[openstack-dev] [Nova][Horizon] Is there precedent for validating user input on data types to APIs?

Sean Dague sean at dague.net
Mon Jul 15 11:51:44 UTC 2013

This looks like a good place to add a test to tempest to tickle the same 
behavior that horizon is driving.

I expect this is another issue where we are expecting MySQL type 
coersion for the db, and something that will be exposed on the 
Postgresql Tempest run upstream. We have a standard pattern of fixing 
those in nova once we've got a test to demonstrate it.

Longer term we really need to be doing more front side validation, 
perhaps the new v3 framework will let us get there more easily.


On 07/14/2013 11:27 PM, Gabriel Hurley wrote:
> I responded on the ticket as well, but here’s my take:
> An error like this should absolutely be caught before it raises a
> database error. A useful, human-friendly error message should be
> returned via the API. Any uncaught exception is a bug. On the other side
> of the equation, anything using the API (such as Horizon) should do its
> best to pre-validate the input, but if invalid input **is** sent it
> should be handled well. The best way to let Horizon devs know what the
> problem is is for the API to return an intelligent failure.
> All the best,
> -Gabriel
> *From:*Dirk Müller [mailto:dirk at dmllr.de]
> *Sent:* Sunday, July 14, 2013 5:20 PM
> *To:* OpenStack Development Mailing List
> *Subject:* Re: [openstack-dev] [Nova][Horizon] Is there precedent for
> validating user input on data types to APIs?
> Hi Matt,
> Given that the Nova API is public, this needs to be validated in the
> API, otherwise the security guys are unhappy.
> Of course the API shouldn't get bad data in the first place. That's a
> bug in nova client. I have sent reviews for both code fixes but I've not
> seen any serious reaction or approval on those for two weeks. Eventually
> somebody is going to look at it, I guess.
> Greetings,
> Dirk
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Sean Dague

More information about the OpenStack-dev mailing list