Information Disclosure through Error Messages

Bug #1585160 reported by Adam Heczko
Affects | Status | Importance | Assigned to | Milestone
Fuel for OpenStack | Fix Released | High | Alex Schultz |
6.0.x | Invalid | High | Sergii Rizvan |
6.1.x | Fix Released | High | Sergii Rizvan |
7.0.x | Fix Released | High | Sergii Rizvan |
8.0.x | Fix Released | High | Sergii Rizvan |
Mitaka | Fix Released | High | Maksim Malchuk |

Bug Description

Detailed bug description:
Error messages were found on the server which disclosed SQL Code.

Steps to reproduce:
Access Fuel API and enter wrong request. Observe error response.

Expected results:
Short notice on error encountered.

Actual result:
Detailed information with description of SQL fields being evaluated.

Dmitry Pyzhov (dpyzhov) wrote :

Medium priority bugs should be targeted to 10.0 because we passed SCF in 9.0.

Changed in fuel:
milestone: 9.0 → 10.0
assignee: nobody → Fuel Python (Deprecated) (fuel-python)
status: New → Confirmed
tags: added: area-python
Changed in fuel:
assignee: Fuel Python (Deprecated) (fuel-python) → Fuel Sustaining (fuel-sustaining-team)
Dmitry Pyzhov (dpyzhov) wrote :

Could you show exact error messages, please?

Changed in fuel:
status: Confirmed → Incomplete
Liubov Efremova (lefremova) wrote :
Liubov Efremova (lefremova) wrote :
Changed in fuel:
status: Incomplete → Confirmed
importance: Medium → High
Liubov Efremova (lefremova) wrote :

Change importance to high as our customer needs this fix ASAP.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-web (master)

Fix proposed to branch: master
Review: https://review.openstack.org/326211

Changed in fuel:
assignee: Fuel Sustaining (fuel-sustaining-team) → Alex Schultz (alex-schultz)
status: Confirmed → In Progress
Changed in fuel:
assignee: Alex Schultz (alex-schultz) → Georgy Kibardin (gkibardin)
Changed in fuel:
assignee: Georgy Kibardin (gkibardin) → Alex Schultz (alex-schultz)
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-web (master)

Reviewed: https://review.openstack.org/326211
Committed: https://git.openstack.org/cgit/openstack/fuel-web/commit/?id=6e5c7474ae1378b3cbd6cc45d0b973a1101cdf83
Submitter: Jenkins
Branch: master

commit 6e5c7474ae1378b3cbd6cc45d0b973a1101cdf83
Author: Alex Schultz <email address hidden>
Date: Mon Jun 6 20:43:03 2016 -0600

    Validate node id for log handler

    This change updates the log handler to validate that the node id being
    passed in is an integer. If it is not an integer, the response will be a
    400.

    Change-Id: Ida7a18a7261bf7fa98518a059d1de42690382d79
    Closes-Bug: #1585160

Changed in fuel:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-web (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/326719

Liubov Efremova (lefremova) wrote :
Changed in fuel:
status: Fix Committed → Confirmed
Liubov Efremova (lefremova) wrote :

It seems we should solve more general problem with disclosed SQL requests in log messages.

Andrey Maximov (maximov) wrote :

@Liubov, yes but this should be reported as a separate issue.

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-web (stable/mitaka)

Reviewed: https://review.openstack.org/326719
Committed: https://git.openstack.org/cgit/openstack/fuel-web/commit/?id=65979423b625b5665a69a588ac96ac29a71ea5db
Submitter: Jenkins
Branch: stable/mitaka

commit 65979423b625b5665a69a588ac96ac29a71ea5db
Author: Alex Schultz <email address hidden>
Date: Mon Jun 6 20:43:03 2016 -0600

    Validate node id for log handler

    This change updates the log handler to validate that the node id being
    passed in is an integer. If it is not an integer, the response will be a
    400.

    Change-Id: Ida7a18a7261bf7fa98518a059d1de42690382d79
    Closes-Bug: #1585160
    (cherry picked from commit 6e5c7474ae1378b3cbd6cc45d0b973a1101cdf83)

Changed in fuel:
status: Confirmed → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-web (master)

Fix proposed to branch: master
Review: https://review.openstack.org/327284

Alex Schultz (alex-schultz) wrote :

FYI, https://review.openstack.org/327284 will catch any possible case, as it removes the printing of uncaught exceptions. We probably should reopen this one; the first fix only addressed the reporting validation issue.

Changed in fuel:
status: Fix Committed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-web (master)

Reviewed: https://review.openstack.org/327284
Committed: https://git.openstack.org/cgit/openstack/fuel-web/commit/?id=f121a0c3225b86e59c347c57b9a1c5383dc8127e
Submitter: Jenkins
Branch: master

commit f121a0c3225b86e59c347c57b9a1c5383dc8127e
Author: Alex Schultz <email address hidden>
Date: Wed Jun 8 12:55:31 2016 -0600

    Do not print unhandled exception if in production

    This change removes the printing of unhandled exceptions when not in
    development mode. We should never return the unhandled exception
    information when not in development mode.

    Change-Id: I820f5682d0fac292722a9f205965516771333a4d
    Closes-Bug: #1585160

Changed in fuel:
status: In Progress → Fix Committed
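The two merged changes above describe a pattern rather than show it: reject a malformed node id with a 400 before any SQL runs, and never echo an unhandled exception to the client outside development mode. The following is an added example written for this page, not fuel-web's own code. The handler functions, the `FakeDataError` stand-in, the `query` parameter and the log lines are all constructed here; only the 400 response bodies are copied from the verified responses quoted in this bug.

```python
import json
import logging
import re

log = logging.getLogger("logs_handler_example")


class FakeDataError(Exception):
    """Constructed stand-in for a driver error (such as psycopg2.DataError)
    whose message embeds the statement that failed."""


def query_node_logs(node_id):
    """Constructed data layer. Only a real integer id is accepted; any other
    value raises an error whose text carries SQL, mirroring the 'Before'
    output quoted in this bug."""
    if not isinstance(node_id, int):
        raise FakeDataError(
            f"invalid input syntax for integer: {node_id!r} "
            "[SQL: 'SELECT nodes.id AS nodes_id FROM nodes WHERE nodes.id = %(param_1)s']"
        )
    return [f"constructed log line for node {node_id}"]


def handle_logs_request_before(params, query=query_node_logs):
    """Pre-fix shape: the raw query-string value reaches the database and
    whatever the driver raised is echoed back to the client."""
    try:
        return 200, {"entries": query(params.get("node"))}
    except Exception as exc:
        return 500, {"message": str(exc), "errors": []}


NODE_ID_RE = re.compile(r"[0-9]+\Z")  # accepts "12"; rejects "1'", "", "1 OR 1"


def _error(status, message):
    return status, {"message": message, "errors": []}


def handle_logs_request(params, development=False, query=query_node_logs):
    """Hardened shape. params is a dict of decoded query-string values;
    returns (status, body) where body is the JSON-serialisable response."""
    try:
        if not params.get("source"):
            return _error(400, "'source' must be specified")
        raw = params.get("node")
        if raw is None or not NODE_ID_RE.match(raw):
            # First fix: reject before any SQL runs instead of letting the
            # driver fail on a non-integer id.
            return _error(400, "Invalid 'node' value")
        return 200, {"entries": query(int(raw))}
    except Exception as exc:
        # Second fix: keep the detail in the server log, not in the response,
        # unless the service is explicitly running in development mode.
        log.exception("unhandled exception while serving /api/logs")
        if development:
            return _error(500, str(exc))
        return _error(500, "Internal server error")


if __name__ == "__main__":
    bad = {"node": "1'", "source": "install/puppet"}
    print("before:", json.dumps(handle_logs_request_before(bad)))
    print("after: ", json.dumps(handle_logs_request(bad)))
```

The `query` parameter exists only so the unhandled-exception path can be exercised without a database: pass any callable that raises and compare the production and development responses. The generic "Internal server error" text is an assumption; the page only shows that 6.0 returned a short message of that kind.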
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-web (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/327541

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-web (stable/mitaka)

Reviewed: https://review.openstack.org/327541
Committed: https://git.openstack.org/cgit/openstack/fuel-web/commit/?id=c61fbc616fc6763c358ad70dac37341f65ddcb19
Submitter: Jenkins
Branch: stable/mitaka

commit c61fbc616fc6763c358ad70dac37341f65ddcb19
Author: Alex Schultz <email address hidden>
Date: Wed Jun 8 12:55:31 2016 -0600

    Do not print unhandled exception if in production

    This change removes the printing of unhandled exceptions when not in
    development mode. We should never return the unhandled exception
    information when not in development mode.

    Change-Id: I820f5682d0fac292722a9f205965516771333a4d
    Closes-Bug: #1585160
    (cherry picked from commit f121a0c3225b86e59c347c57b9a1c5383dc8127e)

tags: added: on-verification
Oleksiy Molchanov (omolchanov) wrote :

Verified on #465. Passed.

tags: removed: on-verification
tags: added: feature-security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-web (stable/8.0)

Fix proposed to branch: stable/8.0
Review: https://review.openstack.org/332717

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/8.0
Review: https://review.openstack.org/332732

OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-web (stable/7.0)

Fix proposed to branch: stable/7.0
Review: https://review.openstack.org/333413

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/7.0
Review: https://review.openstack.org/333416

OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-web (stable/6.1)

Fix proposed to branch: stable/6.1
Review: https://review.openstack.org/336035

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/6.1
Review: https://review.openstack.org/336036

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-web (stable/6.1)

Reviewed: https://review.openstack.org/336036
Committed: https://git.openstack.org/cgit/openstack/fuel-web/commit/?id=8269d6d91a522fc79d1ec93a4396644288e26a65
Submitter: Jenkins
Branch: stable/6.1

commit 8269d6d91a522fc79d1ec93a4396644288e26a65
Author: Alex Schultz <email address hidden>
Date: Mon Jun 6 20:43:03 2016 -0600

    Validate node id for log handler

    This change updates the log handler to validate that the node id being
    passed in is an integer. If it is not an integer, the response will be a
    400.

    Change-Id: Ida7a18a7261bf7fa98518a059d1de42690382d79
    Closes-Bug: #1585160
    (cherry picked from commit dd670526abc95e5c15e332ff06276180a41f5af0)

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/336035
Committed: https://git.openstack.org/cgit/openstack/fuel-web/commit/?id=dfb0766b596a3a92eedf197695187744c8730ade
Submitter: Jenkins
Branch: stable/6.1

commit dfb0766b596a3a92eedf197695187744c8730ade
Author: Georgy Kibardin <email address hidden>
Date: Thu Mar 24 14:42:48 2016 +0300

    Do not print unhandled exception if in production

    This change removes the printing of unhandled exceptions when not in
    development mode. We should never return the unhandled exception
    information when not in development mode.

    Logging nailgun exceptions
    Now there is a special "processor" devoted to this

    Change-Id: I820f5682d0fac292722a9f205965516771333a4d
    Closes-Bug: #1585160
    (cherry picked from commit ffcc5b59e9dab0abb49173d2c43e092e26b20a37)

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-web (stable/7.0)

Reviewed: https://review.openstack.org/333416
Committed: https://git.openstack.org/cgit/openstack/fuel-web/commit/?id=dd670526abc95e5c15e332ff06276180a41f5af0
Submitter: Jenkins
Branch: stable/7.0

commit dd670526abc95e5c15e332ff06276180a41f5af0
Author: Alex Schultz <email address hidden>
Date: Mon Jun 6 20:43:03 2016 -0600

    Validate node id for log handler

    This change updates the log handler to validate that the node id being
    passed in is an integer. If it is not an integer, the response will be a
    400.

    Change-Id: Ida7a18a7261bf7fa98518a059d1de42690382d79
    Closes-Bug: #1585160
    (cherry picked from commit 97917947549274fb54f58342eb7740249bd5ce0a)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-web (stable/6.0)

Fix proposed to branch: stable/6.0
Review: https://review.openstack.org/338159

Sergii Rizvan (srizvan) wrote :

For 6.0 the bug isn't reproduced.
If we try to send a wrong request to the API like this:
http://<IP ADDRESS>:8000/api/logs?node=1'&source=install/puppet&level=INFO&_=1467796878668
we will receive a simple message without SQL output:
'internal server error'
That's why I am about to close the bug for 6.0 as invalid and abandon the fix for 6.0.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on fuel-web (stable/6.0)

Change abandoned by Sergii Rizvan (<email address hidden>) on branch: stable/6.0
Review: https://review.openstack.org/338159
Reason: The bug isn't reproduced on 6.0. That's why I'm abandoning this change.

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-web (stable/7.0)

Reviewed: https://review.openstack.org/333413
Committed: https://git.openstack.org/cgit/openstack/fuel-web/commit/?id=ffcc5b59e9dab0abb49173d2c43e092e26b20a37
Submitter: Jenkins
Branch: stable/7.0

commit ffcc5b59e9dab0abb49173d2c43e092e26b20a37
Author: Georgy Kibardin <email address hidden>
Date: Thu Mar 24 14:42:48 2016 +0300

    Do not print unhandled exception if in production

    This change removes the printing of unhandled exceptions when not in
    development mode. We should never return the unhandled exception
    information when not in development mode.

    Logging nailgun exceptions
    Now there is a special "processor" devoted to this

    Change-Id: I820f5682d0fac292722a9f205965516771333a4d
    Closes-Bug: #1585160
    (cherry picked from commit 8b3679c5abc3baefd22840ce32d37731f6bb00bb)

tags: added: on-verification
Dmitry Belyaninov (dbelyaninov) wrote :

Verified on 6.1 MU7

http://172.16.168.102:8000/api/logs?node=1'&source=install/puppet&level=INFO&_=1467796878668

Before:
(DataError) invalid input syntax for integer: "2'" LINE 3: WHERE nodes.id = '2''' ^ 'SELECT nodes.id AS nodes_id, nodes.uuid AS nodes_uuid, nodes.cluster_id AS nodes_cluster_id, nodes.group_id AS nodes_group_id, nodes.name AS nodes_name, nodes.status AS nodes_status, nodes.meta AS nodes_meta, nodes.mac AS nodes_mac, nodes.ip AS nodes_ip, nodes.fqdn AS nodes_fqdn, nodes.manufacturer AS nodes_manufacturer, nodes.platform_name AS nodes_platform_name, nodes.kernel_params AS nodes_kernel_params, nodes.progress AS nodes_progress, nodes.os_platform AS nodes_os_platform, nodes.pending_addition AS nodes_pending_addition, nodes.pending_deletion AS nodes_pending_deletion, nodes.error_type AS nodes_error_type, nodes.error_msg AS nodes_error_msg, nodes.timestamp AS nodes_timestamp, nodes.online AS nodes_online, nodes.agent_checksum AS nodes_agent_checksum, nodes.replaced_deployment_info AS nodes_replaced_deployment_info, nodes.replaced_provisioning_info AS nodes_replaced_provisioning_info \nFROM nodes \nWHERE nodes.id = %(param_1)s' {'param_1': u"2'"}

After:
{"message": "Invalid 'node' value", "errors": []}

tags: removed: on-verification
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-web (stable/8.0)

Reviewed: https://review.openstack.org/332732
Committed: https://git.openstack.org/cgit/openstack/fuel-web/commit/?id=97917947549274fb54f58342eb7740249bd5ce0a
Submitter: Jenkins
Branch: stable/8.0

commit 97917947549274fb54f58342eb7740249bd5ce0a
Author: Alex Schultz <email address hidden>
Date: Mon Jun 6 20:43:03 2016 -0600

    Validate node id for log handler

    This change updates the log handler to validate that the node id being
    passed in is an integer. If it is not an integer, the response will be a
    400.

    Change-Id: Ida7a18a7261bf7fa98518a059d1de42690382d79
    Closes-Bug: #1585160
    (cherry picked from commit 65979423b625b5665a69a588ac96ac29a71ea5db)

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/332717
Committed: https://git.openstack.org/cgit/openstack/fuel-web/commit/?id=8b3679c5abc3baefd22840ce32d37731f6bb00bb
Submitter: Jenkins
Branch: stable/8.0

commit 8b3679c5abc3baefd22840ce32d37731f6bb00bb
Author: Georgy Kibardin <email address hidden>
Date: Thu Mar 24 14:42:48 2016 +0300

    Do not print unhandled exception if in production

    This change removes the printing of unhandled exceptions when not in
    development mode. We should never return the unhandled exception
    information when not in development mode.

    Logging nailgun exceptions
    Now there is a special "processor" devoted to this

    Change-Id: I820f5682d0fac292722a9f205965516771333a4d
    Closes-Bug: #1585160
    (cherry picked from commit c61fbc616fc6763c358ad70dac37341f65ddcb19)

tags: added: on-verification
Ekaterina Shutova (eshutova) wrote :

Verified on MOS 7.0 + MU5 updates.

Try: http://10.109.10.2:8000/api/logs?node=1'&source=install/puppet&level=INFO&_=1467796878668
Before:
(DataError) invalid input syntax for integer: "1'" LINE 3: WHERE nodes.id = '1''' ^ 'SELECT nodes.id AS nodes_id, nodes.uuid AS nodes_uuid, nodes.cluster_id AS nodes_cluster_id, nodes.group_id AS nodes_group_id, nodes.name AS nodes_name, nodes.status AS nodes_status, nodes.meta AS nodes_meta, nodes.mac AS nodes_mac, nodes.ip AS nodes_ip, nodes.hostname AS nodes_hostname, nodes.manufacturer AS nodes_manufacturer, nodes.platform_name AS nodes_platform_name, nodes.kernel_params AS nodes_kernel_params, nodes.progress AS nodes_progress, nodes.os_platform AS nodes_os_platform, nodes.pending_addition AS nodes_pending_addition, nodes.pending_deletion AS nodes_pending_deletion, nodes.error_type AS nodes_error_type, nodes.error_msg AS nodes_error_msg, nodes.timestamp AS nodes_timestamp, nodes.online AS nodes_online, nodes.labels AS nodes_labels, nodes.roles AS nodes_roles, nodes.pending_roles AS nodes_pending_roles, nodes.primary_roles AS nodes_primary_roles, nodes.agent_checksum AS nodes_agent_checksum, nodes.replaced_deployment_info AS nodes_replaced_deployment_info, nodes.replaced_provisioning_info AS nodes_replaced_provisioning_info, nodes.network_template AS nodes_network_template, nodes.extensions AS nodes_extensions \nFROM nodes \nWHERE nodes.id = %(param_1)s' {'param_1': u"1'"}
After:
{"message": "Invalid 'node' value", "errors": []}

tags: removed: on-verification
tags: added: on-verification
Ekaterina Shutova (eshutova) wrote :

Verified on MOS 7.0 + MU5 updates.

Try: http://10.109.15.2:8000/api/logs?node=1'&source=install/puppet&level=INFO&_=1467796878668
Before:
(psycopg2.DataError) invalid input syntax for integer: "1'" LINE 3: WHERE nodes.id = '1''' ^ [SQL: 'SELECT nodes.id AS nodes_id, nodes.uuid AS nodes_uuid, nodes.cluster_id AS nodes_cluster_id, nodes.group_id AS nodes_group_id, nodes.name AS nodes_name, nodes.status AS nodes_status, nodes.meta AS nodes_meta, nodes.mac AS nodes_mac, nodes.ip AS nodes_ip, nodes.hostname AS nodes_hostname, nodes.manufacturer AS nodes_manufacturer, nodes.platform_name AS nodes_platform_name, nodes.kernel_params AS nodes_kernel_params, nodes.progress AS nodes_progress, nodes.os_platform AS nodes_os_platform, nodes.pending_addition AS nodes_pending_addition, nodes.pending_deletion AS nodes_pending_deletion, nodes.error_type AS nodes_error_type, nodes.error_msg AS nodes_error_msg, nodes.timestamp AS nodes_timestamp, nodes.online AS nodes_online, nodes.labels AS nodes_labels, nodes.roles AS nodes_roles, nodes.pending_roles AS nodes_pending_roles, nodes.primary_roles AS nodes_primary_roles, nodes.agent_checksum AS nodes_agent_checksum, nodes.replaced_deployment_info AS nodes_replaced_deployment_info, nodes.replaced_provisioning_info AS nodes_replaced_provisioning_info, nodes.network_template AS nodes_network_template, nodes.extensions AS nodes_extensions \nFROM nodes \nWHERE nodes.id = %(param_1)s'] [parameters: {'param_1': u"1'"}]

After:
{"message": "Invalid 'node' value", "errors": []}

tags: removed: on-verification
tags: added: on-verification
Ekaterina Shutova (eshutova) wrote :

Verified on 10.1 #1578.
[root@nailgun ~]# curl -s -X GET -H "X-Auth-Token: $VALID_TOKEN" http://10.109.10.2:8000/api/logs?node=1&source=install/puppet&level=INFO&_=1467796878668
[1] 19666
[2] 19667
[3] 19668
[root@nailgun ~]# {"message": "'source' must be specified", "errors": []}

tags: removed: on-verification
Changed in fuel:
status: Fix Committed → Fix Released
Maksim Malchuk (mmalchuk) wrote :

Ekaterina, you actually didn't test the whole URL, because you forgot to enclose it in quotes.

tags: added: on-verification
Changed in fuel:
status: Fix Released → Fix Committed
Ekaterina Shutova (eshutova) wrote :

Re-verified on 10.1 #1578.
We get a "400 bad request" status code in response to http://10.109.15.2:8000/api/logs?node=1'&source=install/puppet&level=INFO&_=1467796878668
Screenshot is attached.

Changed in fuel:
status: Fix Committed → Fix Released
tags: removed: on-verification
Maksim Malchuk (mmalchuk) wrote :

You've got the 400 error due to invalid (reserved) characters in the url. At least two characters: apostrophe and slash. Both must be percent-encoded. https://en.wikipedia.org/wiki/Percent-encoding#Percent-encoding_reserved_characters

This report contains Public Security information  
Everyone can see this security related information.