[openstack-dev] [security] [api] Script injection issue

Adam Heczko aheczko at mirantis.com
Fri Nov 17 12:33:23 UTC 2017


Thanks TommyLike for this bug report. Sounds like Stored XSS [1].
Could you please share more details, e.g. branch / release, APIs tested
etc.?

[1] https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting

On Fri, Nov 17, 2017 at 12:36 PM, Davanum Srinivas <davanum at gmail.com>
wrote:

> Adding [api] to make sure the API (SIG?) sees this too
>
> On Fri, Nov 17, 2017 at 3:22 AM, TommyLike Hu <tommylikehu at gmail.com>
> wrote:
> > Hey all,
> >      Recently, when we were integrating and testing OpenStack services, we
> > found there is a potential script injection issue: some of our services
> > accept input with special characters [1] [2]; for instance we can create an
> > instance or a volume with the name '<script>script inside</script>'. One
> > of the possible solutions is to add HTML encode/decode support in Horizon,
> > but it's not guaranteed every OpenStack user is using Horizon. So should we
> > apply stricter restrictions on user input?
> >      Also, I found Google Cloud has a strict and explicit restriction in
> > their instance insert API document [3].
> >
> > [1]: Nova:
> > https://github.com/openstack/nova/blob/master/nova/api/validation/parameter_types.py#L148
> > [2]: Cinder:
> > https://github.com/openstack/cinder/blob/master/cinder/api/openstack/wsgi.py#L1253
> > [3]: Google Cloud:
> > https://cloud.google.com/compute/docs/reference/latest/instances/insert
> >
> > Thanks
> > TommyLike.Hu
> >
> >
> >
> > __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
>
>
>
> --
> Davanum Srinivas :: https://twitter.com/dims
>
>



-- 
Adam Heczko
Security Engineer @ Mirantis Inc.
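As an added illustration (not code from this thread, nor from Nova, Cinder or Horizon), here are the two defences the thread weighs against each other, side by side: a server-side allowlist for resource names, which protects every API consumer, and output encoding at the point a stored name is rendered into HTML, which protects only the one UI that applies it. The allowlist pattern is an assumption chosen for this example, not the projects' actual validation rule.

```python
import html
import re

# Allowlist for resource names. ASSUMPTION for this example only; it is not
# Nova's or Cinder's real rule. Unicode letters/digits are allowed so names
# are not ASCII-only, but markup characters (< > & " ' /) are not.
NAME_RE = re.compile(r"^\w[\w ._-]{0,254}$")

# Sample payload constructed from the thread's description.
PAYLOAD = "<script>script inside</script>"


def validate_resource_name(name: str) -> bool:
    """Server-side check: True only if the name matches the allowlist.

    Because this runs in the API, it covers Horizon, CLI and third-party
    clients alike, so a markup payload is never stored in the first place.
    """
    return NAME_RE.fullmatch(name) is not None


def render_row_unsafe(name: str) -> str:
    """Vulnerable pattern: a stored name interpolated straight into HTML.

    If the API accepted PAYLOAD, any UI doing this executes it on render.
    """
    return f"<td>{name}</td>"


def render_row_safe(name: str) -> str:
    """Client-side fix: HTML-encode at render time.

    quote=True also escapes ' and " so the value is safe inside a quoted
    attribute; it does NOT make the value safe inside a <script> block or a
    URL, which need their own context-specific encoding.
    """
    return f"<td>{html.escape(name, quote=True)}</td>"


if __name__ == "__main__":
    print(validate_resource_name("web-server-01"), validate_resource_name(PAYLOAD))
    print(render_row_unsafe(PAYLOAD))
    print(render_row_safe(PAYLOAD))
```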