Fuel for OpenStack

No validation for FQDNs in Racks

Bug #1567117 reported by Igor Shishkin on 2016-04-06

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Fuel for OpenStack	Fix Committed	Low	Alexander Lomski	Fuel for OpenStack 10.0

Bug Description

Hello,

While inventory object is gonna be created through form in WebUI we have no validation for it's name(i.e. FQDN).
Please add such validation(according to https://tools.ietf.org/html/rfc1123) on both of fronted and backend sides.

New inventory object(error 404)
1) http://snag.gy/nCJch.jpg
2) http://snag.gy/sott7.jpg
3) http://snag.gy/V5LqC.jpg
4) http://snag.gy/FS1RY.jpg
Actual result: error 404
5) http://snag.gy/5BxiU.jpg
But the entry was created
6)http://snag.gy/2PyJG.jpg

High since it could potentially cause SQL inj.

Thanks in advance.

Tags:

Revision history for this message

Alexander Charykov (acharykov) wrote on 2016-04-07:

It would not execute "SQL inj". Mark as low, because it is name, not hostname. But we really need to rename field and add validation.

Changed in fuel:
importance:	High → Low
status:	New → Confirmed

Revision history for this message

Igor Shishkin (teran) wrote on 2016-04-07:

@Alexander, why do you think it wouldn't execute SQL Inj?

Revision history for this message

Fuel Devops McRobotson (fuel-devops-robot) wrote on 2016-06-30: Fix proposed to fuel-infra/packages/python-django-racks (master)

Fix proposed to branch: master
Change author: Alexander Lomski <email address hidden>
Review: https://review.fuel-infra.org/22747

Changed in fuel:
status:	Confirmed → In Progress

Alexander Lomski (aliaksandr-lomski) on 2016-06-30

Changed in fuel:
assignee:	Fuel Infra Apps (fuel-infra-apps) → Alexander Lomski (aliaksandr-lomski)

Revision history for this message

Fuel Devops McRobotson (fuel-devops-robot) wrote on 2016-07-06: Fix merged to fuel-infra/packages/python-django-racks (master)

Reviewed: https://review.fuel-infra.org/22747
Submitter: Alexander Charykov <email address hidden>
Branch: master

Commit: 2c0d4f831d9712a1098099ec8918f63f38818fbf
Author: Alexander Lomski <email address hidden>
Date: Wed Jul 6 11:04:51 2016

Validate inventory object name as FQDN

Inventory object name has been renamed to "Hostname" in forms and is now
validated to be a FQDN (fully qualified domain name) if present.

UI and API tests updated.

Closes-Bug: #1567117
Change-Id: I85904094c4e7b522518e30f746eb13daae42debf

Changed in fuel:
status:	In Progress → Fix Committed

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.