Comment 21 for bug 2048114
Revision history for this message
| Takashi Kajinami (kajinamit) wrote Re: OpenStack Murano Component Information Leakage | #21 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
So I checked the example murano resources and it seems we can reproduce a similar behavior in heat. (example template and the resource show result are being attached).
One key difference is that in heat we explicitly pass a dictionary value[1], which makes yaql create a new frozendict instance[2]. So __globals__ does not get access to code in heat, but only instances available in [2] which do not contain severely sensitive information such as CONF.
[1] https:/
[2] https:/
However it still leaks a few system information like python versions or python path. What we can probably attempt here is to update yaql to reject a specific pattern like '{\s+.__\s+__\s+}' to avoid access to built-in functions. It should not break any existing valid usage in heat, at least.