Sanitizes authentication methods received in requests.
When a user authenticates against the Identity V3 API, they can specify
multiple authentication methods. This patch removes duplicates, which
could have been used to achieve DoS attacks.
Closes-Bug: 1300274
(cherry picked from commit ef868ad92c
)
Cherry-pick from https://review.openstack.org/#/c/84425/
Change-Id: I6e60324309baa094a5e54b012fb0fc528fea72ab
parent
a96d1a44bc
commit
e364ba5b12
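--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -225,7 +225,13 @@ class AuthInfo(object):
 :returns: list of auth method names
 """
-return self.auth['identity']['methods'] or []
+# Sanitizes methods received in request's body
+# Filters out duplicates, while keeping elements' order.
+method_names = []
+for method in self.auth['identity']['methods']:
+if method not in method_names:
+method_names.append(method)
+return method_names
 
 def get_method_data(self, method):
 """Get the auth method payload.
 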
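Review bot: The rewritten loop drops the `or []` fallback that the removed line had, so a request whose `methods` value is null now raises TypeError when the loop iterates it instead of returning an empty list; unless a schema check earlier in the request path guarantees a list, keep the fallback as `for method in self.auth['identity']['methods'] or []:`. The `method not in method_names` membership test is also quadratic in the length of a caller-controlled list; keeping a parallel `seen` set next to the ordered list gives the same result with linear work, which is worth having given the DoS motivation of this change. get_method_names' signature and the start of its docstring are outside the hunk.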
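--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -81,6 +81,18 @@ class TestAuthInfo(test_v3.RestfulTestCase):
 None,
 auth_data)
 
+def test_get_method_names_duplicates(self):
+auth_data = self.build_authentication_request(
+token='test',
+user_id='test',
+password='test')['auth']
+auth_data['identity']['methods'] = ['password', 'token',
+'password', 'password']
+context = None
+auth_info = auth.controllers.AuthInfo(context, auth_data)
+self.assertEqual(auth_info.get_method_names(),
+['password', 'token'])
+
 def test_get_method_data_invalid_method(self):
 auth_data = self.build_authentication_request(
 user_id='test',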
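Review bot: test_get_method_names_duplicates only pins that repeated valid names collapse to `['password', 'token']`; it does not cover the empty-list case that the replaced `or []` branch of get_method_names used to handle, so a regression there would still pass this suite. Add a second check, in this test or a sibling, that sets `auth_data['identity']['methods'] = []` and asserts `auth_info.get_method_names()` returns `[]`. The `context = None` local is used once and could be passed inline to the AuthInfo constructor. TestAuthInfo continues outside the hunk.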