Public bug reported:

This report is based on the Bandit scanner results and code review.

1) 
On 
https://git.openstack.org/cgit/openstack/nova/tree/nova/virt/powervm/media.py?h=refs/heads/master#n44

43 _VOPT_SIZE_GB = 1
44 _VOPT_TMPDIR = '/tmp/cfgdrv/'
45

We have a hardcoded tmp dir that could be cleaned up after a compute node reboot.
As mentioned in the TODO, it might be good to use a conf option.

2) 
On 
https://git.openstack.org/cgit/openstack/nova/tree/nova/virt/powervm/media.py?h=refs/heads/master#n116
A predictable file name based on user input is used:
116        file_name = pvm_util.sanitize_file_name_for_api(
117            instance.name, prefix='cfg_', suffix='.iso',
118            max_len=pvm_const.MaxLen.VOPT_NAME)
Probably we could use instance.uuid for that.

** Affects: nova
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1771538

Title:
  PowerVM config drive path is not secure

Status in OpenStack Compute (nova):
  New
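The two points above side by side, as an added example that is not nova's or pypowervm's code: the fixed-/tmp, instance.name-derived path the report quotes next to a variant rooted at a configured directory and keyed on instance.uuid. The sanitizer, the Instance class, the 37-character VOPT_NAME limit and the CONF.powervm.vopt_tmpdir option name are stand-ins assumed for this example; the real sanitizer is pypowervm's pvm_util.sanitize_file_name_for_api.

```python
"""Added example, not nova's or pypowervm's code: contrast the config drive
path construction quoted in the bug with a hardened variant.  The sanitizer,
Instance class, MaxLen value and config-option name are stand-ins written
for this example."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass

VOPT_NAME_MAX_LEN = 37         # assumed value of pvm_const.MaxLen.VOPT_NAME
_VOPT_TMPDIR = '/tmp/cfgdrv/'  # the fixed directory the report points at


@dataclass
class Instance:          # stand-in for the nova instance object
    name: str            # user-chosen, may repeat across tenants
    uuid: str            # assigned by nova, unique


def sanitize_file_name_for_api(name, prefix='', suffix='', max_len=VOPT_NAME_MAX_LEN):
    """Stand-in for pvm_util.sanitize_file_name_for_api: keep [A-Za-z0-9_.-],
    replace anything else with '_', truncate so prefix+body+suffix fits."""
    body = re.sub(r'[^A-Za-z0-9_.-]', '_', name)
    room = max_len - len(prefix) - len(suffix)
    if room < 1:
        raise ValueError('prefix and suffix leave no room for the name')
    return prefix + body[:room] + suffix


def vulnerable_iso_path(instance):
    """Pattern quoted in the report: fixed /tmp directory, name derived from
    instance.name.  Two instances with the same name collide, and anyone
    who knows the instance name knows the path."""
    file_name = sanitize_file_name_for_api(
        instance.name, prefix='cfg_', suffix='.iso', max_len=VOPT_NAME_MAX_LEN)
    return os.path.join(_VOPT_TMPDIR, file_name)


def hardened_iso_path(instance, base_dir):
    """Name from instance.uuid (hyphens dropped; the sanitizer still truncates
    it to fit VOPT_NAME, but the kept part is not user-chosen), rooted at a
    directory taken from configuration instead of /tmp."""
    file_name = sanitize_file_name_for_api(
        instance.uuid.replace('-', ''), prefix='cfg_', suffix='.iso',
        max_len=VOPT_NAME_MAX_LEN)
    return os.path.join(base_dir, file_name)


def ensure_private_dir(base_dir):
    """Create base_dir (e.g. a hypothetical CONF.powervm.vopt_tmpdir) with
    mode 0700 and refuse it if it is a symlink, owned by someone else, or
    group/other accessible: the conditions a shared /tmp cannot rule out."""
    os.makedirs(base_dir, mode=0o700, exist_ok=True)
    st = os.lstat(base_dir)
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        raise RuntimeError('%s is not a plain directory' % base_dir)
    if st.st_uid != os.geteuid():
        raise RuntimeError('%s is owned by uid %d, not us' % (base_dir, st.st_uid))
    if st.st_mode & 0o077:
        raise RuntimeError('%s is accessible to other users' % base_dir)
    return base_dir


def create_iso_file(path):
    """Create the ISO exclusively: with O_EXCL a pre-existing file or symlink
    at the path is an error rather than something silently overwritten or
    followed (open(2) rejects a symlink here regardless of its target)."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, 'O_NOFOLLOW', 0)
    fd = os.open(path, flags, 0o600)
    os.close(fd)
    return path


def demo():
    """Run the scenario in a fresh private directory with constructed
    instance values and report what each path did."""
    a = Instance(name='web-1', uuid='0b2f1c8a-5e0d-4c8e-9a1a-1f7d2e3c4b5a')
    b = Instance(name='web-1', uuid='7c1d9e2b-3a4f-4d6e-8b2c-9e0f1a2b3c4d')
    base = ensure_private_dir(tempfile.mkdtemp(prefix='cfgdrv-'))
    results = {
        'vulnerable_collide': vulnerable_iso_path(a) == vulnerable_iso_path(b),
        'hardened_collide': hardened_iso_path(a, base) == hardened_iso_path(b, base),
        'hardened_name': os.path.basename(hardened_iso_path(a, base)),
    }
    create_iso_file(hardened_iso_path(a, base))
    try:                                   # second creation of the same ISO
        create_iso_file(hardened_iso_path(a, base))
        results['second_create'] = 'overwrote'
    except FileExistsError:
        results['second_create'] = 'refused'
    os.symlink('/nonexistent-target', hardened_iso_path(b, base))  # pre-planted
    try:
        create_iso_file(hardened_iso_path(b, base))
        results['symlink'] = 'followed'
    except FileExistsError:
        results['symlink'] = 'refused'
    os.chmod(base, 0o777)                  # directory opened up to everyone
    try:
        ensure_private_dir(base)
        results['open_dir'] = 'accepted'
    except RuntimeError:
        results['open_dir'] = 'refused'
    return results


if __name__ == '__main__':
    print(demo())
```

The uuid-based name still goes through the same length limit, so it is truncated to 29 hex characters; that keeps it unique for practical purposes while removing the tenant's control over the file name. The directory checks and O_EXCL creation are the part a configurable directory alone does not give you.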