Bug 1511759 - callback_plugins/validation_output.py doesn't sanitize input
Summary: callback_plugins/validation_output.py doesn't sanitize input
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-validations
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: beta
Target Release: 14.0 (Rocky)
Assignee: RHOS Maint
QA Contact: grozov
URL:
Whiteboard:
Depends On: 1511757
Blocks: 1511758
Reported: 2017-11-10 03:37 UTC by Summer Long
Modified: 2019-01-11 11:49 UTC
CC: 10 users

Fixed In Version: openstack-tripleo-validations-9.1.1-0.20180706135914.d21e7fa.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1511757
Environment:
Last Closed: 2019-01-11 11:48:21 UTC




Links:
  Red Hat Product Errata RHEA-2019:0045 (last updated 2019-01-11 11:49:03 UTC)
  OpenStack gerrit 532531 (last updated 2018-01-10 13:40:22 UTC)

Description Summer Long 2017-11-10 03:37:06 UTC
+++ This bug was initially created as a clone of Bug #1511757 +++

Description of problem:
Callback plugins should use the CallbackBase._dump_results() method for no_log to take effect (and not just use raw results).  

However, there are two lines in: 
/usr/share/openstack-tripleo-validations/validations/callback_plugins/validation_output.py
which use raw results, and which could be an issue if those results are expected to hold secrets.

    def v2_runner_on_ok(self, result):
        results = result._result  # A dict of the module name etc.

    def v2_runner_on_failed(self, result, ignore_errors=False):
        result_dict = result._result  # A dict of the module name etc.

Unless results in these two lines are expected to hold secrets, this should just be a hardening bug.

Version-Release number of selected component (if applicable):
openstack-tripleo-validations-7.4.1-2.el7ost

Expected results:
Should do something like: self._dump_results(result._result)
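The following is an added example, not code from openstack-tripleo-validations or from Ansible, showing why the two raw `result._result` reads matter. The `TaskResult` class and the `_dump_results()` function are reduced stand-ins (an assumption) for Ansible's `ansible.executor.task_result.TaskResult` and `CallbackBase._dump_results()`: the executor marks a task that ran with `no_log: true` by setting `_ansible_no_log` in the result dict, and `_dump_results()` replaces such a result with a censored placeholder and strips the internal `_ansible_*` keys before anything is rendered. A callback that formats `result._result` itself never consults that flag. The sample module result is constructed, not captured from a deployment.

```python
"""Raw result._result versus CallbackBase._dump_results() in an Ansible callback.

Added example; TaskResult and _dump_results() are stand-ins (assumption) that
reproduce only the no_log handling of the real Ansible classes.
"""
import copy
import json

# Wording Ansible uses for a censored result (stand-in; see lead-in).
NO_LOG_PLACEHOLDER = ("the output has been hidden due to the fact that "
                      "'no_log: true' was specified for this result")


class TaskResult:
    """Minimal stand-in for ansible.executor.task_result.TaskResult."""

    def __init__(self, host, task_name, result):
        self._host = host
        self._task_name = task_name
        self._result = result  # raw module result dict, exactly as a callback sees it


def _dump_results(result, indent=None):
    """Stand-in for CallbackBase._dump_results(): honours the no_log marker and
    drops internal keys. (The real method also removes 'invocation', 'diff'
    and 'exception' at low verbosity; omitted here.)"""
    if result.get("_ansible_no_log", False):
        return json.dumps({"censored": NO_LOG_PLACEHOLDER})
    abridged = {k: v for k, v in copy.deepcopy(result).items()
                if not k.startswith("_ansible_")}
    return json.dumps(abridged, indent=indent, sort_keys=True)


def render_raw(task_result, status):
    """The pattern flagged in the bug (both v2_runner_on_ok and
    v2_runner_on_failed): format straight from result._result, so the
    no_log marker is never checked and internal keys leak too."""
    results = task_result._result
    return f"{status}: [{task_result._host}] {task_result._task_name} => " \
           f"{json.dumps(results, sort_keys=True)}"


def render_dumped(task_result, status):
    """The expected fix: let _dump_results() decide what may be shown."""
    return f"{status}: [{task_result._host}] {task_result._task_name} => " \
           f"{_dump_results(task_result._result)}"


def make_sample_result(no_log):
    """Constructed sample of what a command module could return when the task
    echoed a credential. '_ansible_parsed' is an internal key the executor adds."""
    result = {
        "changed": False,
        "rc": 0,
        "cmd": "env | grep OS_PASSWORD",
        "stdout": "OS_PASSWORD=hunter2",
        "_ansible_parsed": True,
    }
    if no_log:
        result["_ansible_no_log"] = True
    return TaskResult("controller-0", "check keystone credentials", result)


if __name__ == "__main__":
    secret_task = make_sample_result(no_log=True)
    print(render_raw(secret_task, "ok"))     # credential printed despite no_log
    print(render_dumped(secret_task, "ok"))  # censored placeholder only
    print(render_dumped(make_sample_result(no_log=False), "failed"))
```

`_dump_results()` is underscore-prefixed but is the method Ansible's own bundled callbacks call on `result._result`, so routing both hooks through it is the hardening asked for here; the raw-dict form gives the operator no way to keep a secret-bearing task out of the validation log.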

Comment 5 grozov 2018-11-11 08:17:05 UTC
What exactly is the fix? What am I supposed to test?

Comment 6 Ana Krivokapic 2018-11-12 09:15:26 UTC
This is a security hardening bug (see original bug report); there are no user-visible changes to test.

Comment 7 Udi 2018-11-15 08:12:28 UTC
Verified the fix is in: openstack-tripleo-validations-9.3.1-0.20181008110747.4064fb7.el7ost.noarch

Comment 10 errata-xmlrpc 2019-01-11 11:48:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:0045

