Horizon exposes url in Swift error message

Bug #1794767 reported by Vadym Markov
Affects: OpenStack Dashboard (Horizon)
Status: Fix Released
Importance: Undecided
Assigned to: Vadym Markov

Bug Description

Horizon can be made to expose internal data structures from HTTP requests; this is a security hazard.

See for example:

GET /api/swift/containers/test01s/metadata/nonexistantFile.txt HTTP/1.1
Host: example.com
...

Response:

HTTP/1.1 404 Not Found
Date: Tue, 11 Sep 2018 19:30:11 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 98
Vary: Accept-Language,Cookie
X-Frame-Options: SAMEORIGIN
Content-Language: en
Content-Type: application/json

"Object HEAD failed: http://123.456.789.012:8080/swift/v1/test01s/nonexistantFile.txt 404 Not Found"

---------

Note that the Object Store endpoint configured on the /project/api_access page is "http://example.com:8080/swift/v1", so exposing the internal URL is incorrect.

It should return something like:
"Object HEAD failed: http://example.com:8080/swift/v1/test01s/nonexistantFile.txt 404 Not Found", or just hide the URL altogether.

To reproduce:
1. Log into Horizon with Firefox
2. Open up Web Developer Tools
3. Navigate to Project -> Object Store -> Containers
4. Pick a GET request for /api/swift/containers from the Network tab in the developer tools, copy it as cURL and append "test01s/metadata/nonexistantFile.txt" to the end of the URL.

Note that you need to do this quickly, otherwise the auth token will expire. If that happens, just refresh the page and edit the request quickly.
5. Observe the URL present in the response.

OpenStack Infra (hudson-openstack) wrote: Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/605731

Changed in horizon:
assignee: nobody → Vadym Markov (vmarkov)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to horizon (master)

Reviewed: https://review.openstack.org/605731
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=4d6a1b327a033b5252317a9e35b664f2155cc2a2
Submitter: Zuul
Branch: master

commit 4d6a1b327a033b5252317a9e35b664f2155cc2a2
Author: BubaVV <email address hidden>
Date: Thu Sep 27 16:58:58 2018 +0300

    Hide Swift network info in Horizon error message

    In case of error the Swift API returns some details about the unsuccessful
    request, i.e. internal IP, full object path, etc. This response is not
    processed by Horizon and is presented to the user as-is, which is potentially
    insecure. The proposed patch adds error processing stripping the network location
    from the error message.

    Change-Id: Ieef9669a1be3ed7bbc685a457eb1fe86b34c3c7e
    Closes-bug: #1794767

Changed in horizon:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote: Fix included in openstack/horizon 15.0.0.0b1

This issue was fixed in the openstack/horizon 15.0.0.0b1 development milestone.
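Added example, not the merged Horizon patch and not code from the Horizon project: a sanitizer of the kind the commit message describes, which strips the scheme and host:port from every URL in an error string before the string is returned to the browser, keeping only the object path. The sample message is the one quoted in the report; the function names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: the raw error body quoted in the bug report.
RAW_SWIFT_ERROR = (
    "Object HEAD failed: "
    "http://123.456.789.012:8080/swift/v1/test01s/nonexistantFile.txt "
    "404 Not Found"
)

# Finds http(s) URLs embedded in free-form text; a run stops at whitespace
# and at characters that would end an HTML attribute or a quoted string.
_URL_RE = re.compile(r"https?://[^\s\"'<>]+")
_TRAILING_PUNCT = ".,;:)]"


def strip_network_location(message):
    """Return message with scheme and host:port removed from every URL.

    Only the path (plus query/fragment, if any) survives, so the backend
    address and port never reach the browser, while the object path that
    helps the user understand the failure is preserved.
    """
    def _sanitize(match):
        url = match.group(0)
        # Keep sentence punctuation that the regex swallowed after the URL.
        trail = ""
        while url and url[-1] in _TRAILING_PUNCT:
            trail = url[-1] + trail
            url = url[:-1]
        parts = urlsplit(url)
        rebuilt = parts.path or "/"
        if parts.query:
            rebuilt += "?" + parts.query
        if parts.fragment:
            rebuilt += "#" + parts.fragment
        return rebuilt + trail

    return _URL_RE.sub(_sanitize, message)


def leaks_network_location(message):
    """True if the text still contains a URL with a host part; usable as a
    last check (or test) before an error response leaves the server."""
    return any(urlsplit(m.group(0)).netloc for m in _URL_RE.finditer(message))


if __name__ == "__main__":
    print(strip_network_location(RAW_SWIFT_ERROR))
```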
