From d1872d7fcff646d8bdda876ba85bdff6f67f91cd Mon Sep 17 00:00:00 2001
From: Steve Baker
Date: Fri, 22 Nov 2024 14:25:39 +1300
Subject: [PATCH] Calculate missing checksum for file:// based images
The fix for CVE-2024-47211 results in image checksum being required in all cases. However there is no requirement for checksums in file:// based images. This change checks for this situation. When checksum is missing for file:// based image_source it is now calculated on-the-fly.
Change-Id: Ib2fd5ddcbee9a9d1c7e32770ec3d9b6cb20a2e2a
(cherry picked from commit b827c7bf72b02f88d8d899568bac1d2b07c371ab)
---
 ironic/common/checksum_utils.py | 15 +++++++++++++--
 ironic/tests/unit/common/test_checksum_utils.py | 13 +++++++++++++
 .../missing_file_checksum-4931c98031951486.yaml | 7 +++++++
 3 files changed, 33 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/missing_file_checksum-4931c98031951486.yaml
diff --git a/ironic/common/checksum_utils.py b/ironic/common/checksum_utils.py
index 7d43a1f890..2dddd177b2 100644
--- a/ironic/common/checksum_utils.py
+++ b/ironic/common/checksum_utils.py
@@ -156,8 +156,19 @@ def get_checksum_and_algo(instance_info):
 checksum_algo = instance_info.get('image_os_hash_algo')
 else:
 checksum = instance_info.get('image_checksum')
- if is_checksum_url(checksum):
- image_source = instance_info.get('image_source')
+ image_source = instance_info.get('image_source')
+
+ # NOTE(stevebaker): file:// images have no requirement to supply
+ # checksums but they are now mandatory for validation as part
+ # of the fix for CVE-2024-47211.
+ # The only practical option is to calculate it here.
+ if checksum is None and image_source.startswith('file:'):
+ checksum_algo = "sha256"
+ image_path = urlparse.urlparse(image_source).path
+ checksum = fileutils.compute_file_checksum(
+ image_path, algorithm=checksum_algo)
+
+ elif is_checksum_url(checksum):
 checksum = get_checksum_from_url(checksum, image_source)
 # NOTE(TheJulia): This is all based on SHA-2 lengths.
diff --git a/ironic/tests/unit/common/test_checksum_utils.py b/ironic/tests/unit/common/test_checksum_utils.py
index 5c0964dc94..a7e833401d 100644
--- a/ironic/tests/unit/common/test_checksum_utils.py
+++ b/ironic/tests/unit/common/test_checksum_utils.py
@@ -17,6 +17,7 @@ from unittest import mock
 from oslo_config import cfg
+from oslo_utils import fileutils
 from ironic.common import checksum_utils
 from ironic.common import exception 
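Review bot: `image_source.startswith('file:')` on the new `if` line runs whenever `checksum is None`, so an instance_info that carries neither `image_checksum` nor `image_source` now raises AttributeError from this branch instead of reaching the validation that follows; before this change `image_source` was only read inside the `is_checksum_url` branch. Whether callers guarantee `image_source` is present is not visible in the hunk, so a guard is cheap insurance: `if checksum is None and image_source and image_source.startswith('file:'):`. The NOTE should also say that the value computed here is self-attested — it is derived from the same file it will later be compared against, so it satisfies the mandatory-checksum validation but cannot detect an image altered before this point, and integrity of file:// images still rests on the permissions of the directory holding them. Minor style: `"sha256"` uses double quotes where the surrounding lines use single quotes. get_checksum_and_algo starts and ends outside the hunk.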
@@ -149,6 +150,18 @@ class IronicChecksumUtilsTestCase(base.TestCase):
 self.assertEqual('f' * 128, csum)
 self.assertEqual('sha512', algo)
+ @mock.patch.object(fileutils, 'compute_file_checksum', autospec=True)
+ def test_get_checksum_and_algo_no_checksum_file_url(self, mock_cfc):
+ i_info = {
+ 'image_source': 'file:///var/lib/ironic/images/foo.raw'
+ }
+ mock_cfc.return_value = 'f' * 64
+ csum, algo = checksum_utils.get_checksum_and_algo(i_info)
+ mock_cfc.assert_called_once_with('/var/lib/ironic/images/foo.raw',
+ algorithm='sha256')
+ self.assertEqual('f' * 64, csum)
+ self.assertEqual('sha256', algo)
+
 @mock.patch.object(image_service.HttpImageService, 'get', autospec=True)
diff --git a/releasenotes/notes/missing_file_checksum-4931c98031951486.yaml b/releasenotes/notes/missing_file_checksum-4931c98031951486.yaml
new file mode 100644
index 0000000000..da2fab7b8a
--- /dev/null
+++ b/releasenotes/notes/missing_file_checksum-4931c98031951486.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ The fix for CVE-2024-47211 results in image checksum being required in all
+ cases. However there is no checksum requirement for file://
+ based images. When checksum is missing for file:// based image_source it is
+ now calculated on-the-fly.
\ No newline at end of file
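Review bot: test_get_checksum_and_algo_no_checksum_file_url only exercises the positive branch, so a regression that loosened the `startswith('file:')` guard (hashing a local path for a non-file image_source, or for a missing one) would pass unnoticed. A sibling case with no `image_checksum` and a constructed `http://` image_source asserting `mock_cfc.assert_not_called()` would pin that boundary, and a case with `image_source` absent would document which error callers should expect there. IronicChecksumUtilsTestCase continues outside the hunk.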