Description of problem:
A security group with name 'new' causes Neutron to respond with an HTTP code 500 when interrogated by name.

```
$ openstack security group create new
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field           | Value                                                                                                                                                 |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at      | 2022-03-07T12:08:08Z                                                                                                                                  |
| description     | new                                                                                                                                                   |
| id              | 5644b12c-7c98-4726-8b6d-3df6d199e7c5                                                                                                                  |
| name            | new                                                                                                                                                   |
| project_id      | df04f3429dae4b8b84a75fea2c9f0a80                                                                                                                      |
| revision_number | 1                                                                                                                                                     |
| rules           | created_at='2022-03-07T12:08:08Z', direction='egress', ethertype='IPv4', id='580a3adc-e55a-4c24-be3f-2e5f6dca5f6f', updated_at='2022-03-07T12:08:08Z' |
|                 | created_at='2022-03-07T12:08:08Z', direction='egress', ethertype='IPv6', id='96a1ed6d-f9e0-49ca-804a-08060634a421', updated_at='2022-03-07T12:08:08Z' |
| stateful        | None                                                                                                                                                  |
| tags            | []                                                                                                                                                    |
| updated_at      | 2022-03-07T12:08:08Z                                                                                                                                  |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
$ openstack security group show new
Error while executing command: HttpException: 500, Request Failed: internal server error while processing your request.

$ openstack security group show 5644b12c-7c98-4726-8b6d-3df6d199e7c5
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field           | Value                                                                                                                                                 |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at      | 2022-03-07T12:08:08Z                                                                                                                                  |
| description     | new                                                                                                                                                   |
| id              | 5644b12c-7c98-4726-8b6d-3df6d199e7c5                                                                                                                  |
| name            | new                                                                                                                                                   |
| project_id      | df04f3429dae4b8b84a75fea2c9f0a80                                                                                                                      |
| revision_number | 1                                                                                                                                                     |
| rules           | created_at='2022-03-07T12:08:08Z', direction='egress', ethertype='IPv4', id='580a3adc-e55a-4c24-be3f-2e5f6dca5f6f', updated_at='2022-03-07T12:08:08Z' |
|                 | created_at='2022-03-07T12:08:08Z', direction='egress', ethertype='IPv6', id='96a1ed6d-f9e0-49ca-804a-08060634a421', updated_at='2022-03-07T12:08:08Z' |
| stateful        | None                                                                                                                                                  |
| tags            | []                                                                                                                                                    |
| updated_at      | 2022-03-07T12:08:08Z                                                                                                                                  |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
```

How reproducible:
100% on my machine

Steps to Reproduce:
1. openstack security group create new
2. openstack security group show new

Actual results:
Error while executing command: HttpException: 500, Request Failed: internal server error while processing your request.

Expected results:
the same as requesting by ID

Additional info:
```
$ openstack security group show new --debug
# [...]
REQ: curl -g -i --cacert "/var/home/pierre/.config/openstack/standalone-ca.crt" -X GET https://192.168.2.1:13696/v2.0/security-groups/new -H "User-Agent: openstacksdk/0.55.0 keystoneauth1/4.3.1 python-requests/2.27.0 CPython/3.10.2" -H "X-Auth-Token: {SHA256}cc8c7e43c7ad1eca77874f361feda446680ca2eedf437de09a6a100f0098ebf8"
Starting new HTTPS connection (1): 192.168.2.1:13696
https://192.168.2.1:13696 "GET /v2.0/security-groups/new HTTP/1.1" 500 150
RESP: [500] Content-Length: 150 Content-Type: application/json Date: Mon, 07 Mar 2022 12:11:25 GMT X-Openstack-Request-Id: req-b87358fb-9a4e-4642-a9ec-ca5e69fa3131
RESP BODY: {"NeutronError": {"type": "HTTPInternalServerError", "message": "Request Failed: internal server error while processing your request.", "detail": ""}}
GET call to network for https://192.168.2.1:13696/v2.0/security-groups/new used request id req-b87358fb-9a4e-4642-a9ec-ca5e69fa3131
Error while executing command: HttpException: 500, Request Failed: internal server error while processing your request.
Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/openstackclient/network/common.py", line 248, in take_action
    return self.take_action_network(
  File "/usr/lib/python3.10/site-packages/openstackclient/network/v2/security_group.py", line 403, in take_action_network
    obj = client.find_security_group(parsed_args.group,
  File "/usr/lib/python3.10/site-packages/openstack/network/v2/_proxy.py", line 3242, in find_security_group
    return self._find(_security_group.SecurityGroup, name_or_id,
  File "/usr/lib/python3.10/site-packages/openstack/proxy.py", line 369, in _find
    return resource_type.find(self, name_or_id,
  File "/usr/lib/python3.10/site-packages/openstack/resource.py", line 1923, in find
    return match.fetch(session, **params)
  File "/usr/lib/python3.10/site-packages/openstack/resource.py", line 1461, in fetch
    self._translate_response(response, **kwargs)
  File "/usr/lib/python3.10/site-packages/openstack/resource.py", line 1158, in _translate_response
    exceptions.raise_from_response(response, error_message=error_message)
  File "/usr/lib/python3.10/site-packages/openstack/exceptions.py", line 236, in raise_from_response
    raise cls(
openstack.exceptions.HttpException: HttpException: 500: Server Error for url: https://192.168.2.1:13696/v2.0/security-groups/new, Request Failed: internal server error while processing your request.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/cliff/app.py", line 402, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python3.10/site-packages/osc_lib/command/command.py", line 39, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python3.10/site-packages/cliff/display.py", line 115, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python3.10/site-packages/openstackclient/network/common.py", line 257, in take_action
    raise exceptions.CommandError(msg)
osc_lib.exceptions.CommandError: Error while executing command: HttpException: 500, Request Failed: internal server error while processing your request.
clean_up ShowSecurityGroup: Error while executing command: HttpException: 500, Request Failed: internal server error while processing your request.
END return value: 1
```
This happens on TripleO standalone, but I have reproduced it on a public cloud. On my standalone, here are the corresponding Neutron server logs:

```
2022-03-07 12:27:50.594 20 ERROR neutron.api.v2.resource [req-04484587-cff0-45e5-8b7d-da6b7cf7d911 1a06fd8e47a34b3f812cbbe936f38d09 d5c2aa2a5049492589e9a322bcd9d172 - default default] new failed: No details.: AttributeError
2022-03-07 12:27:50.594 20 ERROR neutron.api.v2.resource Traceback (most recent call last):
2022-03-07 12:27:50.594 20 ERROR neutron.api.v2.resource   File "/usr/lib/python3.6/site-packages/neutron/api/v2/resource.py", line 97, in resource
2022-03-07 12:27:50.594 20 ERROR neutron.api.v2.resource     method = getattr(controller, action)
2022-03-07 12:27:50.594 20 ERROR neutron.api.v2.resource   File "/usr/lib/python3.6/site-packages/neutron/api/v2/base.py", line 263, in __getattr__
2022-03-07 12:27:50.594 20 ERROR neutron.api.v2.resource     raise AttributeError()
2022-03-07 12:27:50.594 20 ERROR neutron.api.v2.resource AttributeError
2022-03-07 12:27:50.594 20 ERROR neutron.api.v2.resource 
2022-03-07 12:27:50.595 20 INFO neutron.wsgi [req-04484587-cff0-45e5-8b7d-da6b7cf7d911 1a06fd8e47a34b3f812cbbe936f38d09 d5c2aa2a5049492589e9a322bcd9d172 - default default] 10.254.1.1 "GET /v2.0/security-groups/new HTTP/1.1" status: 500 len: 344 time: 0.3884084
```
Marked as security-sensitive until someone more expert than me rules this out as a remote code execution channel.
On a default RHOSP install, who (Admin/User/Anybody) can create security groups? Could this setting be further restricted by policy?
Is there something specific to the name "new" which is triggering the issue? Presumably it is being interpreted wrongly. It does not have to do with being 3 characters long or some other condition?
Is the group of users who can query the security groups the same as those who can create security groups?
Are there other operations which can trigger it (show all security groups, or rename to/from "new")?
When the 500 error happens, is there any other impact to Neutron than the attribute error? If a malicious individual ran that command repeatedly forever, would any services be degraded or fail completely? Would it be detrimental to the logs (using up storage space, or a loud/spammy method to hide something more malicious they accomplished)?
Of all these good questions, there is only one I can answer: not all three-letter names trigger the issue. Also, I have not found any other name triggering the issue so far. For the record, I could use these strings as security group names without issue: "old", "init", "append", "raise", "proxy", "in", "True".
While this flaw does have a security impact, it seems quite minimal. I don't see reason enough to keep this bug private.
(In reply to Nick Tait from comment #5)
> While this flaw does have a security impact, it seems quite minimal. I don't
> see reason enough to keep this bug private.

OK! However, I don't think anybody but you can make this report public. Or can I?
Sounds good, making it public now.
It appears that wsgiorg routing args [1] are not parsed properly, where the name "new" becomes the action [2]. For example:

```
(Pdb) pp route_args
(<routes.util.URLGenerator object at 0x7f9358b86ac0>,
 {'action': 'new',
  'controller': <wsgify at 140270746228240 wrapping <function Resource.<locals>.resource at 0x7f93589020d0>>})
```

whereas when the security group name is "sg1" the route_args look like this:

```
(Pdb) pp route_args
(<routes.util.URLGenerator object at 0x7f9358b8d5b0>,
 {'action': 'show',
  'controller': <wsgify at 140270746228240 wrapping <function Resource.<locals>.resource at 0x7f93589020d0>>,
  'id': 'sg1'})
```

Side note, `openstack router show new` has the same problem.

[1] https://github.com/openstack/neutron/blob/master/neutron/api/v2/resource.py#L55
[2] https://github.com/openstack/neutron/blob/master/neutron/api/v2/resource.py#L65
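The route-precedence collision described in the comment above, as an added, constructed example that is not Neutron's or the Routes library's code: a minimal Python model of a Rails-style resource route table in which the literal `/<collection>/new` route is registered ahead of the `/<collection>/{id}` member route, a controller whose `__getattr__` raises a bare `AttributeError` for unknown actions as in the traceback, and a dispatcher that turns that into a 500. The route order, the `Controller` class, the `dispatch` and `colliding_names` helpers and the sample rows are all assumptions made for illustration. The `colliding_names` check generalises the observation to any collection (the comment notes routers behave the same way) and shows that only "new" is shadowed, while a list filtered by name (`GET /security-groups?name=new`) still reaches the object.

```python
import re
from typing import Dict, List, Optional

# Route table in the order a Rails-style resource mapper registers it.
# Constructed to mirror the routing seen in the pdb output above (assumption);
# the real mapper emits more entries, but the precedence that matters is that
# the literal '/new' route is tried before the '/{id}' member route.
def resource_routes(collection: str) -> List[tuple]:
    c = re.escape(collection)
    return [
        ("GET",    re.compile(rf"^/{c}$"),                    "index"),
        ("POST",   re.compile(rf"^/{c}$"),                    "create"),
        ("GET",    re.compile(rf"^/{c}/new$"),                "new"),   # Rails 'new form' route
        ("GET",    re.compile(rf"^/{c}/(?P<id>[^/]+)/edit$"), "edit"),  # Rails 'edit form' route
        ("GET",    re.compile(rf"^/{c}/(?P<id>[^/]+)$"),      "show"),
        ("PUT",    re.compile(rf"^/{c}/(?P<id>[^/]+)$"),      "update"),
        ("DELETE", re.compile(rf"^/{c}/(?P<id>[^/]+)$"),      "delete"),
    ]


def match_route(routes, method: str, path: str) -> Optional[Dict[str, str]]:
    """Return the routing args ('action' plus any path variables) of the first
    matching route, or None. First match wins, so '/new' never reaches 'show'."""
    for route_method, pattern, action in routes:
        if route_method != method:
            continue
        found = pattern.match(path)
        if found:
            args = {"action": action}
            args.update(found.groupdict())
            return args
    return None


class Controller:
    """Stand-in for an API controller that implements only CRUD read actions.
    As in the traceback on this page, any other attribute name raises a bare
    AttributeError (hypothetical class, not Neutron's)."""

    def __init__(self, rows: Dict[str, Dict[str, str]]):
        self.rows = rows

    def index(self, name: Optional[str] = None):
        return 200, [r for r in self.rows.values() if name is None or r["name"] == name]

    def show(self, id: str):
        row = self.rows.get(id)
        return (200, row) if row is not None else (404, None)

    def __getattr__(self, name):
        raise AttributeError()


def dispatch(controller, routes, method: str, path: str, query=None):
    """Route and call like a wsgified resource wrapper: no route -> 404,
    a route whose action the controller lacks -> 500 (the failure on this page)."""
    args = match_route(routes, method, path)
    if args is None:
        return 404, None
    action = args.pop("action")
    try:
        handler = getattr(controller, action)
    except AttributeError:
        return 500, None
    return handler(**args, **(query or {}))


def colliding_names(collection: str, candidates) -> List[str]:
    """Names that cannot be fetched via GET /<collection>/<name> because a
    literal route shadows the '{id}' slot."""
    routes = resource_routes(collection)
    return [
        name for name in candidates
        if match_route(routes, "GET", f"/{collection}/{name}") != {"action": "show", "id": name}
    ]


# Constructed sample data; the first ID and name are the ones from the report above.
SAMPLE_ROWS = {
    "5644b12c-7c98-4726-8b6d-3df6d199e7c5": {"id": "5644b12c-7c98-4726-8b6d-3df6d199e7c5", "name": "new"},
    "1f2d9a4e-0000-4000-8000-000000000001": {"id": "1f2d9a4e-0000-4000-8000-000000000001", "name": "sg1"},
}
ROUTES = resource_routes("security-groups")
CTRL = Controller(SAMPLE_ROWS)

if __name__ == "__main__":
    for path in ("/security-groups/new", "/security-groups/sg1"):
        print(path, "->", match_route(ROUTES, "GET", path))
    print("GET /security-groups/new      ->", dispatch(CTRL, ROUTES, "GET", "/security-groups/new")[0])
    print("GET /security-groups?name=new ->", dispatch(CTRL, ROUTES, "GET", "/security-groups", {"name": "new"}))
    print("shadowed names:", colliding_names("security-groups", ["new", "old", "init", "edit", "sg1"]))
```

Note that "edit" does not collide as a plain name, because the Rails-style edit route only matches `/<collection>/<id>/edit`; only the bare `/new` segment sits in the same position as an ID. The SDK's name-or-ID lookup only falls back to a name filter on a 404, so a 500 on the ID path aborts the whole `show`.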