[Openstack-security] [Bug 1414532] Re: asserts used in cache.py
OpenStack Infra
1414532 at bugs.launchpad.net
Thu May 28 20:41:53 UTC 2015
Reviewed: https://review.openstack.org/175043
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=29b282aa2428893bc227a4497b672214dd0412b8
Submitter: Jenkins
Branch: stable/juno
commit 29b282aa2428893bc227a4497b672214dd0412b8
Author: Geetika Batra <geetika791 at gmail.com>
Date: Tue Feb 24 04:32:51 2015 +0530
Replace assert statements with proper control-flow
When python is run with -O assert statements are optimized away.
Replacing them with proper control-flow statements (e.g., if, else,
elif) prevents the matcher from returning an invalid match.
Closes-bug: #1414532
Co-Authored-By: Ian Cordasco <ian.cordasco at rackspace.com>
Change-Id: I60b42d5a5d71602be7adc321406ea87dfcf93f46
(cherry picked from commit 6b92b537822539497bc0194fe753fe218d1c70f1)
** Tags added: in-stable-juno
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1414532
Title:
asserts used in cache.py
Status in OpenStack Image Registry and Delivery Service (Glance):
Fix Released
Status in OpenStack Security Advisories:
Won't Fix
Status in OpenStack Security Notes:
Fix Released
Bug description:
The asserts in the snippet below check at #2 to see if the HTTP method
match the HTTP methods actually specified in the patterns at #1.
/opt/stack/glance/glance/api/middleware/cache.py
PATTERNS = { <--- #1
('v1', 'GET'): re.compile(r'^/v1/images/([^\/]+)$'),
('v1', 'DELETE'): re.compile(r'^/v1/images/([^\/]+)$'),
('v2', 'GET'): re.compile(r'^/v2/images/([^\/]+)/file$'),
('v2', 'DELETE'): re.compile(r'^/v2/images/([^\/]+)$')
}
...
@staticmethod
def _match_request(request):
"""Determine the version of the url and extract the image id
:returns tuple of version and image id if the url is a
cacheable,
otherwise None
"""
for ((version, method), pattern) in PATTERNS.items():
match = pattern.match(request.path_info)
try:
assert request.method == method <--- #2
image_id = match.group(1)
# Ensure the image id we got looks like an image id to
filter
# out a URI like /images/detail. See LP Bug #879136
assert image_id != 'detail'
except (AttributeError, AssertionError):
continue
else:
return (version, method, image_id)
As stated in the Python documentation assert statements will not be evaluated
when the Python code is compiled with optimization flags. This means that these
checks will not be properly executed and one can in that case call a specific
method with a completely different HTTP verb. This can result in security
issues.
For example think of having some filtering in place in front of the glance API
to maybe allow only certain API queries to come from certain IP addresses. For
example: 'the HTTP verb DELETE may only be executed from this IP range'. An
attacker can now specify a completely different HTTP verb such as GET and make
sure he still matches regular expressions at #1 and then bypass the firewall.
It's a bit of a hypothetical scenario but in general one should never ever do
error checking with assert statemetns. This should only be done for things
which can never realistically fail and that is simply not an assumption one can
hold when it comes to untrusted input from the network.
For more information see
https://docs.python.org/2/reference/simple_stmts.html#the-assert-statement and
https://docs.python.org/2/using/cmdline.html#envvar-PYTHONOPTIMIZE
This seems to be related to https://bugs.launchpad.net/cinder/+bug/1199354 but it's not fixed and maybe it should even be a security issue hence why I reported it again and tagged as a security vulnerability. I am not familiar enough with the code base to make that call.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1414532/+subscriptions
More information about the Openstack-security
mailing list