AttachVolume doesn't validate input
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Compute (nova) |
Fix Released
|
High
|
Unassigned | ||
Bug Description
user input is sent as a parameter to executed command
Steps:
--------
1) launch instances
2) create volume
3) attach instance to volume with device: "/dev/vda2; reboot"
Expected
-----------
API should throw an exception that device should be of format /dev/vd*
Actual
--------
api is executed and error shows up on compute node that virsh doesn't understand reboot.
Details:
--------
Since nova doesn't validate input (in the aws api), user input can be passed to the command line.
If you attach a volume via:
euca-attach-volume -i i-123123123 -d "/dev/vda; reboot" vol-123123123
the device is stored in the db as: /dev/vda; reboot
Then the attach method is dispatched to the compute node which executes:
nova/virt/
def attach_volume(self, instance_name, device_path, mountpoint):
yield process.
Luckily simple_execute is implemented in a way that ; reboot is sent to virsh instead of being ran as a shell command.
I've created a larger blueprint for addressing this in general - https:/
Related branches
- Vish Ishaya (community): Approve
- Jay Pipes (community): Approve
-
Diff: 21 lines (+4/-0)1 file modifiednova/api/ec2/cloud.py (+4/-0)
| Changed in nova: | |
| status: | New → Fix Committed |
| Changed in nova: | |
| milestone: | none → 2011.1 |
| status: | Fix Committed → Fix Released |
