Public bug reported:

Horizon can be made to expose internal data structures from HTTP
requests; this is a security hazard.

See for example:

GET /api/swift/containers/test01s/metadata/nonexistantFile.txt HTTP/1.1
Host: example.com
...

Response:

HTTP/1.1 404 Not Found
Date: Tue, 11 Sep 2018 19:30:11 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 98
Vary: Accept-Language,Cookie
X-Frame-Options: SAMEORIGIN
Content-Language: en
Content-Type: application/json

"Object HEAD failed:
http://123.456.789.012:8080/swift/v1/test01s/nonexistantFile.txt 404 Not
Found"

---------

Note, the Object Store endpoint is configured on the /project/api_access
page as "http://example.com:8080/swift/v1", so exposing the internal url
is incorrect.

It should return something like:
"Object HEAD failed:
http://example.com:8080/swift/v1/test01s/nonexistantFile.txt 404 Not Found",
or just hide the url altogether.

To reproduce:
1. Log into Horizon with Firefox
2. Open up Web Developer Tools
3. Navigate to Project -> Object Store -> Containers
4. Pick a GET from the Network tab in the developer tools that is for
/api/swift/containers, copy it as cURL and append
"test01s/metadata/nonexistantFile.txt" onto the end of the URL.

Note you need to do this quickly, otherwise the auth token will expire. If that
happens, just refresh the page and edit the request quickly.
5. Observe the url present in the response.

** Affects: horizon
     Importance: Undecided
         Status: New
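The fix the report asks for is to stop the backend's internal Swift URL from reaching the browser. The helper below is an added illustration, not Horizon's own code: it rewrites any URL that sits under the configured internal endpoint to the public endpoint shown on the api_access page, and redacts every other URL (or all URLs when no public endpoint is known). The endpoint values are constructed from the report; the function name and placeholder text are assumptions.

```python
import re
from urllib.parse import urlsplit

# Sample values taken from the bug report (constructed, not Horizon settings).
INTERNAL_ENDPOINT = "http://123.456.789.012:8080/swift/v1"
PUBLIC_ENDPOINT = "http://example.com:8080/swift/v1"

# Matches http(s) URLs embedded in free-text error messages.
_URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _origin(url):
    """Return (scheme, host:port) of a URL, lower-cased for comparison."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()


def sanitize_error_message(message, internal_endpoint, public_endpoint=None,
                           placeholder="<url redacted>"):
    """Rewrite internal-endpoint URLs to the public endpoint; redact the rest.

    A URL is rewritten only if its origin equals the internal endpoint's origin
    and its path continues the endpoint's path prefix on a '/' boundary.  Any
    other URL, and every URL when no public endpoint is configured, becomes the
    placeholder so an unexpected internal address cannot leak through.
    """
    int_origin = _origin(internal_endpoint)
    int_prefix = urlsplit(internal_endpoint).path.rstrip("/")
    pub_prefix = public_endpoint.rstrip("/") if public_endpoint else None

    def _replace(match):
        url = match.group(0)
        parts = urlsplit(url)
        remainder = parts.path[len(int_prefix):]
        if (pub_prefix and _origin(url) == int_origin
                and parts.path.startswith(int_prefix)
                and (remainder == "" or remainder.startswith("/"))):
            rebuilt = pub_prefix + remainder
            if parts.query:
                rebuilt += "?" + parts.query
            return rebuilt
        return placeholder

    return _URL_RE.sub(_replace, message)
```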

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1794767

Title:
  Horizon exposes url in Swift error message

Status in OpenStack Dashboard (Horizon):
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1794767/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
