commit 8ee7638a860c48785d94bfda8d336b6239da5013
Author: Jay Faulkner <email address hidden>
Date: Thu Aug 10 11:28:32 2023 -0700
Only allow safe context fields in notifications
Publishing a fully hydrated context object in a notification would give
someone with access to that notification the ability to impersonate the
original actor through inclusion of sensitive fields.
Now, instead, we pare down the context object to the bare minimum before
passing it for serialization in notification workflows.
Closes-bug: 2030976
Change-Id: Ic94323658c89df1c1ff32f511ca23502317d0f00
(cherry picked from commit 1b315615e7dc61dbf845bd663560fc8d5a18fa09)
Reviewed: https://review.opendev.org/c/openstack/oslo.messaging/+/891744
Committed: https://opendev.org/openstack/oslo.messaging/commit/8ee7638a860c48785d94bfda8d336b6239da5013
Submitter: "Zuul (22348)"
Branch: stable/yoga
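The paring-down step the commit message describes, as an added example that is not oslo.messaging's own code: an allowlist applied to the request context before the notification is serialized. The field names in `SAFE_CONTEXT_FIELDS`, the envelope shape, and the sample context are assumptions made for illustration.

```python
import json

# Assumed allowlist for illustration; the project's real list may differ.
SAFE_CONTEXT_FIELDS = ("user_id", "project_id", "domain_id",
                       "request_id", "global_request_id")


def sanitize_context(ctxt):
    """Pare a request context down to allowlisted fields only.

    Accepts a dict or an object exposing to_dict(). Unknown fields are
    dropped by default, so a credential added to the context later never
    reaches a notification unless it is allowlisted on purpose.
    """
    if ctxt is None:
        return {}
    data = ctxt.to_dict() if hasattr(ctxt, "to_dict") else dict(ctxt)
    return {k: data[k] for k in SAFE_CONTEXT_FIELDS
            if data.get(k) is not None}


def build_notification(ctxt, event_type, payload, sanitize=True):
    """Serialize a notification envelope (hypothetical shape).

    sanitize=False reproduces the 'before' behaviour: the fully
    hydrated context is published as-is.
    """
    context = sanitize_context(ctxt) if sanitize else dict(ctxt)
    return json.dumps({"event_type": event_type, "payload": payload,
                       "context": context}, sort_keys=True)


# Constructed sample context; the token value is a placeholder.
FULL_CONTEXT = {
    "user_id": "u-1234",
    "project_id": "p-5678",
    "domain_id": None,
    "request_id": "req-0001",
    "auth_token": "PLACEHOLDER-TOKEN",
    "service_catalog": [{"type": "identity", "endpoints": []}],
}

if __name__ == "__main__":
    print("before:", build_notification(FULL_CONTEXT, "example.event", {},
                                        sanitize=False))
    print("after: ", build_notification(FULL_CONTEXT, "example.event", {}))
```

A useful regression check for consumers is to assert that no serialized notification contains a token-bearing key, as the `before` output here does.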