[openstack-dev] [security] Script injection issue

Jeremy Stanley fungi at yuggoth.org
Fri Nov 17 13:47:50 UTC 2017


On 2017-11-17 08:22:31 +0000 (+0000), TommyLike Hu wrote:
> Recently when we integrating and testing OpenStack services. We
> found there is a potential script injection issue that some of our
> services accept the input with special character [1] [2], for
> instance we can create an instance or a volume with the name of
> '<script>script inside</script>'. One of the possible solutions is
> add HTML encode/decode support in Horizon, but it's not guaranteed
> every OpenStack user is using Horizon. So should we apply more
> strict restriction on user's input?

Just my opinion, but I think its up to frontends to know what
strings are safe to present. Web-based interfaces are not the only
possible place those strings may end up, and if we consider it the
API's responsibility to strip out every possible sequence that might
cause trouble for every kind of frontend or consuming application
then we'll eventually be left accepting only ASCII alphanumerics.

> Also, I found  Google Cloud have a strict and explicit restrction in
> their instance insert API document [3].
[...]

To my knowledge, Google Cloud is proprietary software and can afford
to make decisions tightly coupling the security of their Web
frontend to their APIs. OpenStack can't easily make the same sorts
of assumptions.
-- 
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: Digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20171117/bca89ac4/attachment.sig>


More information about the OpenStack-dev mailing list