Reviewed: https://review.opendev.org/c/openstack/keystone/+/934727
Committed: https://opendev.org/openstack/keystone/commit/ae4e54148a2b3594c7cb246c50ba956dce52fdc3
Submitter: "Zuul (22348)"
Branch: master

commit ae4e54148a2b3594c7cb246c50ba956dce52fdc3
Author: Tobias Urdin <tobias.ur...@binero.com>
Date:   Tue Nov 12 09:51:24 2024 +0100

    Unify response code for EC2_S3_Resource

    When looking up the credential we don't catch the CredentialNotFound
    exception, which causes us to return a 404 Not Found response code to
    the client, which is fine, but since we don't catch it we also output
    the entire exception to stderr.

    This changes it so that we instead catch the CredentialNotFound
    exception and raise a NotFound exception, which retains the behaviour
    but does not pollute the logs with long tracebacks.

    This also addresses a security concern: if the credential is found but
    is of the wrong type we throw an Unauthorized response code but say in
    the message that the "EC2 access key is not found". This could
    potentially be used for doing an enumeration attack, trying to figure
    out if a credential exists or not. To fix this we change the response
    code from Unauthorized to Not Found, which makes it impossible to know
    which part of the code raised the error from the outside.

    Closes-Bug: #2077541
    Change-Id: I0ffeaf032ccdfcd99da27719cf90451a5855af81

** Changed in: keystone
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/2077541

Title:
  CredentialNotFound not caught and enumerating credentials using the
  EC2_S3_Resource

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  I'm reporting this as a security related bug just in case; if it's
  unsuitable for that just let me know and I'll push the patch directly
  upstream.

  Below is from commit msg:

  When looking up the credential we don't catch the CredentialNotFound
  exception, which causes us to return a 404 Not Found response code to
  the client, which is fine, but since we don't catch it we also output
  the entire exception to stderr.

  This changes it so that we instead catch the CredentialNotFound
  exception and raise a NotFound exception, which retains the behaviour
  but does not pollute the logs with long tracebacks.

  This also addresses a security concern: if the credential is found but
  is of the wrong type we throw an Unauthorized response code but say in
  the message that the "EC2 access key is not found". This could
  potentially be used for doing an enumeration attack, trying to figure
  out if a credential exists or not. To fix this we change the response
  code from Unauthorized to Not Found, which makes it impossible to know
  which part of the code raised the error from the outside.

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
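To make the enumeration point in the commit message concrete, here is an added Python sketch (not keystone's own code) that models the two lookup paths before and after the change and checks whether an outside caller can tell "credential missing" from "credential of the wrong type". The exception classes, the credential store and the handler functions are stand-ins constructed for this example.

```python
# Stand-ins for the keystone exception classes named in the commit message.
# Only the HTTP status code is modelled here.
class NotFound(Exception):
    code = 404


class Unauthorized(Exception):
    code = 401


class CredentialNotFound(NotFound):
    pass


# Constructed credential store: access key id -> credential type. No real keys.
CREDENTIALS = {"access-a": "ec2", "access-b": "cert"}


def get_credential(cred_id):
    """Backend lookup: raises CredentialNotFound when the id does not exist."""
    try:
        return CREDENTIALS[cred_id]
    except KeyError:
        raise CredentialNotFound(cred_id)


def lookup_before(access):
    """Pre-fix shape: CredentialNotFound propagates uncaught (404 plus a
    traceback in the log); a wrong-type credential yields 401 instead."""
    cred_type = get_credential(access)
    if cred_type != "ec2":
        raise Unauthorized("EC2 access key not found")
    return cred_type


def lookup_after(access):
    """Post-fix shape: both failure paths raise NotFound with one message,
    so the response code and body no longer reveal which check failed."""
    try:
        cred_type = get_credential(access)
    except CredentialNotFound:
        raise NotFound("EC2 access key not found")
    if cred_type != "ec2":
        raise NotFound("EC2 access key not found")
    return cred_type


def observe(handler, access):
    """Return (status code, message) exactly as an outside caller sees it."""
    try:
        handler(access)
        return 200, "ok"
    except (NotFound, Unauthorized) as e:
        return e.code, str(e)


def distinguishable(handler):
    """True when a missing id and a wrong-type id produce different responses,
    i.e. when the endpoint leaks whether the credential exists."""
    return observe(handler, "missing") != observe(handler, "access-b")
```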