Comment 13 for bug 1606500

Daniel Gonzalez Nothnagel (dgonzalez) wrote : Re: Heat: template source URL allows network port scan

This problem originates in the template validate method of the heat API: http://developer.openstack.org/api-ref/orchestration/v1/?expanded=validate-template-detail

If the method is called with '{"template_url": "http://localhost:22"}' the same issue as raised by Tom appears, as you can see in the following curl command:

curl -H "Content-Type: application/json" -H "X-Auth-Token: 591b637a85af47c0bd406cc7db9c3cb1" -X POST -d '{"template_url": "http://localhost:22"}' http://127.0.0.1:8004/v1/3659e5effe5a473f9dd579dd8bbeca9f/validate
{"explanation": "The server could not comply with the request since it is either malformed or otherwise incorrect.", "code": 400, "error": {"message": "Could not retrieve template: Failed to retrieve template: ('Connection aborted.', BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))", "traceback": " File \"/opt/stack/heat/heat/common/wsgi.py\", line 842, in __call__\n request, **action_args)\n File \"/opt/stack/heat/heat/common/wsgi.py\", line 916, in dispatch\n return method(*args, **kwargs)\n File \"/opt/stack/heat/heat/api/openstack/v1/util.py\", line 38, in handle_stack_method\n return handler(controller, req, **kwargs)\n File \"/opt/stack/heat/heat/api/openstack/v1/stacks.py\", line 610, in validate_template\n data.template(),\n File \"/opt/stack/heat/heat/api/openstack/v1/stacks.py\", line 122, in template\n raise exc.HTTPBadRequest(err_reason)\n", "type": "HTTPBadRequest"}, "title": "Bad Request"}

This happens not only with Liberty, but also with newer releases and the current master version.
You can't see this issue in newer versions of Horizon, because they changed the behaviour from calling the validate method with 'template_url' to fetching the template themselves from the given URL and then calling the validate method with 'template'.

So "ERROR: Could not retrieve template: Failed to retrieve template: ('Connection aborted.', BadStatusLine('SSH-2.0-OpenSSH_6.6.1\r\n',))" is the error message issued by the heat-api, whereas "[Errno 104] Connection reset by peer" is the error message issued by the client and newer versions of horizon.

As I see it, the easiest way to fix this would be to change the error message in https://github.com/openstack/heat/blob/master/heat/common/urlfetch.py#L54 to not include the error message from the URLError. So instead of raising URLFetchError(_('Failed to retrieve template: %s') % sex) it should just raise URLFetchError(_('Failed to retrieve template')).

TL;DR The problem lies in the heat API, not in horizon. Easiest way to fix this would be to suppress the exact error message in heat.
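The change proposed in this comment, as an added Python example that is not code from Heat or from the commenter: the "before" handler copies the text of the underlying exception into the API error (which is how the SSH banner in the curl output above reached the client), and the "after" handler returns a fixed message and keeps the detail in a server-side log. The URLFetchError class, the opener parameter and the constructed BadStatusLine-style exception are assumptions made here so the example runs offline; Heat's real urlfetch.py uses requests and its own exception types.

```python
"""Added example (not Heat's own code): contrast a template fetch that
leaks the remote service's banner in its error message with the
generic-message variant proposed in the comment above."""
import urllib.request


class URLFetchError(Exception):
    """Stand-in for heat's URLFetchError: raised when a template URL
    cannot be retrieved."""


class ConstructedBadStatusLine(Exception):
    """Constructed stand-in for the connection error heat-api surfaced.
    Its text carries a protocol banner, which is what the verbose error
    message passed straight through to the API client."""


def fake_ssh_opener(url):
    # Constructed: emulate connecting to a non-HTTP listener that answers
    # with its banner instead of an HTTP status line.
    raise ConstructedBadStatusLine(
        "('Connection aborted.', "
        "BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))"
    )


def default_opener(url, timeout=5):
    # Real fetch for stand-alone use; the tests inject fake_ssh_opener.
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def fetch_leaky(url, opener=default_opener):
    """Before: the exception text is interpolated into the client-facing
    error, so whatever the remote service said comes back verbatim."""
    try:
        return opener(url)
    except Exception as sex:
        raise URLFetchError("Failed to retrieve template: %s" % sex)


def fetch_hardened(url, opener=default_opener, log=None):
    """After: the client gets a fixed message; the detail is written to
    the server log (a list here, a logger in a real service). 'from None'
    suppresses exception chaining so the cause does not resurface in a
    traceback rendered by a wsgi error handler."""
    try:
        return opener(url)
    except Exception as sex:
        if log is not None:
            log.append("urlfetch failed for %s: %s" % (url, sex))
        raise URLFetchError("Failed to retrieve template") from None


def error_message(fetch, url):
    """Return the message an API client would see from the given fetcher,
    or None if the fetch succeeded."""
    try:
        fetch(url)
    except URLFetchError as e:
        return str(e)
    return None


if __name__ == "__main__":
    target = "http://localhost:22"
    print("leaky   :", error_message(
        lambda u: fetch_leaky(u, fake_ssh_opener), target))
    server_log = []
    print("hardened:", error_message(
        lambda u: fetch_hardened(u, fake_ssh_opener, server_log), target))
    print("server log:", server_log)
```

The hardened variant removes the banner from the response, which is the information the curl output above gave away; whether a URL is reachable at all can still be inferred from success versus failure, so this change narrows the leak rather than removing every signal, and the server-side log entry is where an operator would look for repeated validate calls against unexpected hosts and ports.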