Cinder

WsgiLimiterProxy code looks suspect

Bug #1823750 reported by Eric Harney on 2019-04-08

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Cinder	Fix Released	Undecided	Rajat Dhasmana
	OpenStack Shared File Systems Service (Manila)	Fix Released	Low	Goutham Pacha Ravi	OpenStack Shared File Systems Service (Manila) victoria-3

Bug Description

WsgiLimiterProxy check_for_delay() has the following:

if http_client.OK >= resp.status < http_client.MULTIPLE_CHOICES:

Ignoring that the intent of this to check for 2xx responses was obfuscated by the refactoring done here: https://review.openstack.org/#/c/426748/ , the logic here is wrong.

This translates to
if 200 >= resp.status < 300

Which is equivalent to
if resp.status <= 200

which means that the MULTIPLE_CHOICES/300 test is meaningless.

I assume this was supposed to be
if 200 <= resp.status < 300

to look for 2xx returns. I'm not sure what the impact of this is.

See original description

Tags:

Eric Harney (eharney) on 2019-04-08

description:

updated

Tom Barron (tpb) on 2019-04-11

Changed in manila:
status:	New → Confirmed

Jason Grosso (jgrosso) on 2019-04-18

tags:

added: low-hanging-fruit

Keerthi Reddy (keerthigd) on 2019-06-22

information type:

Public → Public Security

Revision history for this message

Jeremy Stanley (fungi) wrote on 2019-06-22:

Please don't switch a bug to Public Security (or Private Security) without first explaining why you suspect it represents a security vulnerability.

information type:

Public Security → Public

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-07-04: Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.opendev.org/669124

Changed in cinder:
assignee:	nobody → Rajat Dhasmana (whoami-rajat)
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-08-27: Change abandoned on cinder (master)

Change abandoned by Rajat Dhasmana (<email address hidden>) on branch: master
Review: https://review.opendev.org/669124

Revision history for this message

Vida Haririan (vhariria) wrote on 2020-08-27:

Additional comments http://eavesdrop.openstack.org/meetings/manila/2020/manila.2020-08-27-15.01.log.html

Revision history for this message

Goutham Pacha Ravi (gouthamr) wrote on 2020-08-27:

Hi,

The change on Cinder was abandoned, and so I suspect you agree that this isn't a bug in Cinder (as well)...

Summarizing from the discussion Vida pointed to above:

This check:

200 >= resp.status < 300

effectively checks if

resp.status ∈ [200, 299)

which means, "is the response from the WSGILimiterProxy service a 2xx status code [1]?"
The way this is written, the WsgiLimiterProxy that we're hitting returns a non 2xx when the API request must be rate limited. As such, I don't see any problem with this logic.

So, I'm setting this bug to Invalid, If you think otherwise, please let me know! :)

[1] https://tools.ietf.org/html/rfc7231#page-47

Changed in manila:
status:	Confirmed → Invalid

Revision history for this message

Goutham Pacha Ravi (gouthamr) wrote on 2020-08-27:

I'll answer myself here,

I should have run the code to test, I apologize - thankfully another Manila contributor did fact check me just now:

http://paste.openstack.org/show/797216/

for resp.status ∈ [200, 299), this check must be "200 <= resp.status < 300"

Changed in manila:
status:	Invalid → New

Revision history for this message

Rajat Dhasmana (whoami-rajat) wrote on 2020-08-27:

Hi Goutham,

The reason of me abandoning it was i didn't want to continue work on it.

Sorry for not being clear about it but since this has been causing some confusion, I've updated the logic to be more readable.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-08-27: Fix proposed to manila (master)

Fix proposed to branch: master
Review: https://review.opendev.org/748493

Changed in manila:
assignee:	nobody → Goutham Pacha Ravi (gouthamr)
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-08-28: Fix merged to manila (master)

Reviewed: https://review.opendev.org/748493
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=090d903b707e0dd84c7cd68cf15476356ce5a83f
Submitter: Zuul
Branch: master

commit 090d903b707e0dd84c7cd68cf15476356ce5a83f
Author: Goutham Pacha Ravi <email address hidden>
Date: Thu Aug 27 10:31:22 2020 -0700

Fix WsgiLimiterProxy check

    The code in the WsgiLimiterProxy checks the response
    from the proxy to be in the range [200, 299] to
    determine if an API request must be rate limited, but
    the check currently corresponds to checking for <=200.

    This may not have been consequential since a Proxy
    is not expected to set the "X-Wait-Seconds" header in
    the response when there is nothing to delay - so, even
    with this incorrect check, we weren't rate limiting
    incorrectly with a proxy that was setup correctly.

    Change-Id: Id58a87b24b19e1d489fe808d11d59cc93df390f2
    Closes-Bug: #1823750
    Signed-off-by: Goutham Pacha Ravi <email address hidden>

Changed in manila:
status:	In Progress → Fix Released

Goutham Pacha Ravi (gouthamr) on 2020-09-01

Changed in manila:
importance:	Undecided → Low
milestone:	none → victoria-3

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-09-28: Fix merged to cinder (master)

#10

Reviewed: https://review.opendev.org/669124
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=d72f738c014fc76596d2f323e94cdb0e97116e71
Submitter: Zuul
Branch: master

commit d72f738c014fc76596d2f323e94cdb0e97116e71
Author: whoami-rajat <email address hidden>
Date: Thu Jul 4 15:14:29 2019 +0530

Correcting the response status range in WsgiLimiterProxy

    The response status should lie between 200 and 300 but the operator
    used makes the condition true when response status is <= 200.
    This patch corrects the same.

Change-Id: I7368eb7674642032b1313afe900b5f36f8ab0dea
Closes-Bug: #1823750