Re: [openstack-dev] [Nova][Horizon] Is there precedent for validating user input on data types to APIs?
This looks like a good place to add a test to tempest to tickle the same behavior that horizon is driving. I expect this is another issue where we are expecting MySQL type coercion for the db, and something that will be exposed on the Postgresql Tempest run upstream. We have a standard pattern of fixing those in nova once we've got a test to demonstrate it. Longer term we really need to be doing more front-side validation; perhaps the new v3 framework will let us get there more easily.

-Sean

On 07/14/2013 11:27 PM, Gabriel Hurley wrote:

I responded on the ticket as well, but here's my take: An error like this should absolutely be caught before it raises a database error. A useful, human-friendly error message should be returned via the API. Any uncaught exception is a bug.

On the other side of the equation, anything using the API (such as Horizon) should do its best to pre-validate the input, but if invalid input *is* sent it should be handled well. The best way to let Horizon devs know what the problem is is for the API to return an intelligent failure.

All the best,

-Gabriel

From: Dirk Müller [mailto:d...@dmllr.de]
Sent: Sunday, July 14, 2013 5:20 PM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] [Nova][Horizon] Is there precedent for validating user input on data types to APIs?

Hi Matt,

Given that the Nova API is public, this needs to be validated in the API, otherwise the security guys are unhappy. Of course the API shouldn't get bad data in the first place. That's a bug in nova client. I have sent reviews for both code fixes but I've not seen any serious reaction or approval on those for two weeks. Eventually somebody is going to look at it, I guess.

Greetings,
Dirk

--
Sean Dague
http://dague.net

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
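The thread's point is that a type error such as an empty string sent for an integer field must be rejected at the API layer with a clear message, rather than being left for the database to coerce or reject depending on the backend. The example below is an added illustration, not Nova's own validation code or the fix referenced in the reviews: the field name `flavor_ref`, the schema shape, the handler and the error-body format are assumptions. It shows a small schema check that turns `""` into a 400-style response before any DB call, and a side-by-side demonstration with SQLite (used only as a stand-in for a lenient backend) of what "silent coercion" at the database looks like when no validation runs.

```python
"""Added example: front-side validation of an integer API field.

Illustrative code, not Nova's own. The field name `flavor_ref`, the
schema, the handler and the error format are assumptions made for the
example. Requires only the Python standard library.
"""
import re
import sqlite3
from typing import Any, Dict, List, Tuple

# Constructed schema for the example: one required integer field with
# a lower bound, mirroring "the DB expects an integer" from the thread.
SCHEMA: Dict[str, Dict[str, Any]] = {
    "flavor_ref": {"type": "integer", "required": True, "minimum": 1},
}

_INT_RE = re.compile(r"^-?\d+$")


def validate_body(body: Dict[str, Any],
                  schema: Dict[str, Dict[str, Any]]
                  ) -> Tuple[List[str], Dict[str, Any]]:
    """Return (errors, cleaned_body).

    An empty error list means the body is valid. Integer fields accept a
    real int or an unambiguous digit string such as "5" (clients commonly
    send numbers as strings) and reject everything else, including "",
    with a message that names the field and the value received.
    """
    errors: List[str] = []
    cleaned: Dict[str, Any] = {}
    for name, rule in schema.items():
        if name not in body:
            if rule.get("required"):
                errors.append(f"'{name}' is required")
            continue
        value = body[name]
        if rule["type"] == "integer":
            # bool is a subclass of int in Python; refuse it explicitly.
            if isinstance(value, bool):
                errors.append(f"'{name}' must be an integer, got boolean")
                continue
            if isinstance(value, str) and _INT_RE.match(value.strip()):
                value = int(value.strip())
            if not isinstance(value, int):
                shown = "empty string" if value == "" else repr(value)
                errors.append(f"'{name}' must be an integer, got {shown}")
                continue
            if "minimum" in rule and value < rule["minimum"]:
                errors.append(f"'{name}' must be >= {rule['minimum']}")
                continue
        cleaned[name] = value
    return errors, cleaned


def create_server(body: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    """Simulated API handler: returns (HTTP status, response body).

    Invalid input never reaches the 'database' step; the client gets a
    400 with a human-readable message instead of a 500 from an uncaught
    DB exception.
    """
    errors, cleaned = validate_body(body, SCHEMA)
    if errors:
        return 400, {"badRequest": {"code": 400, "message": "; ".join(errors)}}
    # A real handler would persist `cleaned` here; we echo it back.
    return 202, {"server": cleaned}


def store_unvalidated(value: Any) -> str:
    """What happens when the raw value goes straight to a lenient DB.

    SQLite is used here purely as a stand-in: its INTEGER affinity keeps
    '' as TEXT without error, much as MySQL (non-strict) coerces rather
    than rejects. Returns the stored column's SQLite type name so the
    silent mismatch is visible. A strict backend such as PostgreSQL would
    raise instead, which is the backend-dependent failure the thread
    describes.
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE instances (flavor_ref INTEGER NOT NULL)")
    con.execute("INSERT INTO instances (flavor_ref) VALUES (?)", (value,))
    (stored_type,) = con.execute(
        "SELECT typeof(flavor_ref) FROM instances").fetchone()
    con.close()
    return stored_type


if __name__ == "__main__":
    for sample in ({"flavor_ref": ""}, {"flavor_ref": "5"}, {}):
        print(sample, "->", create_server(sample))
    print("unvalidated '' stored as:", store_unvalidated(""))
```

The validator is deliberately strict about what it coerces: a digit-only string is accepted because that is how a client such as Horizon typically serialises a form field, but `""`, `"abc"`, booleans and out-of-range values are all turned into a 400 with the offending field named, which is the "intelligent failure" a UI developer can act on.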
[openstack-dev] [Nova][Horizon] Is there precedent for validating user input on data types to APIs?
I'm triaging nova bug 1199539 and trying to determine if this should be routed to Horizon, checked in the nova API layer, or just rejected as a usage error. In this case, the DB expects an integer but an empty string is being passed in from the user via Horizon. I don't know if Horizon is doing type checking on user input already and if so, we should just route to Horizon? Or if this is something to check in the nova code itself (or just reject it)?

Thanks,

MATT RIEDEMANN
Advisory Software Engineer
Cloud Solutions and OpenStack Development
Phone: 1-507-253-7622 | Mobile: 1-507-990-1889
E-mail: mrie...@us.ibm.com
3605 Hwy 52 N
Rochester, MN 55901-1407
United States
Re: [openstack-dev] [Nova][Horizon] Is there precedent for validating user input on data types to APIs?
I responded on the ticket as well, but here's my take: An error like this should absolutely be caught before it raises a database error. A useful, human-friendly error message should be returned via the API. Any uncaught exception is a bug.

On the other side of the equation, anything using the API (such as Horizon) should do its best to pre-validate the input, but if invalid input *is* sent it should be handled well. The best way to let Horizon devs know what the problem is is for the API to return an intelligent failure.

All the best,

- Gabriel

From: Dirk Müller [mailto:d...@dmllr.de]
Sent: Sunday, July 14, 2013 5:20 PM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] [Nova][Horizon] Is there precedent for validating user input on data types to APIs?

Hi Matt,

Given that the Nova API is public, this needs to be validated in the API, otherwise the security guys are unhappy. Of course the API shouldn't get bad data in the first place. That's a bug in nova client. I have sent reviews for both code fixes but I've not seen any serious reaction or approval on those for two weeks. Eventually somebody is going to look at it, I guess.

Greetings,
Dirk