barbican secrets API doesn't validate bit length
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Barbican | Fix Released | Undecided | Unassigned | |
Bug Description
Submitter Provided Data:
Found in: dev
Severity: Low
Description: secrets API doesn't enforce bit length restrictions
Reproduction Steps:
Create a secret with bit length of zero, or a bit length that is not
a multiple of 8. Should reject these values, but it currently accepts them.
POST http://
{
"name": "AES key",
"algorithm": "aes",
"bit_length": 0,
"mode": "cbc",
"payload": "bababooey",
"payload_
}
Same test with bit_length set to 7 gives the same result (201) when it should fail with 400.
Test Cases: Failing:
test_negative_
test_negative_
Expected Behaviour: Should fail with HTTP 400
Actual Behavior: Succeeds with HTTP 201 and secret is created in the database.
Changed in barbican: status: Fix Released → Fix Committed
While other parameter values for secrets API aren't (or can't be) validated at secret creation time, this one can. The wiki indicates that the value, if used, must be a positive integer. In addition, the validation code for orders requires that a secret bit length must be a multiple of 8. That validation code isn't used on the secret create API path so these values are currently passed through to the database as-is.
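
As an added illustration (not part of the original report or comment, and not Barbican's code), the check described above can be sketched as a validator for the secret-create body that rejects a `bit_length` that is not a positive integer or not a multiple of 8. The names `validate_bit_length`, `status_for` and `InvalidBitLength` are hypothetical, and treating a JSON `null` as "not supplied" and rejecting numeric strings are assumptions.

```python
# Added example, not Barbican's code: all names below are hypothetical.
from numbers import Integral


class InvalidBitLength(ValueError):
    """Raised when bit_length fails validation; a handler maps it to HTTP 400."""


def validate_bit_length(body):
    """Return the validated bit_length from a secret-create body, or None.

    bit_length is optional, but when supplied it must be a positive
    integer and a multiple of 8 (the rule the orders path already applies).
    """
    # Assumption: an absent key and an explicit null both mean "not supplied".
    if body.get("bit_length") is None:
        return None
    value = body["bit_length"]
    # bool is a subclass of int in Python, so True would otherwise pass as 1.
    # Assumption: numeric strings such as "256" are rejected, not coerced.
    if isinstance(value, bool) or not isinstance(value, Integral):
        raise InvalidBitLength("bit_length must be an integer, got %r" % (value,))
    if value <= 0:
        raise InvalidBitLength("bit_length must be positive, got %d" % value)
    if value % 8 != 0:
        raise InvalidBitLength("bit_length must be a multiple of 8, got %d" % value)
    return int(value)


def status_for(body):
    """HTTP status a create handler would return for this body."""
    try:
        validate_bit_length(body)
    except InvalidBitLength:
        return 400
    return 201


# Constructed request bodies modelled on the report's reproduction steps.
SAMPLES = [
    {"name": "AES key", "algorithm": "aes", "bit_length": 0, "mode": "cbc"},
    {"name": "AES key", "algorithm": "aes", "bit_length": 7, "mode": "cbc"},
    {"name": "AES key", "algorithm": "aes", "bit_length": 256, "mode": "cbc"},
    {"name": "AES key", "algorithm": "aes", "bit_length": "256", "mode": "cbc"},
    {"name": "AES key", "algorithm": "aes", "mode": "cbc"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.get("bit_length"), "->", status_for(sample))
```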