Merge "Eliminate SQL injection vulnerability in node_cache"
This commit is contained in:
commit
0ac77190e5
|
@ -18,6 +18,7 @@ import contextlib
|
||||||
import copy
|
import copy
|
||||||
import datetime
|
import datetime
|
||||||
import json
|
import json
|
||||||
|
import operator
|
||||||
|
|
||||||
from automaton import exceptions as automaton_errors
|
from automaton import exceptions as automaton_errors
|
||||||
from ironicclient import exceptions
|
from ironicclient import exceptions
|
||||||
|
@ -30,7 +31,6 @@ from oslo_utils import timeutils
|
||||||
from oslo_utils import uuidutils
|
from oslo_utils import uuidutils
|
||||||
import six
|
import six
|
||||||
from sqlalchemy.orm import exc as orm_errors
|
from sqlalchemy.orm import exc as orm_errors
|
||||||
from sqlalchemy import text
|
|
||||||
|
|
||||||
from ironic_inspector.common.i18n import _
|
from ironic_inspector.common.i18n import _
|
||||||
from ironic_inspector.common import ironic as ir_utils
|
from ironic_inspector.common import ironic as ir_utils
|
||||||
|
@ -840,14 +840,11 @@ def find_node(**attributes):
|
||||||
|
|
||||||
LOG.debug('Trying to use %s of value %s for node look up',
|
LOG.debug('Trying to use %s of value %s for node look up',
|
||||||
name, value)
|
name, value)
|
||||||
value_list = []
|
query = db.model_query(db.Attribute.node_uuid)
|
||||||
for v in value:
|
pairs = [(db.Attribute.name == name) &
|
||||||
value_list.append("name='%s' AND value='%s'" % (name, v))
|
(db.Attribute.value == v) for v in value]
|
||||||
stmt = ('select distinct node_uuid from attributes where ' +
|
query = query.filter(six.moves.reduce(operator.or_, pairs))
|
||||||
' OR '.join(value_list))
|
found.update(row.node_uuid for row in query.distinct().all())
|
||||||
rows = (db.model_query(db.Attribute.node_uuid).from_statement(
|
|
||||||
text(stmt)).all())
|
|
||||||
found.update(row.node_uuid for row in rows)
|
|
||||||
|
|
||||||
if not found:
|
if not found:
|
||||||
raise utils.NotFoundInCacheError(_(
|
raise utils.NotFoundInCacheError(_(
|
||||||
|
|
|
@ -315,6 +315,11 @@ class TestNodeCacheFind(test_base.NodeTest):
|
||||||
self.assertRaises(utils.Error, node_cache.find_node,
|
self.assertRaises(utils.Error, node_cache.find_node,
|
||||||
bmc_address='1.2.3.4')
|
bmc_address='1.2.3.4')
|
||||||
|
|
||||||
|
def test_input_filtering(self):
|
||||||
|
self.assertRaises(utils.NotFoundInCacheError,
|
||||||
|
node_cache.find_node,
|
||||||
|
bmc_address="' OR ''='")
|
||||||
|
|
||||||
|
|
||||||
class TestNodeCacheCleanUp(test_base.NodeTest):
|
class TestNodeCacheCleanUp(test_base.NodeTest):
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
|
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
Fixes insufficient input filtering when looking up a node by information
|
||||||
|
from the introspection data. It could potentially allow SQL injections
|
||||||
|
via the ``/v1/continue`` API endpoint. See `story 2005678
|
||||||
|
<https://storyboard.openstack.org/#!/story/2005678>`_ for details.
|
Loading…
Reference in New Issue