test_novnc does not adequately validate websocket upgrade

Bug #1838777 reported by Leo Henken
This bug affects 1 person
Affects: tempest
Status: Fix Released
Importance: Undecided
Assigned to: Ghanshyam Mann
Milestone: (none)

Bug Description

The test test_novnc attempts to validate a websocket upgrade by using an environment dependent configuration field named vnc_server_header. While this solution does work, it introduces a security concern and depends on a varying value that requires every environment to handle differently.

Leo Henken (lh236s)
description: updated
summary: - test_novnc fails when response header omits server name
+ test_novnc does not adequatly validate websocket_upgrade
summary: - test_novnc does not adequatly validate websocket_upgrade
+ test_novnc does not adequatly validate websocket upgrade
summary: - test_novnc does not adequatly validate websocket upgrade
+ test_novnc does not adequately validate websocket upgrade
Leo Henken (lh236s)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tempest (master)

Fix proposed to branch: master
Review: https://review.opendev.org/674364

Changed in tempest:
assignee: nobody → Leo Henken (lh236s)
status: New → In Progress
Changed in tempest:
assignee: Leo Henken (lh236s) → Ghanshyam Mann (ghanshyammann)
OpenStack Infra (hudson-openstack) wrote : Fix merged to tempest (master)

Reviewed: https://review.opendev.org/674364
Committed: https://git.openstack.org/cgit/openstack/tempest/commit/?id=fd01d15d144caa4d5a482301d05cf724c75c4500
Submitter: Zuul
Branch: master

commit fd01d15d144caa4d5a482301d05cf724c75c4500
Author: Leo Henken <email address hidden>
Date: Fri Aug 2 11:42:52 2019 -0500

    Fix test_novnc to adequately validate websocket upgrade

    Currently, test_novnc validates the websocket upgrade by verifying
    that the websocket response reports a protocol switch and that the
    response includes a server name specified in the configuration
    field vnc_server_header. This explicit server name configuration
    field introduces a security concern and convolutes the code base.

    HTTP RFC7231 (https://tools.ietf.org/html/rfc7231) section 6.2.2
    says that when switching protocols, the response "MUST generate
    an Upgrade header field that indicates which protocols will be
    switched to".

    This patchset uses this required Upgrade field to validate the
    websocket upgrade instead of an environment-based configuration
    field, making the code base cleaner, safer, and more reliable.

    vnc_server_header is deprecated and necessary release notes are
    created.

    Change-Id: I5d3c9bdd0d20a15ade672f276dd0f24b654e3de5
    Closes-bug: #1838777
    Closes-bug: #1840788
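
The Upgrade-header check the commit describes, as an added example that is not tempest's own code: a validator for the 101 response that requires the Upgrade field RFC 7231 section 6.2.2 mandates, and goes one step further than the commit by also checking the Connection token and the Sec-WebSocket-Accept hash from RFC 6455. The two responses are constructed samples (the Server value is a placeholder) and the client key is the example key from RFC 6455.

```python
import base64
import hashlib

# RFC 6455 section 1.3: the server hashes Sec-WebSocket-Key with this fixed GUID.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed sample handshake data; the key is the example from RFC 6455.
CLIENT_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
GOOD_RESPONSE = (b"HTTP/1.1 101 Switching Protocols\r\n"
                 b"Upgrade: websocket\r\n"
                 b"Connection: Upgrade\r\n"
                 b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n"
                 b"\r\n")
# A 101 that only names a Server (what the old check keyed on), not a protocol.
SERVER_ONLY_RESPONSE = (b"HTTP/1.1 101 Switching Protocols\r\n"
                        b"Server: example-proxy/1.0\r\n"
                        b"\r\n")


def expected_accept(client_key):
    """Sec-WebSocket-Accept value a conforming server must return for the key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status line, {lower-case name: value})."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def validate_upgrade(raw_response, client_key):
    """Return the list of handshake problems; an empty list means a valid upgrade."""
    status_line, headers = parse_response(raw_response)
    problems = []
    if status_line.split(" ")[1:2] != ["101"]:
        problems.append("status is not 101 Switching Protocols")
    # RFC 7231 6.2.2: a 101 MUST carry an Upgrade header naming the new protocol.
    if headers.get("upgrade", "").lower() != "websocket":
        problems.append("Upgrade header missing or not 'websocket'")
    # RFC 6455 4.2.2: Connection must include the 'Upgrade' token.
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        problems.append("Connection header lacks the 'Upgrade' token")
    if headers.get("sec-websocket-accept") != expected_accept(client_key):
        problems.append("Sec-WebSocket-Accept does not match the client key")
    return problems
```

Run against the two samples, the first response yields no problems and the Server-only response is rejected for its missing Upgrade header regardless of what Server name it reports.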

Changed in tempest:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tempest 22.0.0

This issue was fixed in the openstack/tempest 22.0.0 release.
