8c681f2641
The template validation method in the heat API allows specifying the
template to validate using a URL with the 'template_url' parameter.
By entering invalid http URLs, like 'http://localhost:22' it is
possible to scan ports by evaluating the error message of the request.
For example, the request
curl -H "Content-Type: application/json" -H "X-Auth-Token: <TOKEN>" \
-X POST -d '{"template_url": "http://localhost:22"}' \
http://127.0.0.1:8004/v1/<TENANT_ID>/validate
causes the following error message to be returned to the user:
"Could not retrieve template: Failed to retrieve template:
('Connection aborted.',
BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))"
This could be misused by tenants to gain knowledge about the internal
network the heat API runs in.
To prevent this information leak, this patch alters the error message
to not include such details when the URL scheme is not 'file'.
SecurityImpact
Closes-Bug: #1606500
Change-Id: Id1f86f41c1e6c028d889eca7ccbb9cde67631950
(cherry picked from commit
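The mitigation the commit message describes, written out as an added illustration that is not Heat's own code: the raw fetch error is echoed only for the 'file' scheme, and every other scheme gets a fixed message, so nothing a remote host sent back (here a constructed copy of the BadStatusLine text from the report) can reach the API caller. The function names and the string form of the fetch error are assumptions for the example.

```python
from urllib.parse import urlparse

# Constructed stand-in for the low-level fetch error quoted in the report: the
# BadStatusLine text repeats the first line the contacted service sent back.
CONSTRUCTED_FETCH_ERROR = (
    "('Connection aborted.', "
    "BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))"
)

PREFIX = "Could not retrieve template: Failed to retrieve template"


def error_message_before(template_url, fetch_error):
    """Pre-fix behaviour: the raw fetch error is echoed for every scheme."""
    return "%s: %s" % (PREFIX, fetch_error)


def error_message_after(template_url, fetch_error):
    """Post-fix behaviour (assumed shape, not the project's code).

    The raw fetch error is kept only for the 'file' scheme; any other
    scheme gets the fixed prefix, so a banner or status line from a host
    reachable by the Heat API is never relayed to the tenant.
    """
    scheme = urlparse(template_url).scheme.lower()
    if scheme == 'file':
        return "%s: %s" % (PREFIX, fetch_error)
    return PREFIX


def leaks_remote_detail(message, fetch_error):
    """Regression check: True if any of the fetch error text survives."""
    return fetch_error in message


if __name__ == '__main__':
    url = 'http://localhost:22'
    for name, fn in (('before', error_message_before),
                     ('after', error_message_after)):
        msg = fn(url, CONSTRUCTED_FETCH_ERROR)
        print('%s: leaks=%s -> %s'
              % (name, leaks_remote_detail(msg, CONSTRUCTED_FETCH_ERROR), msg))
```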
README.rst
Heat
Heat is a service to orchestrate multiple composite cloud applications using templates, through both an OpenStack-native REST API and a CloudFormation-compatible Query API.
Why heat? It makes the clouds rise and keeps them there.
Getting Started
If you'd like to run from the master branch, you can clone the git repo:
git clone https://git.openstack.org/openstack/heat
- Wiki: http://wiki.openstack.org/Heat
- Developer docs: http://docs.openstack.org/developer/heat
- Template samples: https://git.openstack.org/cgit/openstack/heat-templates
Python client
https://git.openstack.org/cgit/openstack/python-heatclient
References
- http://docs.amazonwebservices.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html
- http://docs.amazonwebservices.com/AWSCloudFormation/latest/UserGuide/create-stack.html
- http://docs.amazonwebservices.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html
- http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=tosca
We have integration with
- https://git.openstack.org/cgit/openstack/python-novaclient (instance)
- https://git.openstack.org/cgit/openstack/python-keystoneclient (auth)
- https://git.openstack.org/cgit/openstack/python-swiftclient (s3)
- https://git.openstack.org/cgit/openstack/python-neutronclient (networking)
- https://git.openstack.org/cgit/openstack/python-ceilometerclient (metering)
- https://git.openstack.org/cgit/openstack/python-cinderclient (storage service)
- https://git.openstack.org/cgit/openstack/python-glanceclient (image service)
- https://git.openstack.org/cgit/openstack/python-troveclient (database as a Service)
- https://git.openstack.org/cgit/openstack/python-saharaclient (hadoop cluster)
- https://git.openstack.org/cgit/openstack/python-barbicanclient (key management service)
- https://git.openstack.org/cgit/openstack/python-designateclient (DNS service)
- https://git.openstack.org/cgit/openstack/python-magnumclient (container service)
- https://git.openstack.org/cgit/openstack/python-manilaclient (shared file system service)
- https://git.openstack.org/cgit/openstack/python-mistralclient (workflow service)
- https://git.openstack.org/cgit/openstack/python-zaqarclient (messaging service)
- https://git.openstack.org/cgit/openstack/python-monascaclient (monitoring service)