Cinder Eqlx driver fails to SSHInjectionThreat

Bug #1280409 reported by Toni Peltonen
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Cinder | Fix Released | Undecided | J M Jacob |

Bug Description

Cinder's Equallogic driver fails to create any volumes because /usr/lib/python2.6/site-packages/cinder/utils.py check_ssh_injection treats spaces as bad things. Tested with latest RDO Havana release.

2014-02-14 14:16:35.386 12786 ERROR cinder.openstack.common.rpc.common [req-b7476613-4e55-4407-be61-738081c20040 d9ac62582e7f4d4ab19a8df75bc8c06d bdf89879d78f4d278e8aad9f88cfb92e] ['Traceback (most recent call last):\n', ' File "/usr/lib/python2.6/site-packages/cinder/openstack/common/rpc/amqp.py", line 441, in _process_data\n **args)\n', ' File "/usr/lib/python2.6/site-packages/cinder/openstack/common/rpc/dispatcher.py", line 148, in dispatch\n return getattr(proxyobj, method)(ctxt, **kwargs)\n', ' File "/usr/lib/python2.6/site-packages/cinder/utils.py", line 819, in wrapper\n return func(self, *args, **kwargs)\n', ' File "/usr/lib/python2.6/site-packages/cinder/volume/manager.py", line 624, in initialize_connection\n conn_info = self.driver.initialize_connection(volume, connector)\n', ' File "/usr/lib/python2.6/site-packages/cinder/volume/drivers/eqlx.py", line 406, in initialize_connection\n volume[\'name\'])\n', ' File "/usr/lib64/python2.6/contextlib.py", line 23, in __exit__\n self.gen.next()\n', ' File "/usr/lib/python2.6/site-packages/cinder/volume/drivers/eqlx.py", line 397, in initialize_connection\n self._eql_execute(*cmd)\n', ' File "/usr/lib/python2.6/site-packages/cinder/volume/drivers/eqlx.py", line 219, in _eql_execute\n args, attempts=self.configuration.eqlx_cli_max_retries)\n', ' File "/usr/lib/python2.6/site-packages/cinder/volume/drivers/eqlx.py", line 177, in _run_ssh\n utils.check_ssh_injection(cmd_list)\n', ' File "/usr/lib/python2.6/site-packages/cinder/utils.py", line 166, in check_ssh_injection\n raise exception.SSHInjectionThreat(command=str(cmd_list))\n', "SSHInjectionThreat: SSH command injection detected: ('volume', 'select', u'volume-3045438e-096a-4838-a769-ec39692fa41f', 'access', 'create', 'initiator', u'iqn.1994-05.com.redhat:249bde2d589', 'authmethod chap', 'username', 'cinder')\n"]
2014-02-14 14:16:38.308 12786 INFO cinder.volume.manager [req-2d51da59-6aba-4212-a9a2-61864fe18cf3 None None] Updating volume status
2014-02-14 14:16:39.470 12786 ERROR cinder.volume.drivers.eqlx [req-a73e9c7c-e8ed-4dd1-a9f4-f6897b52f996 d9ac62582e7f4d4ab19a8df75bc8c06d bdf89879d78f4d278e8aad9f88cfb92e] Failed to initialize connection to volume volume-3045438e-096a-4838-a769-ec39692fa41f
2014-02-14 14:16:39.470 12786 ERROR cinder.openstack.common.rpc.amqp [req-a73e9c7c-e8ed-4dd1-a9f4-f6897b52f996 d9ac62582e7f4d4ab19a8df75bc8c06d bdf89879d78f4d278e8aad9f88cfb92e] Exception during message handling
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp Traceback (most recent call last):
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp File "/usr/lib/python2.6/site-packages/cinder/openstack/common/rpc/amqp.py", line 441, in _process_data
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp **args)
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp File "/usr/lib/python2.6/site-packages/cinder/openstack/common/rpc/dispatcher.py", line 148, in dispatch
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp return getattr(proxyobj, method)(ctxt, **kwargs)
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp File "/usr/lib/python2.6/site-packages/cinder/utils.py", line 819, in wrapper
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp return func(self, *args, **kwargs)
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp File "/usr/lib/python2.6/site-packages/cinder/volume/manager.py", line 624, in initialize_connection
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp conn_info = self.driver.initialize_connection(volume, connector)
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp File "/usr/lib/python2.6/site-packages/cinder/volume/drivers/eqlx.py", line 406, in initialize_connection
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp volume['name'])
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp File "/usr/lib64/python2.6/contextlib.py", line 23, in __exit__
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp self.gen.next()
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp File "/usr/lib/python2.6/site-packages/cinder/volume/drivers/eqlx.py", line 397, in initialize_connection
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp self._eql_execute(*cmd)
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp File "/usr/lib/python2.6/site-packages/cinder/volume/drivers/eqlx.py", line 219, in _eql_execute
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp args, attempts=self.configuration.eqlx_cli_max_retries)
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp File "/usr/lib/python2.6/site-packages/cinder/volume/drivers/eqlx.py", line 177, in _run_ssh
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp utils.check_ssh_injection(cmd_list)
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp File "/usr/lib/python2.6/site-packages/cinder/utils.py", line 166, in check_ssh_injection
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp raise exception.SSHInjectionThreat(command=str(cmd_list))
2014-02-14 14:16:39.470 12786 TRACE cinder.openstack.common.rpc.amqp SSHInjectionThreat: SSH command injection detected: ('volume', 'select', u'volume-3045438e-096a-4838-a769-ec39692fa41f', 'access', 'create', 'initiator', u'iqn.1994-05.com.redhat:249bde2d589', 'authmethod chap', 'username', 'cinder')

The reason and the fix for this are simple:

Line 395 @ /usr/lib/python2.6/site-packages/cinder/volume/drivers/eqlx.py:

                cmd.extend(['authmethod chap', 'username',

When it should be (to pass the current requirements at /usr/lib/python2.6/site-packages/cinder/utils.py's check_ssh_injection):

                cmd.extend(['authmethod', 'chap', 'username',
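An added example, not part of the original report and not Cinder's own code: a simplified model of a per-argument injection check, run over the argument tuple from the traceback and over the corrected one. The names `offending_args`, `BEFORE` and `AFTER` and the metacharacter set are assumptions made for this sketch.

```python
import re

# Unescaped shell metacharacters and quotes (character set assumed for this sketch).
META = re.compile(r'(?<!\\)[`$|;&<>]')
INNER_QUOTE = re.compile(r'(?<!\\)[\'"]')
QUOTED = re.compile(r'^(?P<q>[\'"])(?P<body>.*)(?P=q)$')


def offending_args(cmd_list):
    """Return the arguments a per-token injection check would reject."""
    bad = []
    for arg in cmd_list:
        arg = arg.strip()
        quoted = QUOTED.match(arg)
        if quoted:
            # Spaces are allowed inside matching quotes; a stray quote is not.
            if INNER_QUOTE.search(quoted.group('body')):
                bad.append(arg)
                continue
        elif len(arg.split()) > 1:
            # Unquoted whitespace: one list element would reach the remote
            # CLI as several words, so the whole command is refused.
            bad.append(arg)
            continue
        if META.search(arg):
            bad.append(arg)
    return bad


# Argument tuple copied from the SSHInjectionThreat message in the log above.
BEFORE = ('volume', 'select', 'volume-3045438e-096a-4838-a769-ec39692fa41f',
          'access', 'create', 'initiator',
          'iqn.1994-05.com.redhat:249bde2d589',
          'authmethod chap', 'username', 'cinder')
# Same command with the fix from the report: one token per list element.
AFTER = BEFORE[:7] + ('authmethod', 'chap') + BEFORE[8:]

if __name__ == '__main__':
    print('before:', offending_args(BEFORE))
    print('after: ', offending_args(AFTER))
```

Running the same function over the argument lists each driver builds, for example in unit tests, shows which other elements carry unquoted spaces.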

Toni Peltonen (peltzi-y) wrote :

This accidentally went to openstack-manuals, it was supposed to go to cinder...

affects: openstack-manuals → cinder
Toni Peltonen (peltzi-y) wrote :

My concern here is whether this one-time fix is OK, or whether there are more drivers where this check for non-quoted spaces might cause problems.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/79706

Changed in cinder:
assignee: nobody → J M Jacob (jacob-jacob)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/79706
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=9e858bebb89de05b1c9ecc27f5bd9fbff95a728e
Submitter: Jenkins
Branch: master

commit 9e858bebb89de05b1c9ecc27f5bd9fbff95a728e
Author: Jacob M. Jacob <email address hidden>
Date: Mon Mar 10 17:25:41 2014 -0500

    Fixes ssh-injection error while using chap authentication

    A space in the command construction was being caught by the
    ssh-injection check. The fix is to separate the command strings.

    Change-Id: If1f719f9c2ceff31ed5386c53cf60bc7f522f4d7
    Closes-Bug: #1280409

Changed in cinder:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in cinder:
milestone: none → icehouse-rc1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in cinder:
milestone: icehouse-rc1 → 2014.1