[openstack-dev] [Nova][Horizon] Is there precedent for validating user input on data types to APIs?

Gabriel Hurley Gabriel.Hurley at nebula.com
Mon Jul 15 03:27:12 UTC 2013


I responded on the ticket as well, but here’s my take:

An error like this should absolutely be caught before it raises a database error. A useful, human-friendly error message should be returned via the API. Any uncaught exception is a bug. On the other side of the equation, anything using the API (such as Horizon) should do its best to pre-validate the input, but if invalid input *is* sent it should be handled well. The best way to let Horizon devs know what the problem is is for the API to return an intelligent failure.

All the best,

- Gabriel

From: Dirk Müller [mailto:dirk at dmllr.de]
Sent: Sunday, July 14, 2013 5:20 PM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] [Nova][Horizon] Is there precedent for validating user input on data types to APIs?


Hi Matt,

Given that the Nova API is public, this needs to be validated in the API, otherwise the security guys are unhappy.

Of course the API shouldn't get bad data in the first place. That's a bug in nova client. I have sent reviews for both code fixes but I've not seen any serious reaction or approval on those for two weeks. Eventually somebody is going to look at it, I guess.

Greetings,
Dirk