Security Group Rule create with forged integer security_group_id causes exceptions

Bug #1968343 reported by Andrew Karpow
Affects   Status         Importance   Assigned to   Milestone
neutron   Fix Released   Medium       Unassigned

Bug Description

Assuming a project xyz has Security Groups, the following POST request fails with an HTTP 500 ValueError:

/v2.0/security-group-rules
{
 "security_group_rule": {
  "direction": "egress",
  "ethertype": "IPv4",
  "port_range_max": 443,
  "port_range_min": 443,
  "project_id": "xyz",
  "protocol": "tcp",
  "remote_ip_prefix": "34.231.24.224/32",
  "security_group_id": 0
 }
}

The ValueError is raised by Python's uuid module with `badly formed hexadecimal UUID string`.
This is because the prior validation, _check_security_group in securitygroups_db.py, uses
sg_obj.SecurityGroup.objects_exist(context, id=id), which yields true with MySQL, e.g.:

MariaDB [neutron]> SELECT count(*) FROM securitygroups WHERE securitygroups.id IN (0);
+----------+
| count(*) |
+----------+
|       15 |
+----------+
1 row in set, 46 warnings (0.001 sec)

MariaDB [neutron]> SHOW WARNINGS LIMIT 1;
+---------+------+--------------------------------------------------------------------------+
| Level   | Code | Message                                                                  |
+---------+------+--------------------------------------------------------------------------+
| Warning | 1292 | Truncated incorrect DOUBLE value: '77dd53b2-59c0-4208-b03c-9f9f65bf9a28' |
+---------+------+--------------------------------------------------------------------------+
1 row in set (0.000 sec)

Thus, the validation succeeds and the code path is followed until the id is converted to a UUID, which causes the unexpected exception.
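Added example (my own illustration, not neutron's code and not the fix linked below) of the mechanism this report describes. `mysql_double_cast` emulates the implicit string-to-DOUBLE conversion MySQL applies when a VARCHAR column is compared with a numeric literal, which is why `WHERE id IN (0)` matches every row whose id has no non-zero numeric prefix; `lookup_unsafe` reproduces the check-then-parse ordering that turns a forged integer into a ValueError; `validate_security_group_id` shows a type-and-format check that rejects the request before any query is built. All function names, the `SECURITY_GROUP_IDS` rows other than the one taken from the warning above, and the mapping of `InvalidInput` to an HTTP 400 are assumptions made for the example.

```python
"""Added example (not neutron's code): model of why an integer
security_group_id passes an existence check on MySQL, and a check that
rejects it before the query is issued.

Everything here is constructed for illustration: the function names,
the SECURITY_GROUP_IDS rows, and the assumption that InvalidInput is
mapped to an HTTP 400 by the API layer.
"""
import re
import uuid

# Constructed sample rows standing in for a project's securitygroups table.
SECURITY_GROUP_IDS = [
    "77dd53b2-59c0-4208-b03c-9f9f65bf9a28",  # the id from the report's warning
    "0c0bb1d1-38e3-4e3c-8e8a-2e0a2a3b5c6d",  # constructed
    "a7f1e2d3-4b5c-6d7e-8f90-1a2b3c4d5e6f",  # constructed
]

# Longest numeric prefix MySQL accepts when it coerces a string to DOUBLE.
_LEADING_NUMBER = re.compile(r"^\s*[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?")


def mysql_double_cast(text):
    """Emulate MySQL's implicit string -> DOUBLE conversion.

    When a VARCHAR column is compared with a numeric literal, MySQL takes
    the leading numeric prefix of each stored string (warning 1292
    "Truncated incorrect DOUBLE value"); a string with no numeric prefix
    becomes 0. So '77dd53b2-...' -> 77.0 and 'a7f1e2d3-...' -> 0.0.
    """
    m = _LEADING_NUMBER.match(text)
    return float(m.group(0)) if m else 0.0


def objects_exist_like_mysql(rows, requested_id):
    """Stand-in for SecurityGroup.objects_exist(context, id=requested_id).

    A numeric parameter makes MySQL evaluate `id IN (?)` in the DOUBLE
    domain, so every stored UUID is coerced and any that collapses to the
    same number matches. A string parameter is compared as a string.
    """
    if isinstance(requested_id, (int, float)):  # bool is an int subclass
        return any(mysql_double_cast(r) == float(requested_id) for r in rows)
    return requested_id in rows


def lookup_unsafe(rows, requested_id):
    """The ordering from the report: existence check first, UUID parsing later.

    With requested_id=0 the check passes and uuid.UUID(str(0)) raises
    ValueError('badly formed hexadecimal UUID string'), i.e. an HTTP 500.
    """
    if not objects_exist_like_mysql(rows, requested_id):
        raise LookupError("SecurityGroupNotFound")
    return uuid.UUID(str(requested_id))


class InvalidInput(ValueError):
    """Assumed to be mapped to an HTTP 400 by the API layer."""


def validate_security_group_id(value):
    """Accept only a string holding a canonical UUID; reject everything else.

    Integers, booleans, null, lists and malformed strings all fail here,
    so no query is ever built from them. Canonical form (lowercase,
    hyphenated) is required so that spellings uuid.UUID tolerates but the
    database does not store ('{...}', 'urn:uuid:...', 32 bare hex digits)
    are refused as well.
    """
    if not isinstance(value, str):
        raise InvalidInput(
            f"security_group_id must be a UUID string, got {type(value).__name__}")
    try:
        parsed = uuid.UUID(value)
    except ValueError:
        raise InvalidInput(f"security_group_id {value!r} is not a UUID") from None
    if str(parsed) != value.lower():
        raise InvalidInput(f"security_group_id {value!r} is not in canonical form")
    return str(parsed)


def lookup_safe(rows, requested_id):
    """Validate first, query second: a forged id is a 400, an unknown one a 404."""
    sg_id = validate_security_group_id(requested_id)
    if not objects_exist_like_mysql(rows, sg_id):
        raise LookupError("SecurityGroupNotFound")
    return uuid.UUID(sg_id)


def raises(exc_type, fn, *args):
    """Return True if fn(*args) raises exc_type (used by the demo below)."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    print("id IN (0) matches:", objects_exist_like_mysql(SECURITY_GROUP_IDS, 0))
    print("unsafe path raises ValueError:",
          raises(ValueError, lookup_unsafe, SECURITY_GROUP_IDS, 0))
    print("safe path rejects 0 as InvalidInput:",
          raises(InvalidInput, lookup_safe, SECURITY_GROUP_IDS, 0))
```

The harmful step is the query rather than the later ValueError: once a non-string reaches the existence check, the outcome is decided by the database's coercion rules instead of by the id. Checking the type and format at the API boundary, which is what forcing UUID validation does, means that query is never built from attacker-chosen input.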

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/837146

Changed in neutron:
status: New → In Progress
Andrew Karpow (andyonce)
Changed in neutron:
assignee: nobody → Andrew Karpow (andyonce)
Changed in neutron:
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/837168

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/neutron/+/837308

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/neutron/+/837309

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/neutron/+/837330

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/neutron/+/837332

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/neutron/+/837333

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/neutron/+/837334

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/837168
Committed: https://opendev.org/openstack/neutron/commit/c0bf560fa36aac798ad8783749fa78ddf766bdec
Submitter: "Zuul (22348)"
Branch: master

commit c0bf560fa36aac798ad8783749fa78ddf766bdec
Author: Andrew Karpow <email address hidden>
Date: Fri Apr 8 18:32:03 2022 +0200

    Force security_group_id uuid validation of sg rules

    security_groups_db._check_security_group is supposed to check the
    security_group_id of the _create_security_group_rule payload.
    When using an integer e.g. 0, as security_group_id, the check
    succeeds because MySQL accepts the following query:

    SELECT * FROM securitygroups WHERE id in (0)

    Forcing validation of security_group_id as uuid fixes the problem

    Closes-Bug: #1968343
    Change-Id: I7c36b09309c1ef66608afacfb281b6f4b06ea5b8

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/837309
Committed: https://opendev.org/openstack/neutron/commit/afe3ba73ea1b2c3c244050d672c23134fa4bc08c
Submitter: "Zuul (22348)"
Branch: stable/xena

commit afe3ba73ea1b2c3c244050d672c23134fa4bc08c
Author: Andrew Karpow <email address hidden>
Date: Fri Apr 8 18:32:03 2022 +0200

    Force security_group_id uuid validation of sg rules

    security_groups_db._check_security_group is supposed to check the
    security_group_id of the _create_security_group_rule payload.
    When using an integer e.g. 0, as security_group_id, the check
    succeeds because MySQL accepts the following query:

    SELECT * FROM securitygroups WHERE id in (0)

    Forcing validation of security_group_id as uuid fixes the problem

    Closes-Bug: #1968343
    Change-Id: I7c36b09309c1ef66608afacfb281b6f4b06ea5b8
    (cherry picked from commit c0bf560fa36aac798ad8783749fa78ddf766bdec)

tags: added: in-stable-xena
tags: added: in-stable-wallaby
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/837330
Committed: https://opendev.org/openstack/neutron/commit/5598510c80b4accb97ed7fc62f63ee400e4237ec
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 5598510c80b4accb97ed7fc62f63ee400e4237ec
Author: Andrew Karpow <email address hidden>
Date: Fri Apr 8 18:32:03 2022 +0200

    Force security_group_id uuid validation of sg rules

    security_groups_db._check_security_group is supposed to check the
    security_group_id of the _create_security_group_rule payload.
    When using an integer e.g. 0, as security_group_id, the check
    succeeds because MySQL accepts the following query:

    SELECT * FROM securitygroups WHERE id in (0)

    Forcing validation of security_group_id as uuid fixes the problem

    Closes-Bug: #1968343
    Change-Id: I7c36b09309c1ef66608afacfb281b6f4b06ea5b8
    (cherry picked from commit c0bf560fa36aac798ad8783749fa78ddf766bdec)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/837332
Committed: https://opendev.org/openstack/neutron/commit/f13ab9c0c76e6a90464b249e15db50f4a531ca52
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit f13ab9c0c76e6a90464b249e15db50f4a531ca52
Author: Andrew Karpow <email address hidden>
Date: Fri Apr 8 18:32:03 2022 +0200

    Force security_group_id uuid validation of sg rules

    security_groups_db._check_security_group is supposed to check the
    security_group_id of the _create_security_group_rule payload.
    When using an integer e.g. 0, as security_group_id, the check
    succeeds because MySQL accepts the following query:

    SELECT * FROM securitygroups WHERE id in (0)

    Forcing validation of security_group_id as uuid fixes the problem

    Closes-Bug: #1968343
    Change-Id: I7c36b09309c1ef66608afacfb281b6f4b06ea5b8
    (cherry picked from commit c0bf560fa36aac798ad8783749fa78ddf766bdec)

tags: added: in-stable-victoria
tags: added: in-stable-ussuri
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/837333
Committed: https://opendev.org/openstack/neutron/commit/d1cc994da52a4ef2fc9d336148e1f61d7920c16c
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit d1cc994da52a4ef2fc9d336148e1f61d7920c16c
Author: Andrew Karpow <email address hidden>
Date: Fri Apr 8 18:32:03 2022 +0200

    Force security_group_id uuid validation of sg rules

    security_groups_db._check_security_group is supposed to check the
    security_group_id of the _create_security_group_rule payload.
    When using an integer e.g. 0, as security_group_id, the check
    succeeds because MySQL accepts the following query:

    SELECT * FROM securitygroups WHERE id in (0)

    Forcing validation of security_group_id as uuid fixes the problem

    Closes-Bug: #1968343
    Change-Id: I7c36b09309c1ef66608afacfb281b6f4b06ea5b8
    (cherry picked from commit c0bf560fa36aac798ad8783749fa78ddf766bdec)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/837308
Committed: https://opendev.org/openstack/neutron/commit/e887386aa1e560562b0e3b0d1049887b2f1f1870
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit e887386aa1e560562b0e3b0d1049887b2f1f1870
Author: Andrew Karpow <email address hidden>
Date: Fri Apr 8 18:32:03 2022 +0200

    Force security_group_id uuid validation of sg rules

    security_groups_db._check_security_group is supposed to check the
    security_group_id of the _create_security_group_rule payload.
    When using an integer e.g. 0, as security_group_id, the check
    succededs because mysql accepts following query:

    SELECT * FROM securitygroups WHERE id in (0)

    Forcing validation of security_group_id as uuid fixes the problem

    Closes-Bug: #1968343
    Change-Id: I7c36b09309c1ef66608afacfb281b6f4b06ea5b8
    (cherry picked from commit c0bf560fa36aac798ad8783749fa78ddf766bdec)

tags: added: in-stable-yoga
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 17.4.0

This issue was fixed in the openstack/neutron 17.4.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 18.3.0

This issue was fixed in the openstack/neutron 18.3.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 19.2.0

This issue was fixed in the openstack/neutron 19.2.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/train)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/837334
Committed: https://opendev.org/openstack/neutron/commit/f5fa74c5c6926eb46403f6b0b5e0bd81a90cf234
Submitter: "Zuul (22348)"
Branch: stable/train

commit f5fa74c5c6926eb46403f6b0b5e0bd81a90cf234
Author: Andrew Karpow <email address hidden>
Date: Fri Apr 8 18:32:03 2022 +0200

    Force security_group_id uuid validation of sg rules

    security_groups_db._check_security_group is supposed to check the
    security_group_id of the _create_security_group_rule payload.
    When using an integer e.g. 0, as security_group_id, the check
    succeeds because MySQL accepts the following query:

    SELECT * FROM securitygroups WHERE id in (0)

    Forcing validation of security_group_id as uuid fixes the problem

    Closes-Bug: #1968343
    Change-Id: I7c36b09309c1ef66608afacfb281b6f4b06ea5b8
    (cherry picked from commit c0bf560fa36aac798ad8783749fa78ddf766bdec)

tags: added: in-stable-train
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 20.1.0

This issue was fixed in the openstack/neutron 20.1.0 release.

Revision history for this message
Slawek Kaplonski (slaweq) wrote : auto-abandon-script

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

Changed in neutron:
assignee: Andrew Karpow (andyonce) → nobody
tags: added: timeout-abandon
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by "Slawek Kaplonski <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/837146
Reason: This review is > 4 weeks without comment, and failed Zuul jobs the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 21.0.0.0rc1

This issue was fixed in the openstack/neutron 21.0.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron train-eol

This issue was fixed in the openstack/neutron train-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron ussuri-eol

This issue was fixed in the openstack/neutron ussuri-eol release.
