[Openstack-security] [Bug 1490693] Re: session fails to sanitize response body of passwords
OpenStack Infra
1490693 at bugs.launchpad.net
Thu Oct 15 22:36:10 UTC 2015
Reviewed: https://review.openstack.org/233111
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=ec70eb02f8a5889828cde786694283240f64c5c4
Submitter: Jenkins
Branch: stable/kilo
commit ec70eb02f8a5889828cde786694283240f64c5c4
Author: Matt Riedemann <mriedem at us.ibm.com>
Date: Mon Aug 31 12:32:25 2015 -0700
Mask passwords when logging the HTTP response
We should sanitize the response body before logging to make sure we
aren't leaking through credentials like in the case of the response from
the os-initialize_connection volume API.
Closes-Bug: #1490693
NOTE(mriedem): The test is slightly different in kilo because the
_http_log_response method requires kwargs.
Change-Id: Ifd95d3fb624b4636fb72cc11762af62e00a026a0
(cherry picked from commit 3e26ff824801d5084791a52980021784e794e35f)
** Tags added: in-stable-kilo
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1490693
Title:
session fails to sanitize response body of passwords
Status in python-keystoneclient:
Fix Released
Bug description:
Seeing this in the n-cpu logs when nova calls the os-initialize_connection API via python-cinderclient and cinder returns a response body with credentials in it:
http://logs.openstack.org/66/218666/1/check/gate-tempest-dsvm-full/3ac1f2b/logs/screen-n-cpu.txt.gz#_2015-08-30_16_33_09_578
keystoneclient.session is logging the response body without sanitizing
it first.
2015-08-30 16:33:09.578 DEBUG keystoneclient.session [req-ff63c358-41b0-4aac-8d8c-e369d82a0d5e tempest-TestMinimumBasicScenario-472140388 tempest-TestMinimumBasicScenario-192291337] REQ: curl -g -i -X POST http://127.0.0.1:8776/v2/8a98625b8c5445afbc72496ce2f7ab7f/volumes/744d2085-8e78-40a5-8659-ef3cffb2480e/action -H "User-Agent: python-cinderclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}fbdcb6c88ebb8ec83181b62e338a1a4b909f7031" -d '{"os-initialize_connection": {"connector": {"initiator": "iqn.1993-08.org.debian:01:f991bccc0", "ip": "172.99.69.228", "platform": "x86_64", "host": "devstack-trusty-rax-iad-4640004", "os_type": "linux2", "multipath": false}}}' _http_log_request /usr/local/lib/python2.7/dist-packages/keystoneclient/session.py:195
2015-08-30 16:33:10.674 DEBUG keystoneclient.session [req-ff63c358-41b0-4aac-8d8c-e369d82a0d5e tempest-TestMinimumBasicScenario-472140388 tempest-TestMinimumBasicScenario-192291337] RESP: [200] content-length: 447 x-compute-request-id: req-747a68eb-f62e-4a43-aa8a-ff332c92783d connection: keep-alive date: Sun, 30 Aug 2015 16:33:10 GMT content-type: application/json x-openstack-request-id: req-747a68eb-f62e-4a43-aa8a-ff332c92783d
RESP BODY: {"connection_info": {"driver_volume_type": "iscsi", "data": {"auth_password": "FF5vCvAvks8iQ2Vx", "target_discovered": false, "encrypted": false, "qos_specs": null, "target_iqn": "iqn.2010-10.org.openstack:volume-744d2085-8e78-40a5-8659-ef3cffb2480e", "target_portal": "172.99.69.228:3260", "volume_id": "744d2085-8e78-40a5-8659-ef3cffb2480e", "target_lun": 1, "access_mode": "rw", "auth_username": "82tvLceDnfHjg6jrTwpq", "auth_method": "CHAP"}}}
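An added example (not keystoneclient's code and not the change in the commit above) of the kind of sanitization the fix describes: the JSON response body is walked recursively and the values of password-like keys such as auth_password are replaced before the body is handed to the logger, with a regex fallback for bodies that are not valid JSON. The key list, mask string and sample body are constructed for this example; the credential values in the sample are made up.

```python
import json
import re

# Key names (case-insensitive substring match) whose values must never reach
# a log. Constructed list for this example, not keystoneclient's.
SENSITIVE_KEYS = ("password", "secret", "token")
MASK = "***"


def _is_sensitive(key):
    lowered = str(key).lower()
    return any(s in lowered for s in SENSITIVE_KEYS)


def _mask(obj):
    """Return a copy of obj with values of sensitive keys replaced by MASK."""
    if isinstance(obj, dict):
        return {k: (MASK if _is_sensitive(k) else _mask(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_mask(v) for v in obj]
    return obj


# Fallback for non-JSON bodies: mask the value after a sensitive key written
# as "key": "value", key=value or key: value.
_FALLBACK = re.compile(
    r'("?[^"\s=:]*(?:password|secret|token)[^"\s=:]*"?\s*[:=]\s*)("[^"]*"|[^\s,}]+)',
    re.IGNORECASE,
)


def mask_password_in_body(body):
    """Return body with credential values masked, safe to pass to a logger."""
    try:
        return json.dumps(_mask(json.loads(body)), sort_keys=True)
    except ValueError:  # JSONDecodeError is a ValueError subclass
        return _FALLBACK.sub(lambda m: m.group(1) + '"%s"' % MASK, body)


# Constructed sample shaped like the os-initialize_connection response in the
# bug report. auth_username is left visible: the fix masks passwords only.
SAMPLE_BODY = json.dumps({"connection_info": {"driver_volume_type": "iscsi",
    "data": {"auth_password": "EXAMPLE-PASS", "auth_username": "EXAMPLE-USER",
             "auth_method": "CHAP", "target_lun": 1}}})

if __name__ == "__main__":
    print("RESP BODY: %s" % mask_password_in_body(SAMPLE_BODY))
```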