Add "stores" to disallowed properties

Stores is image property which API uses to indicate which
stores (store IDs) contains the image. This also can be
set by user making it very confusing and potentially
catastrophic breaking for consumers.

This patch prevents that to happen.

Depends-on: https://review.opendev.org/#/c/744024/
Change-Id: I4eca092bd0a7cce1d6bbbd30685f4643cb4e7d1c
Closes-Bug: #1889676

glance/api/v2/images.py

@@ -729,7 +729,7 @@ class ImagesController(object):
 
 class RequestDeserializer(wsgi.JSONRequestDeserializer):
 
-    _disallowed_properties = ('direct_url', 'self', 'file', 'schema')
+    _disallowed_properties = ('direct_url', 'self', 'file', 'schema', 'stores')
     _readonly_properties = ('created_at', 'updated_at', 'status', 'checksum',
                             'size', 'virtual_size', 'direct_url', 'self',
                             'file', 'schema', 'id', 'os_hash_algo',

glance/tests/unit/v2/test_images_resource.py

@@ -4361,6 +4361,13 @@ class TestImagesDeserializerNoAdditionalProperties(test_utils.BaseTestCase):
         self.assertRaises(webob.exc.HTTPBadRequest,
                           self.deserializer.create, request)
 
+    def test_neg_create_with_stores(self):
+        self.config(allow_additional_image_properties=True)
+        request = unit_test_utils.get_fake_request()
+        request.body = jsonutils.dump_as_bytes({'stores': 'test'})
+        self.assertRaises(webob.exc.HTTPForbidden,
+                          self.deserializer.create, request)
+
     def test_update(self):
         request = unit_test_utils.get_fake_request()
         request.content_type = 'application/openstack-images-v2.1-json-patch'

releasenotes/notes/fix_1889676-f8d302fd240c8a57.yaml

@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Bug 1889676_: "stores" can be set as property breaking multistore indication of stores where the images are present
+
+    .. _1889676: https://bugs.launchpad.net/glance/+bug/1889676