From e1f0e94b90b162b1cdca5bdd7af3c09a90ca80ac Mon Sep 17 00:00:00 2001
From: Erno Kuvaja
Date: Thu, 30 Jul 2020 19:37:53 +0100
Subject: [PATCH] Add "stores" to disallowed properties

Stores is image property which API uses to indicate which stores (store IDs) contains the image. This also can be set by user making it very confusing and potentially catastrophic breaking for consumers. This patch prevents that to happen.

Depends-on: https://review.opendev.org/#/c/744024/
Change-Id: I4eca092bd0a7cce1d6bbbd30685f4643cb4e7d1c
Closes-Bug: #1889676
---
 glance/api/v2/images.py | 2 +-
 glance/tests/unit/v2/test_images_resource.py | 7 +++++++
 releasenotes/notes/fix_1889676-f8d302fd240c8a57.yaml | 6 ++++++
 3 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/fix_1889676-f8d302fd240c8a57.yaml

diff --git a/glance/api/v2/images.py b/glance/api/v2/images.py
index 9c4e08b870..3058f5ff68 100644
--- a/glance/api/v2/images.py
+++ b/glance/api/v2/images.py
@@ -729,7 +729,7 @@ class ImagesController(object):
 class RequestDeserializer(wsgi.JSONRequestDeserializer):
- _disallowed_properties = ('direct_url', 'self', 'file', 'schema')
+ _disallowed_properties = ('direct_url', 'self', 'file', 'schema', 'stores')
 _readonly_properties = ('created_at', 'updated_at', 'status', 'checksum', 'size', 'virtual_size', 'direct_url', 'self', 'file', 'schema', 'id', 'os_hash_algo',
diff --git a/glance/tests/unit/v2/test_images_resource.py b/glance/tests/unit/v2/test_images_resource.py
index b8a05506e9..375ede8db0 100644
--- a/glance/tests/unit/v2/test_images_resource.py
+++ b/glance/tests/unit/v2/test_images_resource.py
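Review bot: In glance/api/v2/images.py, `'stores'` is added to `_disallowed_properties` only, while the visible part of `_readonly_properties` lists `'direct_url'`, `'self'`, `'file'` and `'schema'` but not `'stores'` (the tuple continues past the end of the hunk, so this is judged from the lines shown). If the JSON-patch update path validates against `_readonly_properties` rather than `_disallowed_properties`, which cannot be confirmed from this hunk, a user could still add or replace `stores` on an existing image and produce the same misleading store indication the commit message describes. Consider adding `'stores'` to `_readonly_properties` as well, or note in the commit message where update requests are rejected. A short comment above the tuple such as `# 'stores' is API-generated (store IDs holding the image); never user-settable` would record why it is listed.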
@@ -4361,6 +4361,13 @@ class TestImagesDeserializerNoAdditionalProperties(test_utils.BaseTestCase):
 self.assertRaises(webob.exc.HTTPBadRequest, self.deserializer.create, request)
+ def test_neg_create_with_stores(self):
+ self.config(allow_additional_image_properties=True)
+ request = unit_test_utils.get_fake_request()
+ request.body = jsonutils.dump_as_bytes({'stores': 'test'})
+ self.assertRaises(webob.exc.HTTPForbidden,
+ self.deserializer.create, request)
+
 def test_update(self):
 request = unit_test_utils.get_fake_request()
 request.content_type = 'application/openstack-images-v2.1-json-patch'
diff --git a/releasenotes/notes/fix_1889676-f8d302fd240c8a57.yaml b/releasenotes/notes/fix_1889676-f8d302fd240c8a57.yaml
new file mode 100644
index 0000000000..268b6f23ab
--- /dev/null
+++ b/releasenotes/notes/fix_1889676-f8d302fd240c8a57.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Bug 1889676_: "stores" can be set as property breaking multistore indication of stores where the images are present
+
+ .. _1889676: https://bugs.launchpad.net/glance/+bug/1889676
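Review bot: In glance/tests/unit/v2/test_images_resource.py, the new negative test covers only `self.deserializer.create`, so nothing pins down what happens when a client tries to set `stores` on an existing image through a JSON-patch update. A companion test next to `test_neg_create_with_stores` would show whether the property is rejected on that path too. The expected status below assumes update rejects it with 403 like other protected attributes, so adjust it to whatever the update validation actually raises. The enclosing test class starts and ends outside the hunk.

```python
    # … unchanged: test_neg_create_with_stores …

    def test_neg_update_with_stores(self):
        request = unit_test_utils.get_fake_request()
        request.content_type = 'application/openstack-images-v2.1-json-patch'
        doc = [{'op': 'add', 'path': '/stores', 'value': 'test'}]
        request.body = jsonutils.dump_as_bytes(doc)
        self.assertRaises(webob.exc.HTTPForbidden,
                          self.deserializer.update, request)
```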