Bug 2061324

Summary:	security group called 'new' causes server error
Product:	Red Hat OpenStack	Reporter:	Pierre Prinetti <pprinett>
Component:	openstack-neutron	Assignee:	Miro Tomaska <mtomaska>
Status:	CLOSED WONTFIX	QA Contact:	Eran Kuris <ekuris>
Severity:	low	Docs Contact:
Priority:	low
Version:	17.1 (Wallaby)	CC:	chrisw, mlavalle, mtomaska, scohen
Target Milestone:	---	Keywords:	Triaged
Target Release:	---	Flags:	ifrangs: needinfo? (mtomaska)
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2023-07-25 20:44:18 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Pierre Prinetti 2022-03-07 12:12:34 UTC

Description of problem:

A security group with name 'new' causes Neutron to respond with an HTTP code 500 when interrogated by name.

```
$ openstack security group create new
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field           | Value                                                                                                                                                 |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at      | 2022-03-07T12:08:08Z                                                                                                                                  |
| description     | new                                                                                                                                                   |
| id              | 5644b12c-7c98-4726-8b6d-3df6d199e7c5                                                                                                                  |
| name            | new                                                                                                                                                   |
| project_id      | df04f3429dae4b8b84a75fea2c9f0a80                                                                                                                      |
| revision_number | 1                                                                                                                                                     |
| rules           | created_at='2022-03-07T12:08:08Z', direction='egress', ethertype='IPv4', id='580a3adc-e55a-4c24-be3f-2e5f6dca5f6f', updated_at='2022-03-07T12:08:08Z' |
|                 | created_at='2022-03-07T12:08:08Z', direction='egress', ethertype='IPv6', id='96a1ed6d-f9e0-49ca-804a-08060634a421', updated_at='2022-03-07T12:08:08Z' |
| stateful        | None                                                                                                                                                  |
| tags            | []                                                                                                                                                    |
| updated_at      | 2022-03-07T12:08:08Z                                                                                                                                  |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+

$ openstack security group show new
Error while executing command: HttpException: 500, Request Failed: internal server error while processing your request.

$ openstack security group show 5644b12c-7c98-4726-8b6d-3df6d199e7c5
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field           | Value                                                                                                                                                 |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at      | 2022-03-07T12:08:08Z                                                                                                                                  |
| description     | new                                                                                                                                                   |
| id              | 5644b12c-7c98-4726-8b6d-3df6d199e7c5                                                                                                                  |
| name            | new                                                                                                                                                   |
| project_id      | df04f3429dae4b8b84a75fea2c9f0a80                                                                                                                      |
| revision_number | 1                                                                                                                                                     |
| rules           | created_at='2022-03-07T12:08:08Z', direction='egress', ethertype='IPv4', id='580a3adc-e55a-4c24-be3f-2e5f6dca5f6f', updated_at='2022-03-07T12:08:08Z' |
|                 | created_at='2022-03-07T12:08:08Z', direction='egress', ethertype='IPv6', id='96a1ed6d-f9e0-49ca-804a-08060634a421', updated_at='2022-03-07T12:08:08Z' |
| stateful        | None                                                                                                                                                  |
| tags            | []                                                                                                                                                    |
| updated_at      | 2022-03-07T12:08:08Z                                                                                                                                  |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
```

How reproducible: 100% on my machine

Steps to Reproduce:
1. openstack security group create new
2. openstack security group show new

Actual results:
Error while executing command: HttpException: 500, Request Failed: internal server error while processing your request.


Expected results:
the same as requesting by ID

Additional info:

```
$ openstack security group show new --debug

# [...]
REQ: curl -g -i --cacert "/var/home/pierre/.config/openstack/standalone-ca.crt" -X GET https://192.168.2.1:13696/v2.0/security-groups/new -H "User-Agent: openstacksdk/0.55.0 keystoneauth1/4.3.1 python-requests/2.27.0 CPython/3.10.2" -H "X-Auth-Token: {SHA256}cc8c7e43c7ad1eca77874f361feda446680ca2eedf437de09a6a100f0098ebf8"
Starting new HTTPS connection (1): 192.168.2.1:13696
https://192.168.2.1:13696 "GET /v2.0/security-groups/new HTTP/1.1" 500 150
RESP: [500] Content-Length: 150 Content-Type: application/json Date: Mon, 07 Mar 2022 12:11:25 GMT X-Openstack-Request-Id: req-b87358fb-9a4e-4642-a9ec-ca5e69fa3131
RESP BODY: {"NeutronError": {"type": "HTTPInternalServerError", "message": "Request Failed: internal server error while processing your request.", "detail": ""}}
GET call to network for https://192.168.2.1:13696/v2.0/security-groups/new used request id req-b87358fb-9a4e-4642-a9ec-ca5e69fa3131
Error while executing command: HttpException: 500, Request Failed: internal server error while processing your request.
Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/openstackclient/network/common.py", line 248, in take_action
    return self.take_action_network(
  File "/usr/lib/python3.10/site-packages/openstackclient/network/v2/security_group.py", line 403, in take_action_network
    obj = client.find_security_group(parsed_args.group,
  File "/usr/lib/python3.10/site-packages/openstack/network/v2/_proxy.py", line 3242, in find_security_group
    return self._find(_security_group.SecurityGroup, name_or_id,
  File "/usr/lib/python3.10/site-packages/openstack/proxy.py", line 369, in _find
    return resource_type.find(self, name_or_id,
  File "/usr/lib/python3.10/site-packages/openstack/resource.py", line 1923, in find
    return match.fetch(session, **params)
  File "/usr/lib/python3.10/site-packages/openstack/resource.py", line 1461, in fetch
    self._translate_response(response, **kwargs)
  File "/usr/lib/python3.10/site-packages/openstack/resource.py", line 1158, in _translate_response
    exceptions.raise_from_response(response, error_message=error_message)
  File "/usr/lib/python3.10/site-packages/openstack/exceptions.py", line 236, in raise_from_response
    raise cls(
openstack.exceptions.HttpException: HttpException: 500: Server Error for url: https://192.168.2.1:13696/v2.0/security-groups/new, Request Failed: internal server error while processing your request.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/cliff/app.py", line 402, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python3.10/site-packages/osc_lib/command/command.py", line 39, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python3.10/site-packages/cliff/display.py", line 115, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python3.10/site-packages/openstackclient/network/common.py", line 257, in take_action
    raise exceptions.CommandError(msg)
osc_lib.exceptions.CommandError: Error while executing command: HttpException: 500, Request Failed: internal server error while processing your request.
clean_up ShowSecurityGroup: Error while executing command: HttpException: 500, Request Failed: internal server error while processing your request.
END return value: 1
```

