas of other tenants.
    With this change we can restrict such actions by throwing the exception
    "Admin required". Added test cases for the same.

    Currently there is no validation of the URL in the curl request.
    With this change we can validate the URL and restrict such actions.
    Added test cases and made them compatible with tempest.

    closes-bug: 1652747
    closes-bug: 1654569

    Change-Id: Ia27801e61004b1aef6397db8f6bfa183761949a4

Changed in kingbird:
status: In Progress → Fix Released
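The two checks the report and the fix's commit message call for, a 400 "Invalid request URL" for a bogus leading tenant segment and an "Admin required" error when a non-admin addresses another tenant's quota, as an added example that is not Kingbird's own code. It assumes a request context that carries the token's project id and admin flag, that the leading path segment must equal the caller's own project, and uses constructed ids p1/p2.

```python
import re
from dataclasses import dataclass

# Resources exposed under /v1.0/<tenant_id>/ as listed in the bug report.
RESOURCES = ("os-quota-sets", "os-quota-class-sets", "os-sync")

# /v1.0/<tenant>/<resource>[/<target>][/detail|sync|defaults...]
PATH_RE = re.compile(
    r"^/v1\.0/(?P<tenant>[^/]+)/(?P<resource>[^/]+)"
    r"(?:/(?P<target>[^/]+))?(?:/.*)?$"
)


@dataclass
class Context:
    """Caller identity as derived from the validated Keystone token (assumed shape)."""
    project_id: str
    is_admin: bool = False


class RequestError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status
        self.message = message


def validate_quota_path(path, ctx):
    """Return (resource, target) for an acceptable path, else raise RequestError.

    The 'dummy' tenant segment from the report fails the first check with 400;
    a non-admin naming another tenant as target fails the second with 403.
    """
    m = PATH_RE.match(path)
    if m is None or m.group("resource") not in RESOURCES:
        raise RequestError(400, "Invalid request URL")
    if m.group("tenant") != ctx.project_id:
        raise RequestError(400, "Invalid request URL")
    target = m.group("target")
    if target not in (None, "defaults") and target != ctx.project_id and not ctx.is_admin:
        raise RequestError(403, "Admin required")
    return m.group("resource"), target


def check(path, ctx):
    """Return (status, body) the way a handler wrapping the validation would."""
    try:
        resource, target = validate_quota_path(path, ctx)
    except RequestError as e:
        return e.status, e.message
    return 200, {"resource": resource, "target": target}
```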