create token API is not doing proper input validation
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Low | Brant Knudson |
Bug Description
HTTP 500 being returned when the request body for POST /v3/auth/tokens has an empty string in place of one of the dicts that should be passed in. This shows that the code is not doing proper input validation. It should detect the user error and return an HTTP 400. Here's an example where project domain is "" instead of {"id": "default"}:
```
# curl -1 -k -i -X POST https:/
HTTP/1.1 500 Internal Server Error
Date: Tue, 10 May 2016 20:39:53 GMT
Server: Apache
Vary: X-Auth-Token
x-openstack-
Content-Length: 143
Connection: close
Content-Type: application/json

{"error": {"message": "An unexpected error prevented the server from fulfilling your request.", "code": 500, "title": "Internal Server Error"}}
```
Logs show:
```
2016-05-10 16:39:53.716 2951 INFO keystone.
2016-05-10 16:39:53.717 2951 ERROR keystone.
```
Note: you can also get HTTP 500 if you replace other dicts in the request, e.g. {"user": ""}
Changed in keystone:
assignee: nobody → Ryosuke Mizuno (r-mizuno)

Changed in keystone:
assignee: nobody → Brant Knudson (blk-u)
We could use a jsonschema here, but it won't be easy - there are quite a few combinations to cover.
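To make the failure mode in the report and the fix suggested in the comment concrete, here is an added example that is not Keystone's code and does not use the jsonschema library itself: a small schema-driven validator in plain Python that checks a v3 token request body before any handler touches it. The request bodies, the `AUTH_SCHEMA` dictionary and the `issue_token_unchecked` / `handle_request` functions are all constructed for this illustration; the schema covers only the password-method fields the bug description mentions, not every combination a real deployment needs. Without validation a `""` where a dict belongs blows up inside the handler and surfaces as HTTP 500; with validation the same input is rejected as HTTP 400 with the offending path named.

```python
"""Schema-driven validation of a v3 auth token request (illustrative only)."""
import copy
import json

# Maps the schema's type names onto the Python types a parsed JSON body uses.
TYPES = {"object": dict, "array": list, "string": str}


class ValidationError(Exception):
    """Malformed client input; the handler maps it to HTTP 400."""


def validate(value, schema, path="$"):
    """Recursively check `value` against a minimal JSON-Schema-like `schema`.

    Supports "type" (object/array/string), "required", "properties" and
    "items". Raises ValidationError naming the path of the bad element.
    """
    expected = TYPES[schema["type"]]
    if not isinstance(value, expected):
        raise ValidationError(
            f"{path}: expected {schema['type']}, got {type(value).__name__}")
    if schema["type"] == "object":
        for key in schema.get("required", ()):
            if key not in value:
                raise ValidationError(f"{path}.{key}: required property missing")
        for key, sub in schema.get("properties", {}).items():
            if key in value:
                validate(value[key], sub, f"{path}.{key}")
    elif schema["type"] == "array" and "items" in schema:
        for i, item in enumerate(value):
            validate(item, schema["items"], f"{path}[{i}]")


# Hypothetical schema for the password-method subset of POST /v3/auth/tokens.
DOMAIN_REF = {"type": "object",
              "properties": {"id": {"type": "string"}, "name": {"type": "string"}}}
USER = {"type": "object",
        "properties": {"id": {"type": "string"}, "name": {"type": "string"},
                       "password": {"type": "string"}, "domain": DOMAIN_REF}}
PROJECT = {"type": "object",
           "properties": {"id": {"type": "string"}, "name": {"type": "string"},
                          "domain": DOMAIN_REF}}
AUTH_SCHEMA = {
    "type": "object", "required": ["auth"],
    "properties": {"auth": {
        "type": "object", "required": ["identity"],
        "properties": {
            "identity": {
                "type": "object", "required": ["methods"],
                "properties": {
                    "methods": {"type": "array", "items": {"type": "string"}},
                    "password": {"type": "object", "required": ["user"],
                                 "properties": {"user": USER}}}},
            "scope": {"type": "object",
                      "properties": {"project": PROJECT, "domain": DOMAIN_REF}}}}}}

# Constructed sample request (not taken from the bug report).
GOOD_BODY = {
    "auth": {
        "identity": {
            "methods": ["password"],
            "password": {"user": {"name": "demo", "password": "secret",
                                  "domain": {"id": "default"}}}},
        "scope": {"project": {"name": "demo", "domain": {"id": "default"}}}}}


def with_bad_project_domain():
    """The report's case: project domain is "" instead of {"id": "default"}."""
    body = copy.deepcopy(GOOD_BODY)
    body["auth"]["scope"]["project"]["domain"] = ""
    return body


def with_bad_user():
    """The report's second case: {"user": ""} in place of the user dict."""
    body = copy.deepcopy(GOOD_BODY)
    body["auth"]["identity"]["password"]["user"] = ""
    return body


def issue_token_unchecked(body):
    """Models the failure mode: every nested value is assumed to be a dict,
    so a "" in a dict's place raises AttributeError/TypeError at runtime."""
    user = body["auth"]["identity"]["password"]["user"]
    project = body["auth"]["scope"]["project"]
    return {"user_domain": user["domain"].get("id"),
            "project_domain": project["domain"].get("id")}


def handle_request(body, validated=True):
    """Return (status, payload) as a web handler would; `validated=False`
    reproduces the unvalidated path that turns client errors into 500s."""
    try:
        if validated:
            validate(body, AUTH_SCHEMA)
        return 201, {"token": issue_token_unchecked(body)}
    except ValidationError as exc:
        return 400, {"error": {"code": 400, "title": "Bad Request",
                               "message": str(exc)}}
    except Exception:  # unexpected failure: the generic 500 from the report
        return 500, {"error": {"code": 500, "title": "Internal Server Error",
                               "message": "An unexpected error prevented the "
                                          "server from fulfilling your request."}}


if __name__ == "__main__":
    for name, body in [("good", GOOD_BODY),
                       ("bad project domain", with_bad_project_domain()),
                       ("bad user", with_bad_user())]:
        for validated in (False, True):
            status, payload = handle_request(body, validated=validated)
            print(f"{name:20} validated={validated!s:5} -> {status} "
                  f"{json.dumps(payload)}")
```

Running the block prints the same malformed bodies taking the 500 path when validation is skipped and the 400 path when it is applied. The error message carries a JSON-path-style location (for example `$.auth.scope.project.domain: expected object, got str`), which is what a client needs to correct its request and what an operator wants in logs instead of a traceback.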