commit b60fb70c9faf3b73eb4d8a73cd5cb09f2fa70a61
Author: Dan Smith <email address hidden>
Date: Mon Dec 19 15:00:35 2022 +0000
Enforce image safety during image_conversion
This does two things:
1. It makes us check that the QCOW backing_file is unset on those
types of images. Nova and Cinder do this already to prevent an
arbitrary (and trivial to accomplish) host file exposure exploit.
2. It makes us restrict VMDK files to only allowed subtypes. These
files can name arbitrary files on disk as extents, providing the
same sort of attack. Default that list to just the types we believe
are actually useful for openstack, and which are monolithic.
The configuration option to specify allowed subtypes is added in
glance's config and not in the import options so that we can extend
this check later to image ingest. The format_inspector can tell us
what the type and subtype is, and we could reject those images early
and even in the case where image_conversion is not enabled.
Closes-Bug: #1996188
Change-Id: Idf561f6306cebf756c787d8eefdc452ce44bd5e0
(cherry picked from commit 0d6282a01691cecc2798f7858b181c4bb30f850c)
(cherry picked from commit 4967ab6935cfd0274ae801ac943d01909a236a0a)
(cherry picked from commit dc8e5a5cc7f5e9d1b697e520a7533cc90516db1b)
(cherry picked from commit f45b5f024e765f0000884dfec5ac222124cfbc6d)
(cherry picked from commit 9a98c4a7d1358cdae009cc8fb6377160a126ea7b)
Conflicts: glance/tests/unit/async_/flows/plugins/test_image_conversion.py
- removed code related to missing tests - 050802dd67b9135e04a65d340531157c94248c51
(cherry picked from commit 06e6be579156d8bf2ce8e021d07d6f351fb88c07)
Reviewed: https:/ /review. opendev. org/c/openstack /glance/ +/871626 /opendev. org/openstack/ glance/ commit/ b60fb70c9faf3b7 3eb4d8a73cd5cb0 9f2fa70a61
Committed: https:/
Submitter: "Zuul (22348)"
Branch: stable/ussuri
commit b60fb70c9faf3b7 3eb4d8a73cd5cb0 9f2fa70a61
Author: Dan Smith <email address hidden>
Date: Mon Dec 19 15:00:35 2022 +0000
Enforce image safety during image_conversion
This does two things:
1. It makes us check that the QCOW backing_file is unset on those
types of images. Nova and Cinder do this already to prevent an
arbitrary (and trivial to accomplish) host file exposure exploit.
2. It makes us restrict VMDK files to only allowed subtypes. These
files can name arbitrary files on disk as extents, providing the
same sort of attack. Default that list to just the types we believe
are actually useful for openstack, and which are monolithic.
The configuration option to specify allowed subtypes is added in
glance's config and not in the import options so that we can extend
this check later to image ingest. The format_inspector can tell us
what the type and subtype is, and we could reject those images early
and even in the case where image_conversion is not enabled.
Closes-Bug: #1996188 756c787d8eefdc4 52ce44bd5e0 c2798f7858b181c 4bb30f850c) 74ae801ac943d01 909a236a0a) 1b697e520a7533c c90516db1b) 000884dfec5ac22 2124cfbc6d) ae009cc8fb63771 60a126ea7b) tests/unit/ async_/ flows/plugins/ test_image_ conversion. py e04a65d34053115 7c94248c51 f2ce8e021d07d6f 351fb88c07)
Change-Id: Idf561f6306cebf
(cherry picked from commit 0d6282a01691cec
(cherry picked from commit 4967ab6935cfd02
(cherry picked from commit dc8e5a5cc7f5e9d
(cherry picked from commit f45b5f024e765f0
(cherry picked from commit 9a98c4a7d1358cd
Conflicts: glance/
- removed code related to missing tests - 050802dd67b9135
(cherry picked from commit 06e6be579156d8b