From f5fa74c5c6926eb46403f6b0b5e0bd81a90cf234 Mon Sep 17 00:00:00 2001
From: Andrew Karpow
Date: Fri, 8 Apr 2022 18:32:03 +0200
Subject: [PATCH] Force security_group_id uuid validation of sg rules

security_groups_db._check_security_group is supposed to check the security_group_id of the _create_security_group_rule payload. When using an integer e.g. 0, as security_group_id, the check succededs because mysql accepts following query: SELECT * FROM securitygroups WHERE id in (0) Forcing validation of security_group_id as uuid fixes the problem
Closes-Bug: #1968343
Change-Id: I7c36b09309c1ef66608afacfb281b6f4b06ea5b8
(cherry picked from commit c0bf560fa36aac798ad8783749fa78ddf766bdec)
---
 neutron/extensions/securitygroup.py | 4 +++-
 neutron/tests/unit/extensions/test_securitygroup.py | 9 +++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/neutron/extensions/securitygroup.py b/neutron/extensions/securitygroup.py
index 65f98c795c2..39e609c5f36 100644
--- a/neutron/extensions/securitygroup.py
+++ b/neutron/extensions/securitygroup.py
@@ -246,7 +246,9 @@ RESOURCE_ATTRIBUTE_MAP = {
                           'primary_key': True},
     'security_group_id': {'allow_post': True, 'allow_put': False,
                           'is_visible': True, 'required_by_policy': True,
-                          'is_sort_key': True, 'is_filter': True},
+                          'is_sort_key': True, 'is_filter': True,
+                          'validate': {
+                              'type:string': db_const.UUID_FIELD_SIZE}},
     'remote_group_id': {'allow_post': True, 'allow_put': False,
                         'default': None, 'is_visible': True,
                         'is_sort_key': True, 'is_filter': True},
diff --git a/neutron/tests/unit/extensions/test_securitygroup.py b/neutron/tests/unit/extensions/test_securitygroup.py
index 0fc434d2de1..33cb029d0be 100644
--- a/neutron/tests/unit/extensions/test_securitygroup.py
+++ b/neutron/tests/unit/extensions/test_securitygroup.py
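Review bot: The validator added for `security_group_id` is `'type:string': db_const.UUID_FIELD_SIZE`, which rejects the integer `0` from the bug report but still accepts any string of up to 36 characters, so the attribute is not actually UUID-validated as the commit title states; if the stricter check is intended, neutron-lib's `'validate': {'type:uuid': None}` is the validator for that, provided no existing caller relies on passing non-UUID ids here. Whether a non-UUID string that passes `type:string` is then handled cleanly by `_check_security_group` cannot be seen from this hunk. The neighbouring `remote_group_id` entry in the same hunk has no `validate` clause at all; if it is resolved through the same kind of DB lookup it may be exposed to the same integer coercion, which is worth confirming. The `RESOURCE_ATTRIBUTE_MAP` definition continues outside the hunk.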
@@ -1923,6 +1923,15 @@ class TestSecurityGroups(SecurityGroupDBTestCase):
         self.deserialize(self.fmt, res)
         self.assertEqual(webob.exc.HTTPBadRequest.code, res.status_int)
 
+    def test_create_security_group_rule_with_non_uuid_security_group_id(self):
+        security_group_id = 0
+        rule = self._build_security_group_rule(
+            security_group_id, 'ingress',
+            const.PROTO_NAME_TCP, '22', '22')
+        res = self._create_security_group_rule(self.fmt, rule)
+        self.deserialize(self.fmt, res)
+        self.assertEqual(webob.exc.HTTPBadRequest.code, res.status_int)
+
     def test_create_port_with_non_uuid(self):
         with self.network() as n:
             with self.subnet(n):
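Review bot: The new test's name promises a non-UUID `security_group_id`, but the only value it exercises is the integer `0`; with the `type:string` validator this commit adds, a non-UUID string such as `'not-a-uuid'` would pass attribute validation and reach the DB lookup, so the case the name describes is not covered. Either add a second request in the same test with a non-UUID string and assert the expected 4xx status, or rename the test to `test_create_security_group_rule_with_integer_security_group_id` so it states what it actually checks. The `self.deserialize(self.fmt, res)` result is discarded, matching the neighbouring tests, so that is a pre-existing pattern rather than a new issue.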