Bug #24276
open
mgr/dashboard: Missing input validation on the dashboard backend
Added by Lenz Grimmer almost 6 years ago.
Updated about 3 years ago.
Affected Versions:
Ceph - v13.2.0,
Ceph - v13.2.1,
Ceph - v13.2.2,
Ceph - v13.2.3,
Ceph - v13.2.4,
Ceph - v13.2.5,
Ceph - v13.2.6,
Ceph - v14.0.0,
Ceph - v14.2.0,
Ceph - v14.2.1,
Ceph - v15.0.0
Description
The Ceph mgr dashboard's backend REST API needs to be made more robust by increasing the level of validation that is performed on incoming API requests.
- Assignee deleted (Lenz Grimmer)
do you have a concrete example, or is this a general issue?
Sebastian Wagner wrote:
do you have a concrete example, or is this a general issue?
I don't have a concrete example. As far as I recall, this is a general issue - I think I created this issue after some discussions about this during a standup meeting...
- Backport deleted (mimic)
- Affected Versions v13.2.0, v13.2.1, v13.2.2, v13.2.3, v13.2.4, v13.2.5, v13.2.6, v14.0.0, v14.2.0, v14.2.1, v15.0.0 added
Sebastian Wagner wrote:
do you have a concrete example, or is this a general issue?
The frontend prevents users from giving RBD images a name which contains slash or @ characters. This affects creation and editing of RBD images. When I disable this validation in the frontend, just for testing purposes, and edit an RBD image to be named `foobar/bar`, the dashboard backend just does that.
Such a name causes an error in the frontend when trying to edit the RBD image.
This is just one example I was able to quickly come up with, but I think that there are many more.
- Project changed from mgr to Dashboard
- Category changed from 132 to General
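The RBD image name case reported above comes down to a rule enforced only in the frontend. A sketch of enforcing the same rule on the backend before a handler runs, as an added example that is not Ceph dashboard code: the handler names, `ValidationError`, `validated` and `dispatch` are hypothetical, and only the `/` and `@` rule comes from this issue.

```python
import functools

# Characters this issue says the frontend rejects in RBD image names.
FORBIDDEN_CHARS = frozenset("/@")

class ValidationError(Exception):
    """Hypothetical error type that the REST layer maps to HTTP 400."""
    status = 400

def validate_image_name(name):
    """Return name unchanged if acceptable, else raise ValidationError."""
    if not isinstance(name, str) or not name:
        raise ValidationError("image name must be a non-empty string")
    bad = sorted(FORBIDDEN_CHARS.intersection(name))
    if bad:
        raise ValidationError(
            "image name contains forbidden character(s): " + " ".join(bad))
    return name

def validated(field, optional=False):
    """Decorator: check one request parameter before the handler runs."""
    def wrap(handler):
        @functools.wraps(handler)
        def inner(**params):
            value = params.get(field)
            if value is not None or not optional:
                validate_image_name(value)
            return handler(**params)
        return inner
    return wrap

def dispatch(handler, **params):
    """Minimal stand-in for the REST layer: ValidationError becomes a 400."""
    try:
        return 200, handler(**params)
    except ValidationError as exc:
        return exc.status, {"detail": str(exc)}

# Stand-ins for backend endpoints; real handlers would call into RBD here.
@validated("name")
def create_image(pool_name=None, name=None, size=None):
    return {"pool_name": pool_name, "name": name, "size": size}

@validated("name", optional=True)
def edit_image(pool_name=None, image_name=None, name=None):
    # `name` is the optional new name in a rename request.
    return {"pool_name": pool_name, "name": name or image_name}
```

With the check in the backend, a request that bypasses the frontend form is rejected the same way as one that goes through it.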