session fails to sanitize response body of passwords

Bug #1490693 reported by Matt Riedemann
Affects: python-keystoneclient
Status: Fix Released
Importance: High
Assigned to: Matt Riedemann

Bug Description

Seeing this in the n-cpu logs when nova calls the os-initialize_connection API via python-cinderclient and cinder returns a response body with credentials in it:

http://logs.openstack.org/66/218666/1/check/gate-tempest-dsvm-full/3ac1f2b/logs/screen-n-cpu.txt.gz#_2015-08-30_16_33_09_578

keystoneclient.session is logging the response body without sanitizing it first.

2015-08-30 16:33:09.578 DEBUG keystoneclient.session [req-ff63c358-41b0-4aac-8d8c-e369d82a0d5e tempest-TestMinimumBasicScenario-472140388 tempest-TestMinimumBasicScenario-192291337] REQ: curl -g -i -X POST http://127.0.0.1:8776/v2/8a98625b8c5445afbc72496ce2f7ab7f/volumes/744d2085-8e78-40a5-8659-ef3cffb2480e/action -H "User-Agent: python-cinderclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}fbdcb6c88ebb8ec83181b62e338a1a4b909f7031" -d '{"os-initialize_connection": {"connector": {"initiator": "iqn.1993-08.org.debian:01:f991bccc0", "ip": "172.99.69.228", "platform": "x86_64", "host": "devstack-trusty-rax-iad-4640004", "os_type": "linux2", "multipath": false}}}' _http_log_request /usr/local/lib/python2.7/dist-packages/keystoneclient/session.py:195
2015-08-30 16:33:10.674 DEBUG keystoneclient.session [req-ff63c358-41b0-4aac-8d8c-e369d82a0d5e tempest-TestMinimumBasicScenario-472140388 tempest-TestMinimumBasicScenario-192291337] RESP: [200] content-length: 447 x-compute-request-id: req-747a68eb-f62e-4a43-aa8a-ff332c92783d connection: keep-alive date: Sun, 30 Aug 2015 16:33:10 GMT content-type: application/json x-openstack-request-id: req-747a68eb-f62e-4a43-aa8a-ff332c92783d
RESP BODY: {"connection_info": {"driver_volume_type": "iscsi", "data": {"auth_password": "FF5vCvAvks8iQ2Vx", "target_discovered": false, "encrypted": false, "qos_specs": null, "target_iqn": "iqn.2010-10.org.openstack:volume-744d2085-8e78-40a5-8659-ef3cffb2480e", "target_portal": "172.99.69.228:3260", "volume_id": "744d2085-8e78-40a5-8659-ef3cffb2480e", "target_lun": 1, "access_mode": "rw", "auth_username": "82tvLceDnfHjg6jrTwpq", "auth_method": "CHAP"}}}

Matt Riedemann (mriedem)
Changed in python-keystoneclient:
status: New → Confirmed
assignee: nobody → Matt Riedemann (mriedem)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/219004

Changed in python-keystoneclient:
status: Confirmed → In Progress
Changed in python-keystoneclient:
importance: Undecided → High
tags: added: security
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/219004
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=3e26ff824801d5084791a52980021784e794e35f
Submitter: Jenkins
Branch: master

commit 3e26ff824801d5084791a52980021784e794e35f
Author: Matt Riedemann <email address hidden>
Date: Mon Aug 31 12:32:25 2015 -0700

    Mask passwords when logging the HTTP response

    We should sanitize the response body before logging to make sure we
    aren't leaking through credentials like in the case of the response from
    the os-initialize_connection volume API.

    Closes-Bug: #1490693

    Change-Id: Ifd95d3fb624b4636fb72cc11762af62e00a026a0

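The bug description and the commit message above describe the same defect and the same remedy: a DEBUG log line was built from the raw response body, so the CHAP secret returned by os-initialize_connection landed in n-cpu logs, and the fix is to mask credentials before the body is formatted for logging. The following is an added example of that discipline written for this page; it is not python-keystoneclient's code or the merged change. The key list in SENSITIVE_KEY_PATTERN, the MASK string, the regex fallback and the function names are assumptions; the sample body is the one quoted in the report, trimmed to the relevant fields.

```python
import json
import re
from typing import Any

# Key names whose values must never reach a log (case-insensitive substring match).
# This list is an assumption for the example, not keystoneclient's; extend it to
# whatever the APIs you proxy actually return.
SENSITIVE_KEY_PATTERN = re.compile(r"password|passwd|secret|token|private_key", re.IGNORECASE)

# Fallback for bodies that are not JSON: mask the value after password=, "password": etc.
FALLBACK_PATTERN = re.compile(
    r'("?[\w-]*(?:password|passwd|secret|token)[\w-]*"?\s*[:=]\s*"?)([^"\s,&]+)',
    re.IGNORECASE,
)
MASK = "***"


def mask_sensitive(value: Any) -> Any:
    """Return a copy of a decoded JSON value with every sensitive field masked.

    A key that matches is masked whole, even when its value is a nested object,
    so a {"secrets": {...}} subtree cannot leak through partial matching.
    """
    if isinstance(value, dict):
        return {
            key: MASK if SENSITIVE_KEY_PATTERN.search(str(key)) else mask_sensitive(item)
            for key, item in value.items()
        }
    if isinstance(value, list):
        return [mask_sensitive(item) for item in value]
    return value


def sanitize_body_for_log(body: str) -> str:
    """Sanitize an HTTP body string before it is handed to a logger.

    JSON bodies are masked structurally after decoding; anything else goes
    through the conservative regex fallback, so a form-encoded or plain-text
    body still cannot leak an obvious password= value.
    """
    try:
        decoded = json.loads(body)
    except ValueError:
        return FALLBACK_PATTERN.sub(lambda m: m.group(1) + MASK, body)
    return json.dumps(mask_sensitive(decoded), sort_keys=True)


# Response body from the bug report (trimmed): the CHAP secret the unpatched
# session logged verbatim lives under connection_info.data.auth_password.
REPORTED_RESPONSE_BODY = (
    '{"connection_info": {"driver_volume_type": "iscsi", "data": {'
    '"auth_password": "FF5vCvAvks8iQ2Vx", "target_iqn": '
    '"iqn.2010-10.org.openstack:volume-744d2085-8e78-40a5-8659-ef3cffb2480e", '
    '"target_portal": "172.99.69.228:3260", "auth_username": "82tvLceDnfHjg6jrTwpq", '
    '"auth_method": "CHAP"}}}'
)


def log_response(status: int, body: str) -> str:
    """Build the RESP BODY line the way a hardened session would: mask first, then format."""
    return "RESP: [%d] RESP BODY: %s" % (status, sanitize_body_for_log(body))


if __name__ == "__main__":
    print(log_response(200, REPORTED_RESPONSE_BODY))
```

The ordering is the whole point: masking has to happen on the body before any string formatting, because once the secret is inside the log message no later handler reliably gets it back out. Note that the request line in the report already shows this discipline for headers (the X-Auth-Token value is logged as a SHA1 digest); the fix extends the same treatment to the response body. Whether auth_username should also be masked is a policy choice; the example leaves it visible so the log still identifies the CHAP session.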
Changed in python-keystoneclient:
status: In Progress → Fix Committed
Changed in python-keystoneclient:
milestone: none → 1.7.0
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/233111

OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (stable/kilo)

Reviewed: https://review.openstack.org/233111
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=ec70eb02f8a5889828cde786694283240f64c5c4
Submitter: Jenkins
Branch: stable/kilo

commit ec70eb02f8a5889828cde786694283240f64c5c4
Author: Matt Riedemann <email address hidden>
Date: Mon Aug 31 12:32:25 2015 -0700

    Mask passwords when logging the HTTP response

    We should sanitize the response body before logging to make sure we
    aren't leaking through credentials like in the case of the response from
    the os-initialize_connection volume API.

    Closes-Bug: #1490693

    NOTE(mriedem): The test is slightly different in kilo because the
    _http_log_response method requires kwargs.

    Change-Id: Ifd95d3fb624b4636fb72cc11762af62e00a026a0
    (cherry picked from commit 3e26ff824801d5084791a52980021784e794e35f)

tags: added: in-stable-kilo
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-keystoneclient (feature/keystoneauth_integration)

Change abandoned by Steve Martinelli (<email address hidden>) on branch: feature/keystoneauth_integration
Review: https://review.openstack.org/218269
Reason: need to abandon in order to delete branch
