GitHub user sudhansu7 opened a pull request: https://github.com/apache/cloudstack/pull/1763
CLOUDSTACK-9594: API "list templates templatefilter=all" reveals all templates

API "list templates templatefilter=all" reveals all templates. Using a "list templates templatefilter=all" API call any domain admin can see all templates of all domains in ACS. Information returned includes the account and domain of the template's owner. The template data shows what that VM is using and any hints from the label. This would give an advantage in what attack vectors to use. The account and domain can possibly be used in a brute force attack to guess the password and login information.

Test Scenario: created two accounts in different domains.

{noformat}
mysql> select account_id,username,api_key from user where id in (4,5);
+------------+-----------+----------------------------------------------------------------------------------------+
| account_id | username  | api_key                                                                                |
+------------+-----------+----------------------------------------------------------------------------------------+
|          4 | sudadmin1 | 3qeSuWadNzUFZ_i6c6zbwafjM3Eo0TWpkHw3En9jNsg5Ditk2N18DnbbL2quBYQ7FsdXQ8rwxbyFlE8vyUTwEg |
|          5 | sudadmin  | N5uHVOrg1Ek1F1a_5OXTz4WpLG3ewHqcbPUSBjQ-2CTJdxmUe2go0S8fyqH4Np0scYiehYg2KqthZXCWEyKx1A |
+------------+-----------+----------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> select account_name,domain_id from account where id in (4,5);
+--------------+-----------+
| account_name | domain_id |
+--------------+-----------+
| sudadmin     |         2 |
| sudadmin1    |         3 |
+--------------+-----------+
2 rows in set (0.00 sec)
{noformat}

User sudadmin registered a private template named 'Debian'.

http://10.147.59.107:8080/client/api?apikey=N5uHVOrg1Ek1F1a_5OXTz4WpLG3ewHqcbPUSBjQ-2CTJdxmUe2go0S8fyqH4Np0scYiehYg2KqthZXCWEyKx1A&command=listTemplates&templatefilter=self&signature=ODt7zEWCLL20z1FT%2FIkd1molRaM%3D

listTemplate with "templatefilter=self" lists the newly registered template.

{noformat}
<listtemplatesresponse cloud-stack-version="4.8.0">
  <count>1</count>
  <template>
    <id>51026d32-60ee-4e25-8ffd-3fa3c57fc14c</id>
    <name>Debian</name>
    <displaytext>Debian</displaytext>
    <ispublic>false</ispublic>
    <created>2016-11-10T17:18:00-0500</created>
    <isready>true</isready>
    <passwordenabled>false</passwordenabled>
    <format>VHD</format>
    <isfeatured>false</isfeatured>
    <crossZones>false</crossZones>
    <ostypeid>38c1fc84-a687-11e6-a8c8-06f654000053</ostypeid>
    <ostypename>Debian GNU/Linux 7(64-bit)</ostypename>
    <account>sudadmin</account>
    <zoneid>25fa5b74-d4c2-4bad-8e3a-ceffcd10985e</zoneid>
    <zonename>z1</zonename>
    <status>Download Complete</status>
    <size>2621440000</size>
    <templatetype>USER</templatetype>
    <hypervisor>XenServer</hypervisor>
    <domain>SUDDOMAIN</domain>
    <domainid>a350c00d-4048-4876-ae09-74ad4b7bb28c</domainid>
    <isextractable>false</isextractable>
    <checksum>e87a6d7291b999c92baa9623c9c3c207</checksum>
    <details>{hypervisortoolsversion=xenserver61}</details>
    <sshkeyenabled>false</sshkeyenabled>
    <isdynamicallyscalable>false</isdynamicallyscalable>
  </template>
</listtemplatesresponse>
{noformat}

User sudadmin1: listTemplate with "templatefilter=self" does not list any template.

http://10.147.59.107:8080/client/api?apikey=3qeSuWadNzUFZ_i6c6zbwafjM3Eo0TWpkHw3En9jNsg5Ditk2N18DnbbL2quBYQ7FsdXQ8rwxbyFlE8vyUTwEg&command=listTemplates&templatefilter=self&signature=RfKsdg3RxDkqJotbTlHU2RdbdPA%3D

{noformat}
<listtemplatesresponse cloud-stack-version="4.8.0"/>
{noformat}

NO TEMPLATES

**listTemplate with "templatefilter=all" lists all templates**

http://10.147.59.107:8080/client/api?apikey=3qeSuWadNzUFZ_i6c6zbwafjM3Eo0TWpkHw3En9jNsg5Ditk2N18DnbbL2quBYQ7FsdXQ8rwxbyFlE8vyUTwEg&command=listTemplates&templatefilter=all&signature=l5tubfyABT67d1jY702dvtZODbc%3D

Result:

