Cinder

Possible SQL injection in Windows driver utils

Bug #1370290 reported by Travis McPeak
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Cinder
Invalid
Undecided
Unassigned
OpenStack Security Advisory
Won't Fix
Undecided
Unassigned

Bug Description

On this line: https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/windows/windows_utils.py#L185 , a raw SQL query is being made with an input. This may be vulnerable to SQL injection attacks if a malicious user is able to tamper with 'vhd_path'.

No input sanitization is done, and no safe SQL libraries are being used. Even if this variable is out the control of a malicious user, this is an unsafe programming practice and should be hardened.

If we are absolutely sure that 'vhd_path' can't be tampered with, it's probably OK to fix this in the open.

Jeremy Stanley (fungi)
Changed in ossa:
status: New → Incomplete
Revision history for this message
Thierry Carrez (ttx) wrote :

@Alessandro: your help confirming / invalidating the vulnerability needed here too

Revision history for this message
Alessandro Pilotti (alexpilotti) wrote :

Hi guys,

This is WQL, not SQL. There are no security concerns for this case.

Please see comments in the following bug report:
https://bugs.launchpad.net/nova/+bug/1370295

Revision history for this message
Jeremy Stanley (fungi) wrote :

Switched the bug to public and marked the security advisory task wontfix based on the above explanation.

information type: Private Security → Public
Changed in ossa:
status: Incomplete → Won't Fix
Revision history for this message
Sean McGinnis (sean-mcginnis) wrote : Bug Cleanup

Closing stale bug. If this is still an issue please reopen.

Changed in cinder:
status: New → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.