Reviewed:  https://review.opendev.org/c/openstack/mistral-dashboard/+/800952
Committed: https://opendev.org/openstack/mistral-dashboard/commit/8b876b0b22b365f24af1eb9eae01ad3d22cc1533
Submitter: "Zuul (22348)"
Branch:    master
commit 8b876b0b22b365f24af1eb9eae01ad3d22cc1533
Author: Takashi Kajinami <tkaji...@redhat.com>
Date:   Thu Jul 15 23:13:21 2021 +0900

    Enforce usage of raw definitions

    This change ensures that any definitions passed are treated as raw
    contents. With this change mistral-dashboard no longer tries to load
    contents based on file path or uri passed in by users, and this
    prohibits access to any local files or any internal contents
    accessible without authentication.

    Depends-on: https://review.opendev.org/800950
    Closes-Bug: #1931558
    Change-Id: I4de45cadc4e174794d0c2ef82223a9da5cbdcabc

** Changed in: mistral
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1931558

Title:
  LFI vulnerability in "Create Workbook"

Status in OpenStack Dashboard (Horizon):
  Invalid
Status in Mistral:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix
Status in python-mistralclient:
  New

Bug description:
  Hello,

  I've found a Local File Inclusion (LFI) vulnerability in creating a
  workbook on OpenStack Dashboard. This vulnerability allows the attacker
  to read a sensitive file on the server like /etc/passwd, config file,
  etc.

  Tested version: Victoria Horizon 18.6.3
  I do not have an opportunity to test the other versions, but I think
  those versions are also vulnerable.

  Steps to reproduce:
  1. Create a text file datnt78.txt with content: "/etc/passwd"
  2. Select Workflow -> Workbooks -> Create Workbook
  3. In "Definition Source" select "File", then browse the datnt78.txt
     file, then click Validate and get the /etc/passwd content.

  This is the request: http://paste.openstack.org/show/806520/
  This is the response: http://paste.openstack.org/show/806521/

  Please find the sample file and POC image in the attachment.
  Thank you,
  DatNT78 at FTEL CSOC

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1931558/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
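The bug pattern the report describes and the fix the commit message describes, reduced to two loaders, as an added illustration that is not code from mistral-dashboard or python-mistralclient: a "definition source" handler that resolves the submitted text as a local path whenever such a file exists (so uploading a file whose only content is "/etc/passwd" returns the password file), beside a handler that always treats the submission as the raw workbook definition. The function names, the stand-in file written under a temporary directory in place of /etc/passwd, and the sample YAML are assumptions of this example.

```python
"""Illustrative loaders for a user-supplied workbook definition.

Hypothetical code written for this note; it mirrors the behaviour the bug
report and the fix commit describe, not the project's actual functions.
"""
import os
import tempfile


def load_definition_vulnerable(definition: str) -> str:
    """Pre-fix pattern: if the submitted text names an existing local file,
    return that file's contents instead of the text itself.

    Anything the service account can read becomes retrievable by anyone who
    can reach the form, and the reporter's /etc/passwd read is one instance.
    """
    candidate = definition.strip()
    if os.path.isfile(candidate):
        with open(candidate, "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    return definition


def load_definition_raw(definition: str) -> str:
    """Hardened pattern matching the commit message: the submitted text is
    the definition. Never resolve it as a path or URI on the server side;
    if it is not valid YAML the validation step will say so."""
    return definition


def demo() -> dict:
    """Run both loaders on an attacker upload and on a legitimate workbook.

    The sensitive file is a constructed stand-in created in a temp directory
    so the example runs anywhere without touching real system files.
    """
    secret_line = "root:x:0:0:root:/root:/bin/bash\n"   # constructed sample
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret_line)
        secret_path = fh.name

    # What the uploaded datnt78.txt would contain: only a path, plus newline.
    uploaded = secret_path + "\n"
    # A real workbook definition, which both loaders must pass through as-is.
    legit = "---\nversion: '2.0'\nname: sample_wb\nworkflows: {}\n"

    try:
        result = {
            "uploaded": uploaded,
            "secret": secret_line,
            "vulnerable": load_definition_vulnerable(uploaded),
            "raw": load_definition_raw(uploaded),
            "legit_vulnerable": load_definition_vulnerable(legit),
            "legit_raw": load_definition_raw(legit),
            "legit": legit,
        }
    finally:
        os.unlink(secret_path)
    return result


def leaked(result: dict) -> bool:
    """True when a loader handed back something other than what was sent."""
    return result["vulnerable"] != result["uploaded"]


if __name__ == "__main__":
    r = demo()
    print("vulnerable loader returned:", repr(r["vulnerable"]))
    print("raw loader returned:       ", repr(r["raw"]))
    print("leak:", leaked(r))
```

The check a reviewer wants on a form like this is that the server's handling of the submitted definition is the same whether the text came from the textarea or from an uploaded file: the file path or URL resolution, if it exists at all, belongs on the client that owns the file, never on the dashboard host.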