some legacy v2 API lose the protection of json-schema

Bug #1701451 reported by Alex Xu
This bug affects 2 people
Affects                   Status         Importance  Assigned to  Milestone
OpenStack Compute (nova)  Fix Released   Medium      Alex Xu
Newton                    Fix Committed  Medium      Alex Xu
Ocata                     Fix Committed  Medium      Alex Xu

Bug Description

JSON-Schema supports validating the input for the legacy v2 compatible mode. For a legacy v2 request, it won't return 400 for extra invalid parameters; instead it filters the extra parameters out of the input body, to protect the API from being broken by the extra parameters.

https://github.com/openstack/nova/blob/68bbddd8aea8f8b2d671e0d675524a1e568eb773/nova/api/openstack/compute/evacuate.py#L75

https://github.com/openstack/nova/blob/68bbddd8aea8f8b2d671e0d675524a1e568eb773/nova/api/openstack/compute/migrate_server.py#L66

https://github.com/openstack/nova/blob/68bbddd8aea8f8b2d671e0d675524a1e568eb773/nova/api/openstack/compute/server_groups.py#L166

Those should be fixed to cover the legacy v2 request, and the fix should be back-ported.

Alex Xu (xuhj)
Changed in nova:
assignee: nobody → Alex Xu (xuhj)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/479170

Changed in nova:
status: New → In Progress
Changed in nova:
assignee: Alex Xu (xuhj) → Matt Riedemann (mriedem)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/479197

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/479201

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/479170
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=aaeea4bf39377c4109f6b2857794ee0e7d51e786
Submitter: Jenkins
Branch: master

commit aaeea4bf39377c4109f6b2857794ee0e7d51e786
Author: He Jie Xu <email address hidden>
Date: Fri Jun 30 14:47:20 2017 +0800

    Ensure the JSON-Schema covers the legacy v2 API

    The legacy v2 API compatible mode supports the protection of JSON-Schema.
    The input body will be validated with JSON-Schema, and the extra invalid
    parameters will be filtered out of the input body instead of returning
    HTTPBadRequest 400.

    But some of the APIs are missing that protection: the JSON-Schema validation
    was limited to the v2.1 API. This patch ensures those schemas cover the
    legacy v2 API.

    Change-Id: Ie165b2a79efd56a299d2d4ebe40a6904a340414f
    Closes-Bug: #1701451
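
The gap described above comes down to the lower bound of a version-gated validator. The following is an added example, not nova's code: `schema`, `check`, `handler`, the `EVACUATE` schema and the request bodies are hypothetical, and a legacy v2 request is modelled as version (2, 0) with `legacy_v2=True`.

```python
import functools

class BadRequest(Exception):
    """Stands in for an HTTP 400 response."""

# Constructed schema for illustration: allowed keys and expected types.
EVACUATE = {"host": str, "onSharedStorage": bool}

def check(allowed, body, legacy_v2):
    """Validate body; legacy v2 drops unknown keys instead of failing."""
    extra = sorted(set(body) - set(allowed))
    if extra and not legacy_v2:
        raise BadRequest("unexpected parameters: %s" % ", ".join(extra))
    cleaned = {k: v for k, v in body.items() if k in allowed}
    for key, value in cleaned.items():
        # Model assumption: a wrong type is rejected in both modes.
        if not isinstance(value, allowed[key]):
            raise BadRequest("invalid type for %s" % key)
    return cleaned

def schema(allowed, min_version, max_version=None):
    """Hypothetical decorator: validate only inside [min_version, max_version]."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(version, body, legacy_v2=False):
            below_max = max_version is None or version <= max_version
            if min_version <= version and below_max:
                body = check(allowed, body, legacy_v2)
            return func(body)  # outside the range the body passes through unchecked
        return wrapper
    return decorator

def handler(body):
    """Hypothetical API method; returns the body it was allowed to see."""
    return body

# Lower bound 2.1: legacy v2 requests (modelled as version 2.0) skip the schema.
evacuate_before = schema(EVACUATE, (2, 1))(handler)
# Lower bound 2.0: legacy v2 requests are validated and filtered.
evacuate_after = schema(EVACUATE, (2, 0))(handler)

if __name__ == "__main__":
    req = {"host": "node-b", "bogus": {"nested": 1}}  # constructed request body
    print("before:", evacuate_before((2, 0), req, legacy_v2=True))
    print("after: ", evacuate_after((2, 0), req, legacy_v2=True))
```

With the 2.1 lower bound the unknown `bogus` key reaches the handler untouched; with the 2.0 lower bound it is filtered for the legacy request and rejected for a v2.1 request.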

Changed in nova:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (stable/ocata)

Change abandoned by Alex Xu (<email address hidden>) on branch: stable/ocata
Review: https://review.openstack.org/479197

OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (stable/newton)

Change abandoned by Alex Xu (<email address hidden>) on branch: stable/newton
Review: https://review.openstack.org/479201

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 16.0.0.0b3

This issue was fixed in the openstack/nova 16.0.0.0b3 development milestone.

Matt Riedemann (mriedem)
Changed in nova:
assignee: Matt Riedemann (mriedem) → Alex Xu (xuhj)
importance: Undecided → Medium
Matt Riedemann (mriedem)
tags: added: api
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/ocata)

Reviewed: https://review.openstack.org/479197
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=48fe8d17e38193c63b6aea98d73ce13a835cd0d0
Submitter: Jenkins
Branch: stable/ocata

commit 48fe8d17e38193c63b6aea98d73ce13a835cd0d0
Author: He Jie Xu <email address hidden>
Date: Fri Jun 30 14:47:20 2017 +0800

    Ensure the JSON-Schema covers the legacy v2 API

    The legacy v2 API compatible mode supports the protection of JSON-Schema.
    The input body will be validated with JSON-Schema, and the extra invalid
    parameters will be filtered out of the input body instead of returning
    HTTPBadRequest 400.

    But some of the APIs are missing that protection: the JSON-Schema validation
    was limited to the v2.1 API. This patch ensures those schemas cover the
    legacy v2 API.

    Change-Id: Ie165b2a79efd56a299d2d4ebe40a6904a340414f
    Closes-Bug: #1701451
    (cherry picked from commit aaeea4bf39377c4109f6b2857794ee0e7d51e786)

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/newton)

Reviewed: https://review.openstack.org/479201
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=f1cf54df9a80f87f4e4b497db587f24eea25523d
Submitter: Jenkins
Branch: stable/newton

commit f1cf54df9a80f87f4e4b497db587f24eea25523d
Author: He Jie Xu <email address hidden>
Date: Fri Jun 30 14:47:20 2017 +0800

    Ensure the JSON-Schema covers the legacy v2 API

    The legacy v2 API compatible mode supports the protection of JSON-Schema.
    The input body will be validated with JSON-Schema, and the extra invalid
    parameters will be filtered out of the input body instead of returning
    HTTPBadRequest 400.

    But some of the APIs are missing that protection: the JSON-Schema validation
    was limited to the v2.1 API. This patch ensures those schemas cover the
    legacy v2 API.

    Change-Id: Ie165b2a79efd56a299d2d4ebe40a6904a340414f
    Closes-Bug: #1701451
    (cherry picked from commit aaeea4bf39377c4109f6b2857794ee0e7d51e786)
    (cherry picked from commit 934bc02f9d33a343de145e68fc174932d2f75625)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 15.0.7

This issue was fixed in the openstack/nova 15.0.7 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 14.0.8

This issue was fixed in the openstack/nova 14.0.8 release.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to nova (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/540154

OpenStack Infra (hudson-openstack) wrote : Related fix merged to nova (master)

Reviewed: https://review.openstack.org/540154
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=7db20191206be454175e069cab08107a8c4fbe6f
Submitter: Zuul
Branch: master

commit 7db20191206be454175e069cab08107a8c4fbe6f
Author: Matt Riedemann <email address hidden>
Date: Thu Feb 1 16:56:07 2018 -0500

    Ensure the JSON-Schema covers the legacy v2 API

    Similar to change Ie165b2a79efd56a299d2d4ebe40a6904a340414f,
    these were some other APIs missing 2.0 for the query schema
    lower-bound which means v2.0 requests weren't getting validated
    by the schema.

    Change-Id: I1b0fc5dfd424b42e381e5c3b703cf7473b9fcbcb
    Related-Bug: #1701451

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to nova (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/543490

OpenStack Infra (hudson-openstack) wrote : Related fix merged to nova (stable/queens)

Reviewed: https://review.openstack.org/543490
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=fb4b60a3af242892a4460a251ff067e00c47e43f
Submitter: Zuul
Branch: stable/queens

commit fb4b60a3af242892a4460a251ff067e00c47e43f
Author: Matt Riedemann <email address hidden>
Date: Thu Feb 1 16:56:07 2018 -0500

    Ensure the JSON-Schema covers the legacy v2 API

    Similar to change Ie165b2a79efd56a299d2d4ebe40a6904a340414f,
    these were some other APIs missing 2.0 for the query schema
    lower-bound which means v2.0 requests weren't getting validated
    by the schema.

    Change-Id: I1b0fc5dfd424b42e381e5c3b703cf7473b9fcbcb
    Related-Bug: #1701451
    (cherry picked from commit 7db20191206be454175e069cab08107a8c4fbe6f)

tags: added: in-stable-queens