Adding image member throws 500 when the member name is longer than 255 characters

You forgot to include a description of how you would expect an attacker to exploit this bug, since you have marked it as a suspected security vulnerability. Or did you set this bug to private security in error?

@Jeremy : I'd asked him to file this as potential security bug.

The reason and attack scenario is as follows:

When a user makes a call of this sort, it is a straightforward case when the 500s are expected hence, easily reproducible. My thinking is that if we let a user make such easy 500 calls, it may very easily be exploited to use as many API threads without having to worry about quota/policies. A deployment without strong rate-limiting would face challenge for such case.

It's not strong case for private security however, we initiated the conversation here to be on the safer side.

Thanks.

Jeremy, yeah, sorry, my bad for forgetting to include the description.
Since this operation causes the API to respond with 500, which counts against API availability, repeated requests will reduce API availability and hence act like DoS attack.

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

I guess what I'm still missing in this report is the expected outcome. Should Glance return some other error on a too-long member name? Should Glance subject API calls resulting in 500 errors to policy/quota enforcement? Something else? That will certainly help in clarifying the impact statement if we end up issuing an advisory for this.

I'd say the expected outcome should be a 400. This is something that is bound to fail with every request that has a long member name since we don't have appropriate validations and/or error handling. So, 400 should be the expected outcome in my opinion.

I'm not convinced that triggering 500 to make log monitoring tools reduce "API availability" statistics could be leveraged as part of an attack. The API is not really unavailable, it's just that some tools relying on 500 error counts might report an erroneous state.

Now spurious 500 should be fixed and return 4xx where appropriate, but I don't think that should trigger a security advisory. Also API return code changes are generally non backportable, so a master fix only.

I agree with ttx here, let's open this next Thursday if no objections

No objection, opening as promised.
Closing OSSA task due to Class D

Fix proposed to branch: master
Review: https://review.openstack.org/175415

Any one has other solution to fix this bug ?

Marking as Won't Fix as registry is now removed from glance code base.