author | Drew Fisher <drew.fisher@oracle.com> |
Thu, 23 Mar 2017 08:04:21 -0700 | |
changeset 7801 | 0dc67d04f8bb |
permissions | -rw-r--r-- |
25772305 problem in SERVICE/NOVA
Upstream patch to address CVE-2017-7214. We assume 'circural' below is |
a typo for 'circular' but we took the comment verbatim from upstream. |
|
From 305cdb38db47258909ef83d5918c7c85ef9d7a5b Mon Sep 17 00:00:00 2001 |
From: Balazs Gibizer <[email protected]> |
Date: Fri, 17 Mar 2017 11:24:49 +0100 |
Subject: [PATCH] do not include context to exception notification |
|
The wrap_exception decorator optionally emitted a notification. |
Based on the code comments the original intention was not to include the |
context to that notification due to security reasons. However the |
implementation did include the context to the payload of the legacy |
notification. |
|
Recently we saw circural reference errors during the payload serialization |
of this notification. Based on the logs the only complex data structure |
that could cause circural reference is the context. So this patch |
removes the context from the legacy exception notification. |
|
The versioned exception notification is not affected as it does not |
contain the args of the decorated function. |
|
Conflicts: |
nova/exception_wrapper.py |
nova/tests/unit/test_exception.py |
|
NOTE(mriedem): The conflict is due to some refactor in Newton: |
6329d721ef326488d5d660e4f68febf563ed93ab |
|
Closes-Bug: #1673375 |
Change-Id: I1d217620e52d45595a3e0e49ed57b4ab33cd1688 |
(cherry picked from commit 3bf177a59cfd0b4e74dba256c3466ba2ea9bfbf7) |
(cherry picked from commit a8a1915456a86f504d23f215867da730d436fe33) |
(cherry picked from commit d0ee248bab6727555561c15998c58a0f11a5351b) |
--- |
nova/exception.py | 4 ++++ |
nova/tests/unit/test_exception.py | 1 + |
2 files changed, 5 insertions(+) |
|
diff --git a/nova/exception.py b/nova/exception.py |
index 40b82bf..848b0f0 100644 |
--- a/nova/exception.py |
+++ b/nova/exception.py |
@@ -97,6 +97,10 @@ def wrap_exception(notifier=None, get_notifier=None): |
# self can't be serialized and shouldn't be in the |
# payload |
call_dict.pop('self', None) |
+ # NOTE(gibi) remove context as well as it contains |
+ # sensitive information and it can also contain |
+ # circular references |
+ call_dict.pop('context', None) |
cleansed = _cleanse_dict(call_dict) |
payload.update({'args': cleansed}) |
|
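Review bot: The added `call_dict.pop('context', None)` ahead of `_cleanse_dict(call_dict)` only drops the request context when the decorated function's parameter is literally named `context`; a wrapped function that names it differently, or receives the context inside another argument, would still have it passed through to `payload['args']`. Consider documenting that naming requirement in the NOTE(gibi) comment, or filtering on the value's type as well as the key, so both the sensitive-data and circular-reference concerns stated in the comment hold regardless of the parameter name.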
diff --git a/nova/tests/unit/test_exception.py b/nova/tests/unit/test_exception.py |
index 6a3b2b7..17f61ef 100644 |
--- a/nova/tests/unit/test_exception.py |
+++ b/nova/tests/unit/test_exception.py |
@@ -62,6 +62,7 @@ class WrapExceptionTestCase(test.NoDBTestCase): |
self.assertEqual(3, notifier.provided_payload['args']['extra']) |
for key in ['exception', 'args']: |
self.assertIn(key, notifier.provided_payload.keys()) |
+ self.assertNotIn('context', notifier.provided_payload['args'].keys()) |
|
|
class NovaExceptionTestCase(test.NoDBTestCase): |
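Review bot: The added `assertNotIn('context', notifier.provided_payload['args'].keys())` proves the fix only if the wrapped call in this test actually receives an argument named `context`, and the visible context lines (which check only `extra`, `exception` and `args`) do not show that it does. Confirm the test invokes the decorated function with a context value, so the assertion would fail without the `pop`. The `.keys()` call is also unnecessary, since `assertNotIn` works directly on the dict, and a case with a self-referencing context object would cover the serialization failure the commit message describes.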
-- |
1.9.1 |