YaqlYamlLoader inherits from YamlLoader

Bug #1586079 reported by Kirill Zaitsev on 2016-05-26
Affects           Importance   Assigned to
Murano            Critical     Kirill Zaitsev
Murano (Kilo)     Critical     Unassigned
Murano (Liberty)  Critical     Kirill Zaitsev
Murano (Mitaka)   Critical     Kirill Zaitsev
Murano (Newton)   Critical     Kirill Zaitsev

Bug Description

YaqlYamlLoader inherits from YamlLoader, meaning that it is possible to use extended unsafe tags in yaml files: http://pyyaml.org/wiki/PyYAMLDocumentation#YAMLtagsandPythontypes

Both the dashboard and the engine/API seem to be vulnerable.

description: updated
Kirill Zaitsev (kzaitsev) wrote :

Patch for the murano-dashboard

Kirill Zaitsev (kzaitsev) wrote :

Confirmed for dashboard for mitaka, liberty and kilo

Kirill Zaitsev (kzaitsev) wrote :

Note that kilo isn't security supported anymore as it is eol. Otherwise the change looks good to me.

Kirill Zaitsev (kzaitsev) wrote :

> Note that kilo isn't security supported anymore as it is eol. Otherwise the change looks good to me.

Indeed, it seems that we in murano missed EOL for kilo; gotta catch up with that. Also, http://releases.openstack.org needs to be updated, as it still says that kilo is security supported.

Kirill Zaitsev (kzaitsev) wrote :

Patches seem to work for me, but I would like to see reviews from other Cores of the project, preferably from Stan Lagun, to verify that these patches do not accidentally break existing functionality.

Kirill Zaitsev (kzaitsev) wrote :

Stan pointed out that we should also inherit from SafeConstructor instead of Constructor; gotta add that to the patches to the murano repository.

Stan Lagun (slagun) wrote :

Looks good to me

Changed in murano:
milestone: newton-1 → newton-2
information type: Private Security → Public Security

Reviewed: https://review.openstack.org/333428
Committed: https://git.openstack.org/cgit/openstack/murano-dashboard/commit/?id=66ef3d71941c4bd672d1e8e37d8f7b199acd5462
Submitter: Jenkins
Branch: master

commit 66ef3d71941c4bd672d1e8e37d8f7b199acd5462
Author: Kirill Zaitsev <email address hidden>
Date: Fri May 27 00:11:28 2016 +0300

    Inherit custom yaml Loader from yaml.SafeLoader

    Before this patch yaql-enabled yaml Loader was inherited from yaml.Loader, that
    potentially allows creating arbitrary python objects from specifically
    formatted yaml tags. This could have happened whenever UI definitions of
    the package were processed.
    With this change yaql yaml-Loader no longer allows creating custom python objects.

    Change-Id: I4fe38aa7e0fc567211ab872c7e1f8e81dbc3e765
    Closes-Bug: #1586079

Changed in murano:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/333423
Committed: https://git.openstack.org/cgit/openstack/murano/commit/?id=28de8c36c9dbe4aaf4d062e6fb6099afd437f49b
Submitter: Jenkins
Branch: master

commit 28de8c36c9dbe4aaf4d062e6fb6099afd437f49b
Author: Kirill Zaitsev <email address hidden>
Date: Fri May 27 00:42:38 2016 +0300

    Use SafeLoader to load yaml files

    Before this patch yaml.Loader was used by the engine to create custom
    yaql-enabled yaml loader. It is unsafe to do so, because yaml.Loader is
    capable of creating custom python objects from specifically constructed
    yaml files.
    After this patch all yaml load operations are performed with safe
    loaders instead.
    Also uses SafeConstructor instead of Constructor.

    Change-Id: I61a3c42d73608b5d013285f015a45f4774d264e3
    Closes-Bug: #1586079
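
An added example, not murano's code and not part of this bug report, that illustrates both the bug description above and the fix these commits describe: a yaql-aware loader derived from yaml.Loader honours python/object/apply tags, the same loader derived from yaml.SafeLoader rejects them while the explicitly registered !yaql tag keeps working, and an MRO check flags any loader class that still carries the full Constructor. The YaqlExpression class, the !yaql handler, the sample documents and all helper names are assumptions for illustration only; the hostile tag calls os.getpid() as a harmless stand-in for an arbitrary callable. Requires PyYAML.

```python
"""Why a yaql-aware PyYAML loader must derive from yaml.SafeLoader (added example)."""
import os
import yaml

YAQL_TAG = u'!yaql'        # tag used here for yaql expressions (assumed, illustrative)
CURRENT_PID = os.getpid()  # lets us prove the hostile tag really invoked code


class YaqlExpression(object):
    """Stand-in for an expression wrapper; not murano's own class."""

    def __init__(self, expression):
        self.expression = expression

    def __repr__(self):
        return 'YaqlExpression(%r)' % (self.expression,)


def _yaql_constructor(loader, node):
    """Build a YaqlExpression from a '!yaql' scalar node."""
    return YaqlExpression(loader.construct_scalar(node))


class UnsafeYaqlLoader(yaml.Loader):
    """Pre-fix shape: the full Constructor honours every python/* tag."""


class SafeYaqlLoader(yaml.SafeLoader):
    """Post-fix shape: SafeConstructor knows core YAML types plus what we register."""


UnsafeYaqlLoader.add_constructor(YAQL_TAG, _yaql_constructor)
SafeYaqlLoader.add_constructor(YAQL_TAG, _yaql_constructor)

# Constructed sample documents in the spirit of a package UI definition.
BENIGN_DOC = u"""
Name: Example
Value: !yaql "$.appName + '-instance'"
"""

# Same document plus a tag the full loader resolves by importing 'os' and
# calling getpid(); a harmless call standing in for anything worse.
HOSTILE_DOC = BENIGN_DOC + u"""
Evil: !!python/object/apply:os.getpid []
"""


def is_safe_loader(loader_cls):
    """True if the only constructor mix-ins in the MRO are BaseConstructor and
    SafeConstructor. Constructor (PyYAML < 5.1) and FullConstructor /
    UnsafeConstructor (>= 5.1) also live in yaml.constructor and are what
    bring the python/* tags, so any other class from that module fails."""
    allowed = (yaml.constructor.BaseConstructor, yaml.constructor.SafeConstructor)
    for base in loader_cls.__mro__:
        if base.__module__ == yaml.constructor.__name__ and base not in allowed:
            return False
    return True


def audit_builtin_loaders():
    """Map PyYAML's own loader names to whether they pass is_safe_loader."""
    names = ('Loader', 'SafeLoader', 'FullLoader', 'UnsafeLoader')
    return dict((n, is_safe_loader(getattr(yaml, n)))
                for n in names if hasattr(yaml, n))


def load_ui_definition(text, loader_cls=SafeYaqlLoader):
    """Load a definition, refusing any loader able to instantiate Python objects."""
    if not is_safe_loader(loader_cls):
        raise ValueError('%s can build arbitrary Python objects from tags; '
                         'derive custom loaders from yaml.SafeLoader'
                         % loader_cls.__name__)
    return yaml.load(text, Loader=loader_cls)


def load_unsafe(text):
    """Deliberately reproduces the bug so the difference is observable."""
    return yaml.load(text, Loader=UnsafeYaqlLoader)


def safe_loader_rejects(text):
    """True if SafeYaqlLoader refuses the document with a ConstructorError."""
    try:
        load_ui_definition(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


def policy_rejects_loader(loader_cls):
    """True if load_ui_definition refuses to use loader_cls at all."""
    try:
        load_ui_definition(BENIGN_DOC, loader_cls)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    print('unsafe loader ran os.getpid():', load_unsafe(HOSTILE_DOC)['Evil'] == CURRENT_PID)
    print('safe loader rejects hostile tag:', safe_loader_rejects(HOSTILE_DOC))
    print('safe loader keeps !yaql working:', load_ui_definition(BENIGN_DOC)['Value'])
    print('builtin loaders:', audit_builtin_loaders())
```

The MRO check is the regression test worth keeping in a code base: on PyYAML 5.1 and later yaml.FullLoader also fails it, which is intended, since FullConstructor still resolves some python/* tags, and the check is independent of which PyYAML version renamed what.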

Reviewed: https://review.openstack.org/333424
Committed: https://git.openstack.org/cgit/openstack/murano/commit/?id=b03c4759aa40d66bd4fcf62c96e352c117bdf4b9
Submitter: Jenkins
Branch: stable/mitaka

commit b03c4759aa40d66bd4fcf62c96e352c117bdf4b9
Author: Kirill Zaitsev <email address hidden>
Date: Fri May 27 00:42:38 2016 +0300

    Use SafeLoader to load yaml files

    Before this patch yaml.Loader was used by the engine to create custom
    yaql-enabled yaml loader. It is unsafe to do so, because yaml.Loader is
    capable of creating custom python objects from specifically constructed
    yaml files.
    After this patch all yaml load operations are performed with safe
    loaders instead.
    Also use SafeConstructor instead of Constructor.

    Change-Id: I61a3c42d73608b5d013285f015a45f4774d264e3
    Closes-Bug: #1586079

Reviewed: https://review.openstack.org/333425
Committed: https://git.openstack.org/cgit/openstack/murano/commit/?id=355513fe2e8c929f783de1109bee76c340cedced
Submitter: Jenkins
Branch: stable/liberty

commit 355513fe2e8c929f783de1109bee76c340cedced
Author: Kirill Zaitsev <email address hidden>
Date: Fri May 27 00:42:38 2016 +0300

    Use SafeLoader to load yaml files

    Before this patch yaml.Loader was used by the engine to create custom
    yaql-enabled yaml loader. It is unsafe to do so, because yaml.Loader is
    capable of creating custom python objects from specifically constructed
    yaml files.
    After this patch all yaml load operations are performed with safe
    loaders instead.
    Also use SafeConstructor instead of Constructor.

    Change-Id: I61a3c42d73608b5d013285f015a45f4774d264e3
    Closes-Bug: #1586079

Reviewed: https://review.openstack.org/333439
Committed: https://git.openstack.org/cgit/openstack/murano-dashboard/commit/?id=338989020cfd2f4b16a71f7da9a788d668502c9e
Submitter: Jenkins
Branch: stable/mitaka

commit 338989020cfd2f4b16a71f7da9a788d668502c9e
Author: Kirill Zaitsev <email address hidden>
Date: Fri May 27 00:11:28 2016 +0300

    Inherit custom yaml Loader from yaml.SafeLoader

    Before this patch yaql-enabled yaml Loader was inherited from yaml.Loader, that
    potentially allows creating arbitrary python objects from specifically
    formatted yaml tags. This could have happened whenever UI definitions of
    the package were processed.
    With this change yaql yaml-Loader no longer allows creating custom python objects.

    Change-Id: I4fe38aa7e0fc567211ab872c7e1f8e81dbc3e765
    Closes-Bug: #1586079

Reviewed: https://review.openstack.org/333432
Committed: https://git.openstack.org/cgit/openstack/murano-dashboard/commit/?id=0f3745415ab4f083cbf069a9cb574168e499a386
Submitter: Jenkins
Branch: stable/liberty

commit 0f3745415ab4f083cbf069a9cb574168e499a386
Author: Kirill Zaitsev <email address hidden>
Date: Fri May 27 00:11:28 2016 +0300

    Inherit custom yaml Loader from yaml.SafeLoader

    Before this patch yaql-enabled yaml Loader was inherited from yaml.Loader, that
    potentially allows creating arbitrary python objects from specifically
    formatted yaml tags. This could have happened whenever UI definitions of
    the package were processed.
    With this change yaql yaml-Loader no longer allows creating custom python objects.

    Change-Id: I4fe38aa7e0fc567211ab872c7e1f8e81dbc3e765
    Closes-Bug: #1586079

description: updated

This issue was fixed in the openstack/murano-dashboard 2.0.1 release.

This issue was fixed in the openstack/murano 2.0.1 release.

This issue was fixed in the openstack/murano-dashboard 1.0.3 release.

This issue was fixed in the openstack/murano 1.0.3 release.

This issue was fixed in the openstack/murano 3.0.0.0b2 development milestone.

This issue was fixed in the openstack/murano-dashboard 3.0.0.0b2 development milestone.
