I was looking at the migrations api, and I noticed that the api passes the request query unchecked to get_migrations, where it ultimately ends up in a db query. I was curious and spent a couple of hours checking this morning. There are a few instances of this.
I didn't find any security bugs, however I feel that this is extremely bad practice, and is likely to result in a security bug eventually. For example, note that os-assisted-volume-snapshots:delete does not validate delete_info before passing it to volume_snapshot_delete. I looked at this quite carefully, and I think we are only protected from a host compromise because:

1. The api requires admin context
2. libvirt's security policy

I could be wrong on that, though, so perhaps somebody else could check?

Passing unvalidated input to a function isn't necessarily bad, for example if it is only used for filtering, but it should be clearly marked as such so it isn't used in an unsafe manner. This marking should follow the data as far as it goes through any number of function calls. libvirt's _volume_snapshot_delete function is a long way from the originating api call, and it is not at all obvious that the commit_base and commit_top arguments to virt_dom.blockCommit() are unvalidated.

Does python have anything like perl's taint mode? If so, it might be worth investigating its use.

Matt

-- 
Matthew Booth
Red Hat Engineering, Virtualisation Team

Phone: +442070094448 (UK)
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
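Python has no built-in equivalent of Perl's taint mode, but the marking Matt describes (untrusted data carries a flag through any number of calls, and only explicit validation removes it) can be approximated in the language itself. The following is an added example, not code from the post or from Nova/libvirt: a Tainted str subclass applied at the API boundary, an untaint() step that is the only way to get a plain str back, and a hypothetical block_commit() sink standing in for a privileged call such as virt_dom.blockCommit() that refuses tainted arguments. The function and key names (handle_delete, volume_snapshot_delete, merge_target_file, file_to_merge) and the allowed path root are constructed for the example.

```python
"""Added example: poor man's taint tracking for request data in Python.

Not from the original post or from the Nova project. All names here are
hypothetical; ALLOWED_ROOT is a constructed value for the example.
"""
import posixpath


class TaintError(ValueError):
    """Raised when untrusted data reaches a sink, or fails validation."""


class Tainted(str):
    """A str that remembers it came from an untrusted source (e.g. a request).

    Common string operations return Tainted so the mark follows the value.
    Caveat: some operations (str.join, f-strings, '%' formatting) build a
    brand-new plain str and lose the mark, so the sink check below is the
    real safety net, not the propagation.
    """
    __slots__ = ()

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        # Called for "prefix" + tainted because Tainted subclasses str.
        return Tainted(str.__add__(other, self))

    def __getitem__(self, key):
        return Tainted(str.__getitem__(self, key))


# Wrap a few common transforming methods so they keep the mark.
def _propagating(name):
    def method(self, *args):
        return Tainted(getattr(str, name)(self, *args))
    method.__name__ = name
    return method


for _name in ("strip", "lstrip", "rstrip", "lower", "upper", "replace"):
    setattr(Tainted, _name, _propagating(_name))


def untaint(value, validator):
    """The only legitimate way to drop the mark: validate, then return a plain str."""
    if not isinstance(value, Tainted):
        return value
    if not validator(value):
        raise TaintError(f"rejected untrusted value: {value!r}")
    return str(value)  # str() on a subclass instance yields an exact str


ALLOWED_ROOT = "/var/lib/nova/instances"  # constructed for the example


def is_safe_snapshot_path(path):
    """Absolute, already-normalised (no '..' or '//'), and under ALLOWED_ROOT."""
    normalised = posixpath.normpath(path)
    return path == normalised and normalised.startswith(ALLOWED_ROOT + "/")


def block_commit(domain, disk, base, top):
    """Hypothetical stand-in for a privileged backend call (virt_dom.blockCommit()).

    Refuses tainted arguments even if every caller forgot to validate.
    """
    for name, arg in (("base", base), ("top", top)):
        if isinstance(arg, Tainted):
            raise TaintError(f"{name} reached a privileged sink unvalidated")
    return f"blockCommit({domain}, {disk}, base={base}, top={top})"


def handle_delete(request_body):
    """API layer: mark every request string as tainted at the boundary."""
    delete_info = {
        key: Tainted(val) if isinstance(val, str) else val
        for key, val in request_body["delete_info"].items()
    }
    return volume_snapshot_delete("dom-1", "vda", delete_info)


def volume_snapshot_delete(domain, disk, delete_info):
    """Several calls away from the API: validation is explicit and visible here."""
    base = untaint(delete_info["merge_target_file"], is_safe_snapshot_path)
    top = untaint(delete_info["file_to_merge"], is_safe_snapshot_path)
    return block_commit(domain, disk, base, top)


def volume_snapshot_delete_forgotten(domain, disk, delete_info):
    """The mistake the post warns about: values passed straight through.

    The sink's taint check is what stops it.
    """
    return block_commit(domain, disk,
                        delete_info["merge_target_file"],
                        delete_info["file_to_merge"])


if __name__ == "__main__":
    # Constructed sample request bodies.
    good = {"delete_info": {"merge_target_file": ALLOWED_ROOT + "/abc/disk",
                            "file_to_merge": ALLOWED_ROOT + "/abc/disk.snap"}}
    bad = {"delete_info": {"merge_target_file": ALLOWED_ROOT + "/../../../etc/passwd",
                           "file_to_merge": ALLOWED_ROOT + "/abc/disk.snap"}}
    print(handle_delete(good))
    for body in (bad,):
        try:
            handle_delete(body)
        except TaintError as exc:
            print("rejected:", exc)
```

The point of the design is that validation becomes a named, greppable step (untaint) rather than something a reader has to infer from how far a value has travelled, and that a sink with a taint check fails closed when that step is missing. A str subclass cannot track everything: joins and formatting produce plain strings, so this is a review aid and a defence in depth, not a proof.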
