Merge "Eliminate SQL injection vulnerability in node_cache"

ironic_inspector/node_cache.py

@@ -18,6 +18,7 @@ import contextlib
 import copy
 import datetime
 import json
+import operator
 
 from automaton import exceptions as automaton_errors
 from ironicclient import exceptions
@@ -30,7 +31,6 @@ from oslo_utils import timeutils
 from oslo_utils import uuidutils
 import six
 from sqlalchemy.orm import exc as orm_errors
-from sqlalchemy import text
 
 from ironic_inspector.common.i18n import _
 from ironic_inspector.common import ironic as ir_utils
@@ -840,14 +840,11 @@ def find_node(**attributes):
 
         LOG.debug('Trying to use %s of value %s for node look up',
                   name, value)
-        value_list = []
-        for v in value:
-            value_list.append("name='%s' AND value='%s'" % (name, v))
-        stmt = ('select distinct node_uuid from attributes where ' +
-                ' OR '.join(value_list))
-        rows = (db.model_query(db.Attribute.node_uuid).from_statement(
-            text(stmt)).all())
-        found.update(row.node_uuid for row in rows)
+        query = db.model_query(db.Attribute.node_uuid)
+        pairs = [(db.Attribute.name == name) &
+                 (db.Attribute.value == v) for v in value]
+        query = query.filter(six.moves.reduce(operator.or_, pairs))
+        found.update(row.node_uuid for row in query.distinct().all())
 
     if not found:
         raise utils.NotFoundInCacheError(_(

ironic_inspector/test/unit/test_node_cache.py

@@ -315,6 +315,11 @@ class TestNodeCacheFind(test_base.NodeTest):
         self.assertRaises(utils.Error, node_cache.find_node,
                           bmc_address='1.2.3.4')
 
+    def test_input_filtering(self):
+        self.assertRaises(utils.NotFoundInCacheError,
+                          node_cache.find_node,
+                          bmc_address="' OR ''='")
+
 
 class TestNodeCacheCleanUp(test_base.NodeTest):
     def setUp(self):