Re: [openstack-dev] [security] [api] Script injection issue

2017-11-19 Thread TommyLike Hu
Based on my understanding, the BASIC LIMITATION in the API here is only a guidance or suggestion from the community. It defines the default API behaviour and is also configurable. BTW, OpenStack now doesn't have an explicit rule for valid user input (such as name and description), and this is

Re: [openstack-dev] [security] [api] Script injection issue

2017-11-19 Thread Duncan Thomas
But the filtering requirements are going to be different for different front ends, and we can't hope to catch them all. Trying to do any filtering at the cinder/nova API level just provides a false sense of security - horizon and other UIs *have* to get their escaping right. If you put incomplete

Re: [openstack-dev] [security] [api] Script injection issue

2017-11-19 Thread TommyLike Hu
Our API service is open to any client or any API consumer. We cannot guarantee that every frontend has the ability to protect itself from script injection. Although the specific cases would differ, the security issue is the same. If we have to keep asking them to add this support repeatedly, can we
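The disagreement above (Duncan Thomas: filter at the API and you get a false sense of security, the UI must escape; TommyLike Hu: not every API consumer can be trusted to do so) comes down to a concrete property of XSS: the correct defence depends on the output context, which the API cannot know. The following is an added example, not code from this thread, from Horizon or from any OpenStack project. It constructs a few sample resource names (labelled as constructed), runs them through a hypothetical API-side "strip script tags" filter of the kind the thread is arguing about, renders them into two HTML contexts with and without output escaping, and uses the standard library HTML parser as a crude oracle for "did the name become active markup". The filter, the render functions and the oracle are all assumptions made for the demonstration.

```python
"""Why API-side filtering of names is not a substitute for UI-side escaping.

Added example; not OpenStack code. All sample inputs are constructed.
"""
import html
import re
from html.parser import HTMLParser

# Constructed sample values as an API client might submit them in a
# volume/server "name" field. None of these come from the thread.
SAMPLE_NAMES = {
    "benign": "db-volume-01",
    "tag_payload": "<script>alert(1)</script>",        # what a tag blacklist catches
    "img_payload": "<img src=x onerror=alert(1)>",      # body-context payload with no <script>
    "attr_payload": '" onmouseover="alert(1)',          # attribute-context payload, no tags at all
}

# Hypothetical API-level sanitiser (assumption): remove <script ...> and
# </script> tags and nothing else. Deliberately naive, to show the gap.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def api_level_filter(value: str) -> str:
    """Strip <script> tags from a submitted value; everything else passes."""
    return SCRIPT_TAG.sub("", value)


# Two hypothetical front-end render sites for the same value.
def render_body_unescaped(name: str) -> str:
    return f"<td>{name}</td>"


def render_attr_unescaped(name: str) -> str:
    return f'<input type="text" value="{name}">'


def render_body_escaped(name: str) -> str:
    # html.escape(quote=True) escapes & < > " and ', which is safe for an
    # HTML text node and for a double-quoted attribute value.
    return f"<td>{html.escape(name, quote=True)}</td>"


def render_attr_escaped(name: str) -> str:
    return f'<input type="text" value="{html.escape(name, quote=True)}">'


class _TagCollector(HTMLParser):
    """Collects element names and any on* event-handler attributes seen."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.event_attrs: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for key, _ in attrs:
            if key.lower().startswith("on"):
                self.event_attrs.append((tag, key))


def executes_script(fragment: str) -> bool:
    """Crude oracle (assumption): the fragment contains a <script> element or an
    on* handler attribute once parsed as HTML, i.e. the user value became markup
    rather than text. A real browser is the only authoritative judge."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return "script" in parser.tags or bool(parser.event_attrs)


def evaluate(name: str) -> dict:
    """Compare the two strategies for one value across both output contexts."""
    filtered = api_level_filter(name)
    return {
        "api_filter_body": executes_script(render_body_unescaped(filtered)),
        "api_filter_attr": executes_script(render_attr_unescaped(filtered)),
        "ui_escape_body": executes_script(render_body_escaped(name)),
        "ui_escape_attr": executes_script(render_attr_escaped(name)),
    }


if __name__ == "__main__":
    for label, name in SAMPLE_NAMES.items():
        print(label, evaluate(name))
```

Running it shows the shape of Duncan's argument: the API-side tag filter stops only the `<script>` payload, while an `<img onerror>` value still executes in body context and a quote-breaking value still executes in attribute context, because the filter has no idea which context the consumer will render into. Output escaping at the render site, chosen per context, neutralises all three with the same call, which is why the thread keeps returning to "the UI has to get its escaping right" even while acknowledging that not every API consumer will.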

Re: [openstack-dev] [security] [api] Script injection issue

2017-11-19 Thread TommyLike Hu
The special character is allowed by default, tested in nova's and cinder's master branches. And I guess most of the projects allow those characters, as the community doesn't have an explicit red line for this :) Adam Heczko wrote on Fri, 17 Nov 2017 at 8:33 PM: > Thanks TommyLike for this

Re: [openstack-dev] [security] [api] Script injection issue

2017-11-17 Thread Jeremy Stanley
On 2017-11-17 15:55:33 +0000 (+0000), Tristan Cacqueray wrote: [...] > We had similar issues[0][1] in the past where we already drew the line > that it is the client's responsibility to filter out the API response. > > Thus I agree with Jeremy, perhaps it is not ideal, but at least it > doesn't give a

Re: [openstack-dev] [security] [api] Script injection issue

2017-11-17 Thread Tristan Cacqueray
On November 17, 2017 1:56 pm, Jeremy Stanley wrote: On 2017-11-17 12:47:34 +0000 (+0000), Luke Hinds wrote: This will need the VMT's attention, so please raise as an issue on launchpad and we can tag it as for the vmt members as a possible OSSA. [...] Ugh, looks like someone split this

Re: [openstack-dev] [security] [api] Script injection issue

2017-11-17 Thread Jeremy Stanley
On 2017-11-17 12:47:34 +0000 (+0000), Luke Hinds wrote: > This will need the VMT's attention, so please raise as an issue on > launchpad and we can tag it as for the vmt members as a possible OSSA. [...] Ugh, looks like someone split this thread, and I already replied to the original thread. In

Re: [openstack-dev] [security] [api] Script injection issue

2017-11-17 Thread Luke Hinds
This will need the VMT's attention, so please raise as an issue on launchpad and we can tag it as for the vmt members as a possible OSSA. Apologies for top post, replying from phone. On 17 Nov 2017 12:34 pm, "Adam Heczko" wrote: > Thanks TommyLike for this bug report.

Re: [openstack-dev] [security] [api] Script injection issue

2017-11-17 Thread Adam Heczko
Thanks TommyLike for this bug report. Sounds like Stored XSS [1]. Could you please share more details, e.g. branch / release, APIs tested etc.? [1] https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting On Fri, Nov 17, 2017 at 12:36 PM, Davanum Srinivas wrote: >

Re: [openstack-dev] [security] [api] Script injection issue

2017-11-17 Thread Davanum Srinivas
Adding [api] to make sure the API (SIG?) sees this too On Fri, Nov 17, 2017 at 3:22 AM, TommyLike Hu wrote: > Hey all, > Recently, when we were integrating and testing OpenStack services, we found > there is a potential script injection issue that some of our services