[openstack-dev] [security] Script injection issue

TommyLike Hu tommylikehu at gmail.com
Fri Nov 17 08:22:31 UTC 2017


Hey all,
     Recently when we integrating and testing OpenStack services. We found
there is a potential script injection issue that some of our services
accept the input with special character [1] [2], for instance we can create
an instance or a volume with the name of '<script>script inside</script>'.
One of the possible solutions is add HTML encode/decode support in Horizon,
but it's not guaranteed every OpenStack user is using Horizon. So should we
apply more strict restriction on user's input?
     Also, I found  Google Cloud have a strict and explicit restrction in
their instance insert API document [3].

[1]: Nova:
https://github.com/openstack/nova/blob/master/nova/api/validation/parameter_types.py#L148
[2]: Cinder:
https://github.com/openstack/cinder/blob/master/cinder/api/openstack/wsgi.py#L1253
[3]: Google Cloud:
https://cloud.google.com/compute/docs/reference/latest/instances/insert

Thanks
TommyLike.Hu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20171117/f57f38c4/attachment.html>


More information about the OpenStack-dev mailing list