[MIR] heat-dashboard

Bug #1750576 reported by Corey Bryant
Affects: heat-dashboard (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Corey Bryant
Milestone: (none)

Bug Description

[Availability]
Currently in universe.

[Rationale]
Heat-dashboard is part of OpenStack and provides a web based user interface for the heat project, which is an OpenStack orchestration service.

[Security]
No security history.

[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian.

[Dependencies]
All are in main.

[Standards Compliance]
FHS and Debian Policy compliant.

[Maintenance]
Simple python package that the OpenStack Team will take care of.

[Background]
Heat-dashboard is a Horizon plugin for Heat. Horizon provides a web based user interface to OpenStack services.

Mathieu Trudel-Lapierre (cyphermox) wrote:

This is a complex JavaScript package, and there seems to be a heavy history of XSS issues with OpenStack dashboards. I'd be more confident if this was reviewed by the Security Team. They can optionally decide that I'm just being too paranoid ;)

Changed in heat-dashboard (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
status: New → Incomplete
Seth Arnold (seth-arnold) wrote:

I reviewed heat-dashboard version 1.4.0-0ubuntu1 as checked into cosmic.
This shouldn't be considered a full audit but rather a quick gauge of
maintainability.

heat-dashboard is a web interface to the heat openstack orchestration
tool, which can help spin up repeatable instances of guests and networks.

- No CVEs in our database
- Huge list of build-depends, long enough I'll skip pasting it here
- pre/post inst/rm scripts mostly automatically added, but there is a
  section to "compress the JS and CSS"[1] that also uses a recursive
  chown. This is dangerous on many kernels.
- No init scripts
- No systemd units
- No dbus services
- No setuid
- No binaries in PATH
- No sudo fragments
- No udev rules
- There are some tests but I didn't see their results in the logs
- No cron jobs
- lintian failure in the build logs[2]

- No processes spawned
- No file IO
- Minimal logging, looked fine
- No environment use
- No privileged functions
- Random numbers are generated in Javascript for some reason; using safe
  sources before falling back to unsafe sources
- OpenStack settings OPENSTACK_SSL_NO_VERIFY and OPENSTACK_SSL_CACERT can
  configure TLS verification and trust root
- No temp files
- Extensive networking via Django; a handful of inspected methods looked
  properly defensive
- No WebKit
- No PolicyKit

I also found and reported a potential problem with incorrectly escaped
URLs: https://storyboard.openstack.org/#!/story/2004454
I can't tell if this would break anything important or not.

Security team ACK for promoting heat-dashboard to main. I'd like to see
the chown -R removed but don't know what to suggest in its place.

Thanks

[1]: Note especially the 'chown -R' command; on kernels that follow
hardlinks from one uid to another, this can allow horizon to gain
ownership of any other files on the filesystem.

if [ "$1" = "configure" ] ; then
 # Compress the JS and CSS with python-compressor and python-lesscpy
 python /usr/share/openstack-dashboard/manage.py collectstatic --clear --noinput
 python /usr/share/openstack-dashboard/manage.py compress --force
 if [ -f '/var/lib/openstack-dashboard/secret-key/.secret_key_store' ]; then
  rm -f /var/lib/openstack-dashboard/secret-key/.secret_key_store
 fi
 if [ -d /var/lib/openstack-dashboard ]; then
  chown -R horizon:horizon /var/lib/openstack-dashboard
 fi
fi

[2]:
E: heat-dashboard source: source-is-missing xstatic/pkg/js_yaml/data/js-yaml.js line length is 846 characters (>512)
E: heat-dashboard source: source-is-missing heat_dashboard/static/dashboard/project/heat_dashboard/template_generator/js/libs/angular-material.js line length is 1539 characters (>512)
W: python-heat-dashboard: priority-extra-is-replaced-by-priority-optional
W: python-heat-dashboard: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:13
W: python3-heat-dashboard: priority-extra-is-replaced-by-priority-optional
W: python3-heat-dashboard: maintainer-script-should-not-use-recursive-chown-or-chmod postinst:13
W: heat-dashboard-common: priority-extra-is-replaced-by-priority-optional
E: heat-dashboard-common: python-package-missing-depends-on-python
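
The footnote above leaves open what to put in place of the recursive chown. The script below is an added illustration, not code from heat-dashboard, Debian or the reviewers: it assumes the package only needs to own files it created itself, so it changes ownership of directories, of symlinks as links (chown -h) and of regular files whose link count is exactly one, and it reports rather than chowns any regular file with extra hard links, since such a file may be a link planted under /var/lib/openstack-dashboard to a file owned by someone else. The function names, the OWNER/DIR arguments and the return codes are this example's own choices.

```sh
#!/bin/sh
# Added example (not from the heat-dashboard package or its reviewers): a
# narrower replacement for the postinst's
#     chown -R horizon:horizon /var/lib/openstack-dashboard
# Assumption: the package only needs to own the files it created itself, so
# instead of chowning everything under the tree we chown directories,
# symlinks (with -h, so the link itself and not its target) and regular
# files that have exactly one link. A regular file with a link count above
# one may be a hard link to a file owned by someone else, planted under the
# tree so that the recursive chown hands it to horizon; those are reported
# and left alone.

# List the paths that a restricted chown would touch, one per line.
safe_chown_candidates() {
    find "$1" -xdev \( -type d -o -type l -o \( -type f -links 1 \) \) -print
}

# List regular files under the tree that have more than one hard link.
hardlink_suspects() {
    find "$1" -xdev -type f -links +1 -print
}

# safe_chown_tree OWNER DIR: chown only the safe candidates.
# OWNER is user or user:group, exactly as chown(1) takes it.
# Returns 1 if DIR is missing, 2 if suspect files were found (the safe paths
# are still chowned first), 0 otherwise.
safe_chown_tree() {
    _owner=$1
    _dir=$2
    [ -d "$_dir" ] || return 1
    safe_chown_candidates "$_dir" | while IFS= read -r _p; do
        chown -h "$_owner" "$_p"
    done
    _n=$(hardlink_suspects "$_dir" | wc -l)
    if [ "$_n" -gt 0 ]; then
        echo "$_n file(s) under $_dir have extra hard links and were skipped:" >&2
        hardlink_suspects "$_dir" >&2
        return 2
    fi
    return 0
}
```

Two caveats apply. First, there is still a window between find listing a path and chown acting on it, so the narrower chown is only defence in depth; the kernel-side fix is fs.protected_hardlinks=1 (Linux 3.6 and later), which stops an unprivileged user from hard-linking files they do not own in the first place and is what the footnote's "kernels that follow hardlinks from one uid to another" refers to. Second, the safest maintainer script does no recursive ownership change at all and instead chowns only the paths it created in that same run.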

Changed in heat-dashboard (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Mathieu Trudel-Lapierre (cyphermox) wrote:

I really don't like the fact that the tests are not being run for the package. In comparison, I'm not as worried about the use of chown -R in the maintainer scripts.

Since this MIR was opened, the package has landed in Debian. I think we'd really benefit from attempting to reconcile the two packages, especially since that might allow us to merge things and benefit from work (and bug fixing) being done in Debian.

Please attempt to fix the tests and merge the package with Debian, or provide an analysis why these are not possible.

Changed in heat-dashboard (Ubuntu):
assignee: nobody → Corey Bryant (corey.bryant)
Corey Bryant (corey.bryant) wrote:

Thanks for the reviews all. I've uploaded a new version of heat-dashboard to disco with tests running successfully.

Mathieu Trudel-Lapierre (cyphermox) wrote:

Thanks. MIR approved.

Changed in heat-dashboard (Ubuntu):
status: Incomplete → Fix Committed
Corey Bryant (corey.bryant) wrote:

This is seeded now.

Chris Halse Rogers (raof) wrote:

And now in main.

Is the Openstack team subscribed to heat-dashboard bugs?

Changed in heat-dashboard (Ubuntu):
status: Fix Committed → Fix Released
Chris MacNaughton (chris.macnaughton) wrote:

We are indeed subscribed to heat-dashboard bugs!
