Open Stack

I was looking at the migrations api, and I noticed that the api passes
the request query unchecked to get_migrations, where it ultimately ends
up in a db query. I was curious and spent a couple of hours checking
this morning. There are a few instances of this.

I didn't find any security bugs, however I feel that this extremely bad
practise, and is likely to result in a security bug eventually. For
example, note that os-assisted-volume-snapshots:delete does not validate
delete_info before passing it to volume_snapshot_delete. I looked at
this quite carefully, and I think we are only protected from a host
compromise because:

1. The api requires admin context
2. libvirt's security policy

I could be wrong on that, though, so perhaps somebody else could check?

Passing unvalidated input to a function isn't necessarily bad, for
example if it is only used for filtering, but it should be clearly
marked as such so it isn't used in an unsafe manner. This marking should
follow the data as far as it goes through any number of function calls.
libvirt's _volume_snapshot_delete function is a long way from the
originating api call, and it is not at all obvious that the commit_base
and commit_top arguments to virt_dom.blockCommit() are unvalidated.

Does python have anything like perl's taint mode? If so, it might be
worth investigating its use.

Matt
-- 
Matthew Booth
Red Hat Engineering, Virtualisation Team

Phone: +442070094448 (UK)
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490