Use of eval() on untrusted data
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Object Storage (swift) | In Progress | Critical | Unassigned |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
Bug Description
Swift's xprofile middleware runs eval() on untrusted, user-provided data. See https:/
This can be used for all manner of bad things: denial of service, data/config/secret exfiltration, remote code execution...
Some examples of the bad things that can be done:
curl http://
curl http://
curl http://
curl http://
curl http://
Affects swift>=2.0.0 (Juno and later). That is to say, all versions of Swift with the xprofile middleware.
Fix is simple: use int() instead of eval(). There's already sufficient error handling such that we'd instead respond with a 500 and a body like
Error on render profiling results: invalid literal for int() with base 10: '...'
Further steps should be taken to
- document that xprofile is a development tool not intended for production,
- maybe even remove xprofile from future releases (as I'm not aware of any developers that regularly use it), and
- understand why this wasn't caught when we run bandit in the gate.
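The pattern the report describes, as an added illustration that is not Swift's xprofile code: a toy "profiling results" handler that reads integer knobs from the query string, once with eval() and once with the int() replacement the report proposes. The knob names ("limit", "fulldirs"), the parser functions and the response shape are assumptions; only the error-body prefix "Error on render profiling results:" comes from the report. A third, stricter parser is included because int() still accepts surrounding whitespace, a sign and digit-group underscores, which a practitioner may not want from a request parameter.

```python
import re
import urllib.parse

# Added illustration, not code from Swift's xprofile middleware. A toy
# "profiling results" handler reads integer knobs (here "limit" and
# "fulldirs"; the names are assumptions) from the request query string.
# The three parsers below contrast the dangerous eval() pattern with the
# int() fix the report proposes and a stricter digits-only variant.


def _raw_param(query_string, name):
    """Return the first value of ``name`` in the query string, or None."""
    return urllib.parse.parse_qs(query_string).get(name, [None])[0]


def parse_knob_with_eval(query_string, name, default=0):
    """Dangerous: the client-supplied string is evaluated as Python."""
    raw = _raw_param(query_string, name)
    if raw is None:
        return default
    # Any Python expression runs here: 2**10, an __import__ call, or an
    # expression that never terminates (denial of service).
    return eval(raw)


def parse_knob_with_int(query_string, name, default=0):
    """The fix from the report: int() accepts only an integer literal and
    raises ValueError for anything else."""
    raw = _raw_param(query_string, name)
    if raw is None:
        return default
    return int(raw)


def parse_knob_strict(query_string, name, default=0):
    """Stricter variant: int() still tolerates surrounding whitespace,
    a sign and digit-group underscores ("1_000"), so require plain
    decimal digits before converting."""
    raw = _raw_param(query_string, name)
    if raw is None:
        return default
    if not re.fullmatch(r"[0-9]+", raw):
        raise ValueError("non-numeric value for %s: %r" % (name, raw))
    return int(raw)


def render_profiling_results(query_string, parser=parse_knob_with_int):
    """Mimic the error handling the report says already surrounds the
    parsing: any exception becomes a 500 whose body carries the message."""
    try:
        limit = parser(query_string, "limit", default=20)
        fulldirs = parser(query_string, "fulldirs", default=0)
    except Exception as exc:
        return 500, "Error on render profiling results: %s" % exc
    return 200, "limit=%d fulldirs=%d" % (limit, fulldirs)


if __name__ == "__main__":
    # Constructed request: an expression where an integer is expected.
    payload = "limit=2**10"
    print(render_profiling_results(payload, parser=parse_knob_with_eval))
    print(render_profiling_results(payload, parser=parse_knob_with_int))
    print(render_profiling_results(payload, parser=parse_knob_strict))
```

With eval() the request "limit=2**10" is silently accepted as 1024, and a value such as "__import__('sys').maxsize" reaches into the interpreter; with int() the same request fails closed with the 500 body quoted in the report. The strict parser additionally rejects "1_000" and " 5", which int() would accept.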
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.
Given that "xprofile is a development tool not intended for production" I'm inclined to consider this a match for class B3 in our taxonomy ("A vulnerability in experimental or debugging features not intended for production use"): https://security.openstack.org/vmt-process.html#report-taxonomy
If Swift folks and other VMT members agree with that assessment, we could just switch this to public and treat it as a normal bug with no need for a broadly-published security advisory.