{noformat}
<listtemplatesresponse cloud-stack-version="4.8.0">
  <count>3</count>
  <template>
    <id>38451a02-a687-11e6-a8c8-06f654000053</id>
    <name>CentOS 5.6(64-bit) no GUI (XenServer)</name>
    <displaytext>CentOS 5.6(64-bit) no GUI (XenServer)</displaytext>
    <ispublic>true</ispublic>
    ....
  </template>
  <template>
    <id>51026d32-60ee-4e25-8ffd-3fa3c57fc14c</id>
    <name>Debian</name>
    <displaytext>Debian</displaytext>
    <ispublic>false</ispublic>
    <created>2016-11-10T17:18:00-0500</created>
    <isready>true</isready>
    <passwordenabled>false</passwordenabled>
    <format>VHD</format>
    <isfeatured>false</isfeatured>
    <crossZones>false</crossZones>
    <ostypeid>38c1fc84-a687-11e6-a8c8-06f654000053</ostypeid>
    <ostypename>Debian GNU/Linux 7(64-bit)</ostypename>
    **<account>sudadmin</account>**
    <zoneid>25fa5b74-d4c2-4bad-8e3a-ceffcd10985e</zoneid>
    <zonename>z1</zonename>
    <size>2621440000</size>
    <templatetype>USER</templatetype>
    <hypervisor>XenServer</hypervisor>
    <domain>SUDDOMAIN</domain>
    <domainid>a350c00d-4048-4876-ae09-74ad4b7bb28c</domainid>
    <isextractable>false</isextractable>
    <checksum>e87a6d7291b999c92baa9623c9c3c207</checksum>
    <details>{hypervisortoolsversion=xenserver61}</details>
    <sshkeyenabled>false</sshkeyenabled>
    <isdynamicallyscalable>false</isdynamicallyscalable>
  </template>
  <template>
    <id>5f6af7bb-d965-4b9b-ab45-6d455b0d6bbe</id>
    <name>SystemVM Template (XenServer)</name>
    <displaytext>SystemVM Template (XenServer)</displaytext>
    <ispublic>false</ispublic>
    .....
  </template>
</listtemplatesresponse>
{noformat}

**After Fix:**

http://10.147.59.107:8080/client/api?apikey=3qeSuWadNzUFZ_i6c6zbwafjM3Eo0TWpkHw3En9jNsg5Ditk2N18DnbbL2quBYQ7FsdXQ8rwxbyFlE8vyUTwEg&command=listTemplates&templatefilter=all&signature=l5tubfyABT67d1jY702dvtZODbc%3D

{noformat}
<listtemplatesresponse cloud-stack-version="4.8.0">
  <count>1</count>
  <template>
    <id>38451a02-a687-11e6-a8c8-06f654000053</id>
    <name>CentOS 5.6(64-bit) no GUI (XenServer)</name>
    <displaytext>CentOS 5.6(64-bit) no GUI (XenServer)</displaytext>
    <ispublic>true</ispublic>
    <created>2016-11-10T09:32:44-0500</created>
    <isready>true</isready>
    <passwordenabled>false</passwordenabled>
    <format>VHD</format>
    <isfeatured>true</isfeatured>
    <crossZones>true</crossZones>
    <ostypeid>38a2bfd6-a687-11e6-a8c8-06f654000053</ostypeid>
    <ostypename>CentOS 5.6 (64-bit)</ostypename>
    <account>system</account>
    <zoneid>25fa5b74-d4c2-4bad-8e3a-ceffcd10985e</zoneid>
    <zonename>z1</zonename>
    <size>21474836480</size>
    <templatetype>BUILTIN</templatetype>
    <hypervisor>XenServer</hypervisor>
    <domain>ROOT</domain>
    <domainid>383e0ea6-a687-11e6-a8c8-06f654000053</domainid>
    <isextractable>true</isextractable>
    <checksum>905cec879afd9c9d22ecc8036131a180</checksum>
    <sshkeyenabled>false</sshkeyenabled>
    <isdynamicallyscalable>true</isdynamicallyscalable>
  </template>
</listtemplatesresponse>
{noformat}

Bug has been fixed considering the below points:

1. templatefilter=all or isofilter=all is applicable only to admin and domain admin.
2. With templatefilter=all or isofilter=all, below is the visibility of templates in the system.
   - admin should be able to see all templates/ISOs in the system.
   - domain admin should be able to see all public templates and templates under its domain tree (including sub domains).
   - domain admin in a project context should be able to see all public templates, templates registered as the project account, and templates which are shared (using the updateTemplatePermission API) with the project account.

Also modified "test/integration/component/test_escalation_listTemplateDomainAdmin.py". This marvin test was written for this scenario, but for the second account "templatefilter=all" is not used.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/sudhansu7/cloudstack CLOUDSTACK-9594

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1763.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #1763

----
commit 692a6eaaa2c54ae206d27a055579f948277cc62b
Author: Sudhansu <sudhansu.s...@accelerite.com>
Date:   2016-11-11T11:50:24Z

    CLOUDSTACK-9594: API "list templates templatefilter=all" reveals all templates of all domains

    Bug has been fixed considering the below points:
    1. templatefilter=all or isofilter=all is applicable only to admin and domain admin.
    2. With templatefilter=all or isofilter=all, below is the visibility of templates in the system.
       a. admin should be able to see all templates/ISOs in the system.
       b. domain admin should be able to see all public templates and templates under its domain tree (including sub domains).
       c. domain admin in a project context should be able to see all public templates, templates registered as the project account, and templates which are shared (using the updateTemplatePermission API) with the project account.

    Modified "test/integration/component/test_escalation_listTemplateDomainAdmin.py". This marvin test is written for this scenario, but for the second account "templatefilter=all" is not used.
----