Implement secure deserialize function

Bug #1459717 reported by Adrian Otto
Affects: Magnum
Status: Fix Released
Importance: Critical
Assigned to: Steven Dake
Milestone: (none)

Bug Description

The deserialize function that swagger uses includes the usage of eval. It is possible to completely destroy a system using eval,
so eval usage is not recommended. Our bandit non-voting gate will reject eval usage. stackoverflow recommends using
ast.literal_eval, but we must create python objects in some cases, which ast.literal_eval will not do. Instead write a new
implementation of deserialize which is secure.
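One way to build the deserializer the report asks for, added here as an illustration and not code from magnum or the swagger client: the type string that swagger-codegen used to hand to eval() is instead parsed with fixed rules, and model names are resolved only through an explicit registry, so an untrusted type string can never reach the interpreter. The Container and PodSpec classes and their swagger_types/attribute_map fields are constructed stand-ins for generated models.

```python
import re

# Constructed stand-ins for swagger-generated model classes (assumption).
class Container:
    swagger_types = {'name': 'str', 'image': 'str'}
    attribute_map = {'name': 'name', 'image': 'image'}

    def __init__(self):
        self.name = None
        self.image = None

class PodSpec:
    swagger_types = {'containers': 'list[Container]', 'labels': 'dict(str, str)'}
    attribute_map = {'containers': 'containers', 'labels': 'labels'}

    def __init__(self):
        self.containers = None
        self.labels = None

# The registry is the only source of model classes; nothing is looked up
# dynamically from a string, which is what eval(klass) used to do.
MODELS = {'Container': Container, 'PodSpec': PodSpec}
NATIVE_TYPES = {'int': int, 'float': float, 'str': str, 'bool': bool}

def deserialize(data, klass):
    """Convert JSON-decoded data into the type named by klass without eval()."""
    if data is None:
        return None
    # Container types are recognised by pattern, not by evaluating the string.
    m = re.fullmatch(r'list\[(.+)\]', klass)
    if m:
        return [deserialize(item, m.group(1)) for item in data]
    m = re.fullmatch(r'dict\((\w+),\s*(.+)\)', klass)
    if m:
        return {k: deserialize(v, m.group(2)) for k, v in data.items()}
    if klass == 'object':
        return data
    if klass in NATIVE_TYPES:
        return NATIVE_TYPES[klass](data)
    model = MODELS.get(klass)
    if model is None:
        # Unknown type names are an error, never a fallback to eval().
        raise ValueError('unknown swagger type %r' % klass)
    instance = model()
    for attr, attr_type in model.swagger_types.items():
        key = model.attribute_map[attr]
        if key in data:
            setattr(instance, attr, deserialize(data[key], attr_type))
    return instance
```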

Revision history for this message
Steven Dake (sdake) wrote :

The python k8s library is busted without fixing this - changing importance to high.

Changed in magnum:
assignee: stephen dake (steve-dake) → Steven Dake (sdake)
importance: Wishlist → High
status: Triaged → Confirmed
Changed in magnum:
status: Confirmed → In Progress
Revision history for this message
Steven Dake (sdake) wrote :

This will require a backport when it has been verified.

Changed in magnum:
importance: High → Critical
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (master)

Reviewed: https://review.openstack.org/186662
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=ea1ca0d7f3f25e4b715b1771f08a0d9c5a19dfa0
Submitter: Jenkins
Branch: master

commit ea1ca0d7f3f25e4b715b1771f08a0d9c5a19dfa0
Author: Madhuri Kumari <email address hidden>
Date: Fri May 29 12:35:56 2015 +0530

    Fixing import error in kubernetes client code

    Change-Id: I21981b99f00ebe3eb027aba9fabd21c763129e39
    Partial-Bug: #1459717

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on magnum (master)

Change abandoned by Adrian Otto (<email address hidden>) on branch: master
Review: https://review.openstack.org/186287
Reason: Items in our work queue should be actionable unless they are marked as WIP with recent revisions. Because this review is not currently actionable, I am marking it as abandoned.

There have been no revisions on this patch since 2015-06-02. If there is further interest in refining this work, you are welcome to un-abandon this, and post revisions or additional comments for discussion. Thanks!

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (master)

Reviewed: https://review.openstack.org/222436
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=ff9fce4aff9a465a867c4b26f1e7d7b15dbcb763
Submitter: Jenkins
Branch: master

commit ff9fce4aff9a465a867c4b26f1e7d7b15dbcb763
Author: Hua Wang <email address hidden>
Date: Fri Sep 11 10:00:44 2015 +0800

    Avoid using eval in pythonk8sclient

    The deserialize function that swagger uses includes the usage of
    eval. It is possible to completely destroy a system using eval, so
    eval usage is removed in this patch. This fixes the failure of the bandit
    non-voting gate.

    http://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html

    Change-Id: Id13ea30d07a66d9a812677840c29c48662f43f6f
    Closes-Bug: #1459717

Changed in magnum:
status: In Progress → Fix Committed
Adrian Otto (aotto)
Changed in magnum:
status: Fix Committed → Fix Released