Merge "Eliminate SQL injection vulnerability in node_cache"

2019-05-21 14:35:28 +00:00 · 2019-05-21 14:35:28 +00:00 · 0ac77190e5
parent 1cd7659b52 9d107900b2
commit 0ac77190e5
3 changed files with 18 additions and 9 deletions
--- a/ironic_inspector/node_cache.py
+++ b/ironic_inspector/node_cache.py
@ -18,6 +18,7 @@ import contextlib
 import copy
 import datetime
 import json
+import operator

 from automaton import exceptions as automaton_errors
 from ironicclient import exceptions
@ -30,7 +31,6 @@ from oslo_utils import timeutils
 from oslo_utils import uuidutils
 import six
 from sqlalchemy.orm import exc as orm_errors
-from sqlalchemy import text

 from ironic_inspector.common.i18n import _
 from ironic_inspector.common import ironic as ir_utils
@ -840,14 +840,11 @@ def find_node(**attributes):

        LOG.debug('Trying to use %s of value %s for node look up',
                  name, value)
-        value_list = []
-        for v in value:
-            value_list.append("name='%s' AND value='%s'" % (name, v))
-        stmt = ('select distinct node_uuid from attributes where ' +
-                ' OR '.join(value_list))
-        rows = (db.model_query(db.Attribute.node_uuid).from_statement(
-            text(stmt)).all())
-        found.update(row.node_uuid for row in rows)
+        query = db.model_query(db.Attribute.node_uuid)
+        pairs = [(db.Attribute.name == name) &
+                 (db.Attribute.value == v) for v in value]
+        query = query.filter(six.moves.reduce(operator.or_, pairs))
+        found.update(row.node_uuid for row in query.distinct().all())

    if not found:
        raise utils.NotFoundInCacheError(_(
--- a/ironic_inspector/test/unit/test_node_cache.py
+++ b/ironic_inspector/test/unit/test_node_cache.py
@ -315,6 +315,11 @@ class TestNodeCacheFind(test_base.NodeTest):
        self.assertRaises(utils.Error, node_cache.find_node,
                          bmc_address='1.2.3.4')

+    def test_input_filtering(self):
+        self.assertRaises(utils.NotFoundInCacheError,
+                          node_cache.find_node,
+                          bmc_address="' OR ''='")
+

 class TestNodeCacheCleanUp(test_base.NodeTest):
    def setUp(self):
--- a/releasenotes/notes/find-node-input-filtering-e8ea529252e80739.yaml
+++ b/releasenotes/notes/find-node-input-filtering-e8ea529252e80739.yaml
@ -0,0 +1,7 @@
+---
+security:
+  - |
+    Fixes insufficient input filtering when looking up a node by information
+    from the introspection data. It could potentially allow SQL injections
+    via the ``/v1/continue`` API endpoint. See `story 2005678
+    <https://storyboard.openstack.org/#!/story/2005678>`_ for details.