Cannot populate IF-MAP server i f resource contains character '<' or '>'

Bug #1364916 reported by Édouard Thuleau
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Juniper Openstack
Fix Released
Critical
Unassigned
OpenContrail
Fix Released
Critical
Unassigned

Bug Description

Cannot populate IF-MAP server if resource name contains character '<' or '>'.
The bug is more critical since the R1.10 release because the IF-MAP server is populated in one request. So all resources are not initialized if that request fail.

Reproduce it:
- When a config node running, create a virtual network with name "<script>alert(1);</script>": neutron net-create "<script>alert(1);</script>"
- Restart the config node: restart contrail-api
- Check the IF-MAP population: python /usr/lib/python2.7/dist-packages/schema_transformer/ifmap_view.py 127.0.0.1 8443 reader reader
MAP server connection = 127.0.0.1:8443
MAP server credentials = reader:reader
Start node = None
Skip List = ['id-perms']
Verbose = 0

The IF-MAP server is not populated. And we can see an error into irond logs:
[Fatal Error] :4:166: The value of attribute "name" associated with an element type "null" must not contain the '<' character.

Tags: config ifmap
Pedro Marques (5-roque)
Changed in opencontrail:
importance: Undecided → Critical
Pedro Marques (5-roque)
Changed in juniperopenstack:
importance: Undecided → Critical
tags: added: config
Revision history for this message
sajuptpm (sajuptpm) wrote :

I think, it is already fixed.
Tested with contrail 1.2

saju@myuuhost:~$ neutron net-create "<script>alert(1);</script>"
400-{u'NeutronError': {u'message': u"HTTP Status: 400 Content: Bad Request, name has one of invalid chars set([':', '<', '>'])", u'type': u'ContrailBadRequestError', u'detail': u''}}

Revision history for this message
liyifeng (307419146-q) wrote :
Download full text (3.9 KiB)

[root@controller2 utils]# contrail-version
Package Version Build-ID | Repo | RPM Name
-------------------------------------- ------------------------------ ----------------------------------
contrail-analytics 2.01-888.el6 888
contrail-config 2.01-888.el6 888
contrail-config-openstack 2.01-888.el6 888
contrail-control 2.01-888.el6 888
contrail-database 2.01-888.el6 888
contrail-dns 2.01-888.el6 888
contrail-fabric-utils 2.01-888 888
contrail-heat 2.01-888.el6 888
contrail-install-packages 2.01-888~icehouse.el6 contrail-install-packages-2.01-888~icehouse.el6.noarch
contrail-lib 2.01-888.el6 888
contrail-nodemgr 2.01-888.el6 888
contrail-openstack 2.01-888.el6 888
contrail-openstack-analytics 2.01-888.el6 888
contrail-openstack-config 2.01-888.el6 888
contrail-openstack-control 2.01-888.el6 888
contrail-openstack-database 2.01-888.el6 888
contrail-openstack-webui 2.01-888.el6 888
contrail-setup 2.01-888.el6 888
contrail-utils 2.01-888.el6 888
contrail-web-controller 2.01-888 888
contrail-web-core 2.01-888 888
neutron-plugin-contrail 2.01-888.el6 888
python-contrail 2.01-888.el6 888

[root@controller2 utils]# neutron net-create "<script>alert(1);</script>"
Created a new network:
+-------------------------+-----------------------------------------------------------------+
| Field | Value |
+-------------------------+-----------------------------------------------------------------+
| admin_state_up | True |
| contrail:fq_name | default-domain |
| | admin |
| | <script>alert(1);</script>-faccd887-d43c-4f1a-bd63-113c400d75ca |
| contrail:instance_count | 0 ...

Read more...

Sachin Bansal (sbansal)
Changed in juniperopenstack:
status: New → Fix Released
Changed in opencontrail:
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.