Reviewed: https://review.openstack.org/393149 Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=abfe2370edf7eda54fb5d7fc022d1e79974c8dfd Submitter: Jenkins Branch: stable/liberty
commit abfe2370edf7eda54fb5d7fc022d1e79974c8dfd Author: Daniel Gonzalez <email address hidden> Date: Mon Oct 17 10:22:42 2016 +0200
Prevent template validate from scanning ports
The template validation method in the heat API allows to specify the template to validate using a URL with the 'template_url' parameter.
By entering invalid http URLs, like 'http://localhost:22' it is possible to scan ports by evaluating the error message of the request.
For example, the request
curl -H "Content-Type: application/json" -H "X-Auth-Token: <TOKEN>" \ -X POST -d '{"template_url": "http://localhost:22"}' \ http://127.0.0.1:8004/v1/<TENANT_ID>/validate
causes the following error message to be returned to the user:
"Could not retrieve template: Failed to retrieve template: ('Connection aborted.', BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))"
This could be misused by tenants to gain knowledge about the internal network the heat API runs in.
To prevent this information leak, this patch alters the error message to not include such details when the url scheme is not 'file'.
SecurityImpact
Closes-Bug: #1606500
Change-Id: Id1f86f41c1e6c028d889eca7ccbb9cde67631950 (cherry picked from commit eab9a33ce760c55695a5beb2e541487588b08c98)
Reviewed: https:/ /review. openstack. org/393149 /git.openstack. org/cgit/ openstack/ heat/commit/ ?id=abfe2370edf 7eda54fb5d7fc02 2d1e79974c8dfd
Committed: https:/
Submitter: Jenkins
Branch: stable/liberty
commit abfe2370edf7eda 54fb5d7fc022d1e 79974c8dfd
Author: Daniel Gonzalez <email address hidden>
Date: Mon Oct 17 10:22:42 2016 +0200
Prevent template validate from scanning ports
The template validation method in the heat API allows to specify the
template to validate using a URL with the 'template_url' parameter.
By entering invalid http URLs, like 'http:// localhost: 22' it is
possible to scan ports by evaluating the error message of the request.
For example, the request
curl -H "Content-Type: application/json" -H "X-Auth-Token: <TOKEN>" \ localhost: 22"}' \ 127.0.0. 1:8004/ v1/<TENANT_ ID>/validate
-X POST -d '{"template_url": "http://
http://
causes the following error message to be returned to the user:
"Could not retrieve template: Failed to retrieve template: ne('SSH- 2.0-OpenSSH_ 7.2p2 Ubuntu- 4ubuntu2. 1\\r\\n' ,))"
('Connection aborted.',
BadStatusLi
This could be misused by tenants to gain knowledge about the internal
network the heat API runs in.
To prevent this information leak, this patch alters the error message
to not include such details when the url scheme is not 'file'.
SecurityImpact
Closes-Bug: #1606500
Change-Id: Id1f86f41c1e6c0 28d889eca7ccbb9 cde67631950 695a5beb2e54148 7588b08c98)
(cherry picked from commit eab9a33ce760c55