Bug #24276
open
mgr/dashboard: Missing input validation on the dashboard backend
0%
Description
The Ceph mgr dashboard's backend REST API needs to be made more robust by increasing the level of validation that is performed on incoming API requests.
Updated by Sebastian Wagner about 5 years ago
Do you have a concrete example, or is this a general issue?
Updated by Lenz Grimmer about 5 years ago
Sebastian Wagner wrote:
Do you have a concrete example, or is this a general issue?
I don't have a concrete example. As far as I recall, this is a general issue - I think I created this issue after some discussions about this during a standup meeting...
Updated by Lenz Grimmer almost 5 years ago
- Backport deleted (mimic)
- Affected Versions v13.2.0, v13.2.1, v13.2.2, v13.2.3, v13.2.4, v13.2.5, v13.2.6, v14.0.0, v14.2.0, v14.2.1, v15.0.0 added
Updated by Patrick Seidensal over 4 years ago
Sebastian Wagner wrote:
Do you have a concrete example, or is this a general issue?
The frontend prevents users from giving RBD images a name which contains slash or @ characters. This affects creation and editing of RBD images. When I disable this validation in the frontend, just for testing purposes, and edit an RBD image to be named `foobar/bar`, the dashboard backend just does that.
Such a name causes an error in the frontend when one tries to edit the RBD image.
This is just one example I was able to quickly come up with, but I think that there are many more.
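An added example, not part of the original tracker thread or the Ceph dashboard's code: a server-side check that repeats the frontend's RBD image name rule on both the create and edit paths, so a request that bypasses the frontend is rejected with a 400 instead of being applied. The `handle` dispatcher, the `ValidationError` class, the field names and the response shape are hypothetical.

```python
import re

# Assumption: mirrors the frontend rule described in the comment above
# (no "/" or "@" in an RBD image name). The non-empty and control-character
# checks are extra hardening chosen for this example.
_FORBIDDEN = re.compile(r"[/@]")
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


class ValidationError(ValueError):
    def __init__(self, field, reason):
        super().__init__(f"{field}: {reason}")
        self.field, self.reason = field, reason


def validate_image_name(value, field):
    if not isinstance(value, str) or not value:
        raise ValidationError(field, "must be a non-empty string")
    bad = _FORBIDDEN.search(value) or _CONTROL.search(value)
    if bad:
        raise ValidationError(field, f"must not contain {bad.group()!r}")
    return value


def handle(action, body):
    """Hypothetical dispatcher for RBD create/edit requests (JSON body as dict).

    Returns (http_status, payload). Validation runs here, on the server,
    regardless of what the client already checked.
    """
    try:
        if action == "create":
            name = validate_image_name(body.get("name"), "name")
            return 201, {"name": name}
        if action == "edit":
            name = body.get("image")
            # new_name is optional on edit, but validated whenever present.
            if "new_name" in body:
                name = validate_image_name(body["new_name"], "new_name")
            return 200, {"name": name}
        return 404, {"detail": "unknown action"}
    except ValidationError as e:
        return 400, {"field": e.field, "detail": e.reason}


if __name__ == "__main__":
    # Constructed requests: the second is the rename case from the comment above.
    print(handle("create", {"name": "foobar"}))
    print(handle("edit", {"image": "foobar", "new_name": "foobar/bar"}))
```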
Updated by Ernesto Puerta about 3 years ago
- Project changed from mgr to Dashboard
- Category changed from 132 to General