This looks like a good place to add a test to tempest to tickle the same behavior that horizon is driving.

I expect this is another issue where we are expecting MySQL type coercion for the db, and something that will be exposed on the PostgreSQL Tempest run upstream. We have a standard pattern of fixing those in nova once we've got a test to demonstrate it.

Longer term we really need to be doing more front side validation, perhaps the new v3 framework will let us get there more easily.

        -Sean

On 07/14/2013 11:27 PM, Gabriel Hurley wrote:
I responded on the ticket as well, but here’s my take:

An error like this should absolutely be caught before it raises a
database error. A useful, human-friendly error message should be
returned via the API. Any uncaught exception is a bug. On the other side
of the equation, anything using the API (such as Horizon) should do its
best to pre-validate the input, but if invalid input **is** sent it
should be handled well. The best way to let Horizon devs know what the
problem is is for the API to return an intelligent failure.

All the best,

-Gabriel

*From:* Dirk Müller [mailto:[email protected]]
*Sent:* Sunday, July 14, 2013 5:20 PM
*To:* OpenStack Development Mailing List
*Subject:* Re: [openstack-dev] [Nova][Horizon] Is there precedent for
validating user input on data types to APIs?

Hi Matt,

Given that the Nova API is public, this needs to be validated in the
API, otherwise the security guys are unhappy.

Of course the API shouldn't get bad data in the first place. That's a
bug in nova client. I have sent reviews for both code fixes but I've not
seen any serious reaction or approval on those for two weeks. Eventually
somebody is going to look at it, I guess.

Greetings,
Dirk



_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



--
Sean Dague
http://dague.net