Comment 1 Pierre Prinetti 2022-03-07 12:29:34 UTC

This happens on TripleO standalone, but I have reproduced on a public cloud.

On my standalone, here are the corresponding Neutron server logs:

```
2022-03-07 12:27:50.594 20 ERROR neutron.api.v2.resource [req-04484587-cff0-45e5-8b7d-da6b7cf7d911 1a06fd8e47a34b3f812cbbe936f38d09 d5c2aa2a5049492589e9a322bcd9d172 - default default] new failed: No details.: AttributeError
2022-03-07 12:27:50.594 20 ERROR neutron.api.v2.resource Traceback (most recent call last):
2022-03-07 12:27:50.594 20 ERROR neutron.api.v2.resource   File "/usr/lib/python3.6/site-packages/neutron/api/v2/resource.py", line 97, in resource
2022-03-07 12:27:50.594 20 ERROR neutron.api.v2.resource     method = getattr(controller, action)
2022-03-07 12:27:50.594 20 ERROR neutron.api.v2.resource   File "/usr/lib/python3.6/site-packages/neutron/api/v2/base.py", line 263, in __getattr__
2022-03-07 12:27:50.594 20 ERROR neutron.api.v2.resource     raise AttributeError()
2022-03-07 12:27:50.594 20 ERROR neutron.api.v2.resource AttributeError
2022-03-07 12:27:50.594 20 ERROR neutron.api.v2.resource
2022-03-07 12:27:50.595 20 INFO neutron.wsgi [req-04484587-cff0-45e5-8b7d-da6b7cf7d911 1a06fd8e47a34b3f812cbbe936f38d09 d5c2aa2a5049492589e9a322bcd9d172 - default default] 10.254.1.1 "GET /v2.0/security-groups/new HTTP/1.1" status: 500  len: 344 time: 0.3884084
```

Comment 2 Pierre Prinetti 2022-03-07 12:31:38 UTC

Marked as security-sensitive until someone more expert than me excludes this to be a remote code execution channel.

Comment 3 Nick Tait 2022-03-10 19:23:00 UTC

On a default RHSOP install who (Admin/User/Anybody) can create security groups? Could this setting further be restricted by policy?

There's something specific to the name "new" which is triggering the issue? Presumably it is being interpreted wrong. It does not have to do with being 3 characters long or some other condition?

Is the group of users who can query the security groups the same as who can create security groups? Are there other operations which can trigger it (show all security groups or rename to/from "new")? 

When the 500 error happens is there any other impact to Neutron than the attribute error? If a malicious individual ran that command repeatedly forever, would any services be degraded or fail completely? Would it be detrimental to the logs (using up storage space or a loud/spammy method to hide something more malicious they accomplished)?

Comment 4 Pierre Prinetti 2022-04-01 12:16:57 UTC

Of all these good questions, there is only one I can answer: not all three-letter names trigger the issue. Also, I have not fund any other name triggering the issue so far.

For the record, I could use these strings as security group names without issue: "old" "init" "append" "raise" "proxy" "in" "True".

Comment 5 Nick Tait 2022-04-12 22:54:55 UTC

While this flaw does have a security impact, it seems quite minimal. I don't see reason enough to keep this bug private.

Comment 6 Pierre Prinetti 2023-03-24 13:17:06 UTC

(In reply to Nick Tait from comment #5)
> While this flaw does have a security impact, it seems quite minimal. I don't
> see reason enough to keep this bug private.

OK! However I don't think anybody but you can make this report public. Or can I?

Comment 7 Nick Tait 2023-03-29 17:38:35 UTC

Sounds good, making it public now.

Comment 8 Miro Tomaska 2023-04-08 03:38:12 UTC

It appears that wsgiorg routing args[1] are not parsed properly where the name "new" becomes the action[2]. For example,

(Pdb) pp route_args
(<routes.util.URLGenerator object at 0x7f9358b86ac0>,
 {'action': 'new',
  'controller': <wsgify at 140270746228240 wrapping <function Resource.<locals>.resource at 0x7f93589020d0>>})

where in a situation where the security group name is "sg1" the route_args look like this
(Pdb) pp route_args
(<routes.util.URLGenerator object at 0x7f9358b8d5b0>,
 {'action': 'show',
  'controller': <wsgify at 140270746228240 wrapping <function Resource.<locals>.resource at 0x7f93589020d0>>,
  'id': 'sg1'})

Side note, `openstack router show new` has the same problem.

[1] https://github.com/openstack/neutron/blob/master/neutron/api/v2/resource.py#L55
[2] https://github.com/openstack/neutron/blob/master/neutron/api/v2/resource.py#L65