SQL Error during update tenant and possibly other calls

Bug #1289590 reported by Nathan Buckner
Affects: OpenStack Identity (keystone)
Status: Invalid
Importance: Low
Assigned to: Unassigned

Bug Description

Attributes in the description cause an SQL error and a 500. Possible injection.
PUT /v2.0/tenants/1234556 HTTP/1.1
Host: <not shown>:35357
X-Auth-Token: <not shown>
Content-Type: application/xml
Accept-Encoding: gzip, deflate, compress
Accept: application/xml
User-Agent: python-requests/2.2.1 CPython/2.7.4 Linux/3.11.0-17-generic
Content-Length: 245

<tenant enabled="false" name="ACME corp" id="1234556">
  <description test=""></description>
</tenant>

Response

HTTP/1.1 500 Internal Server Error
Vary: X-Auth-Token
Content-Type: application/xml
Content-Length: 536
Date: Fri, 07 Mar 2014 21:16:52 GMT

<?xml version="1.0" encoding="UTF-8"?>
<error xmlns="http://docs.openstack.org/identity/api/v2.0" message="An unexpected error prevented the server from fulfilling your request. (ProgrammingError) (1064, 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near \': &quot;\'\'&quot;} WHERE project.id = \'1234556\'\' at line 1') 'UPDATE project SET description=%s WHERE project.id = %s' ({u'test': u''}, '1234556')" code="500" title="Internal Server Error"/>

summary: - SQL Error during update tenant and possible other calls
+ SQL Error during update tenant and possibly other calls
Revision history for this message
Dolph Mathews (dolph) wrote :

Looks like this is just a case of poor input validation (producing a 500 where there should be a 400), and unless it can be demonstrated, I don't see any reason to worry about SQL injection here.

Changed in keystone:
importance: Undecided → Low
status: New → Triaged
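Dolph's diagnosis above (a type/validation failure that should produce a 400, not a demonstrable injection) can be checked in miniature. The following is an added example, not Keystone's code: it uses sqlite3 and an in-memory `project` table to run the same parameterized UPDATE shape shown in the error message, first with the dict `{'test': ''}` that the v2 XML layer produced for `<description test="">`, then with a string full of SQL metacharacters, and finally behind a hypothetical `validate_tenant_update` check that rejects non-string attributes with a 400. The function names, schema and sample row are assumptions for illustration. One driver difference to keep in mind: MySQLdb interpolated the escaped dict client-side and MySQL rejected the resulting syntax, whereas sqlite3 refuses to bind a dict at all; in both cases the failure is in the driver's parameter handling, and the string payload is stored verbatim rather than executed.

```python
import sqlite3

# Added example, not Keystone code. Schema, sample row and function names
# are assumptions made for illustration.
SCHEMA = (
    "CREATE TABLE project ("
    "id TEXT PRIMARY KEY, name TEXT, enabled INTEGER, description TEXT)"
)


def make_db():
    """In-memory stand-in for keystone's project table with one tenant."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute(
        "INSERT INTO project VALUES (?, ?, ?, ?)",
        ("1234556", "ACME corp", 1, "old description"),
    )
    conn.commit()
    return conn


def update_description_unchecked(conn, project_id, description):
    """Same parameterized shape as the statement in the bug report:
    'UPDATE project SET description=%s WHERE project.id = %s'.
    The value is handed to the driver as a bind parameter and never
    concatenated into the SQL text, so a hostile string cannot change the
    statement. A dict, however, is not a bindable type and the driver
    raises sqlite3.Error (the MySQLdb path in the report instead rendered
    the dict and MySQL returned a syntax error)."""
    conn.execute(
        "UPDATE project SET description=? WHERE id=?", (description, project_id)
    )
    conn.commit()


def get_description(conn, project_id):
    row = conn.execute(
        "SELECT description FROM project WHERE id=?", (project_id,)
    ).fetchone()
    return row[0] if row else None


def validate_tenant_update(body):
    """Return None if the body is acceptable, else a 400-style message.
    A v2 XML body such as <description test=""></description> arrives as
    {'test': ''} for 'description'; anything that is not a string (or
    None) is rejected here instead of reaching the database layer."""
    errors = []
    desc = body.get("description")
    if desc is not None and not isinstance(desc, str):
        errors.append("description must be a string")
    if "name" in body and not isinstance(body["name"], str):
        errors.append("name must be a string")
    if "enabled" in body and not isinstance(body["enabled"], bool):
        errors.append("enabled must be a boolean")
    return "; ".join(errors) or None


def handle_update(conn, project_id, body):
    """Return (http_status, message) for a tenant update request.
    Validation failures are 400; only an unexpected driver error is 500."""
    err = validate_tenant_update(body)
    if err:
        return 400, err
    try:
        update_description_unchecked(conn, project_id, body.get("description"))
    except sqlite3.Error as exc:
        return 500, "An unexpected error prevented the server from fulfilling your request. (%s)" % exc
    return 200, "updated"


if __name__ == "__main__":
    db = make_db()
    # Unvalidated path: the dict reaches the driver and raises.
    try:
        update_description_unchecked(db, "1234556", {"test": ""})
    except sqlite3.Error as exc:
        print("driver error, no injection:", exc)
    # A string full of SQL metacharacters is stored, not executed.
    update_description_unchecked(db, "1234556", "x'; DROP TABLE project; --")
    print("stored verbatim:", get_description(db, "1234556"))
    # Validated path turns the same dict into a 400.
    print(handle_update(db, "1234556", {"description": {"test": ""}}))
```

Run with `python3 example.py`; the first call shows the driver rejecting the dict with the `project` row untouched, the second shows the metacharacter string stored as data, and the third shows the validated handler returning a 400 for the body from the report.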
Jeremy Stanley (fungi)
Changed in ossa:
status: New → Incomplete
Revision history for this message
Thierry Carrez (ttx) wrote :

@Nathan: do you have reasons to believe SQL injection is possible here?

Revision history for this message
Nathan Buckner (nathan-buckner) wrote : RE: [Bug 1289590] Re: SQL Error during update tenant and possibly other calls

After more testing I don't think it is a problem. I also had the security team look at it and attempt to get information from it.

Revision history for this message
Thierry Carrez (ttx) wrote :

OK, then unless someone complains I'll open this bug publicly and remove the security tag.

Revision history for this message
Nathan Buckner (nathan-buckner) wrote :

Sounds good.

Thierry Carrez (ttx)
no longer affects: ossa
information type: Private Security → Public
Revision history for this message
Kent Wang (k.wang) wrote :

Hi, I'm having trouble reproducing this bug.

When I try:

$ curl $TOKEN -X PUT localhost:35357/v2.0/tenants/bd90b83b1d5642c49c0f329160ffc4d3 -H 'Content-Type:application/xml' -d '<tenant enabled="false" name="ACME corp" id="1234556">
  <description test=""></description>
</tenant>'

The error response I get:

{
    "error": {
        "code": 400,
        "message": "Expecting to find application/json in Content-Type header - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.",
        "title": "Bad Request"
    }
}

Revision history for this message
Nathan Buckner (nathan-buckner) wrote :

This bug is a year and a half old and was made before XML support was dropped from Keystone (Kilo 2015.1.0). Thus you can't reproduce it unless you are on an older version of Keystone.

Revision history for this message
Kent Wang (k.wang) wrote :

I see. Thanks. Is the bug still valid or should we mark it as invalid then?

Revision history for this message
Nathan Buckner (nathan-buckner) wrote :

I'm not sure what versions are considered no longer supported.

Revision history for this message
Steve Martinelli (stevemar) wrote :

This bug is no longer valid. XML support was removed in Kilo, which is the oldest version we support. Marking as invalid.

Changed in keystone:
status: Triaged → Invalid