Bug #24276
mgr/dashboard: Missing input validation on the dashboard backend
Description
The Ceph mgr dashboard's backend REST API needs to be made more robust by increasing the level of validation that is performed on incoming API requests.
History
#1 Updated by Lenz Grimmer over 5 years ago
- Assignee deleted (Lenz Grimmer)
#2 Updated by Sebastian Wagner about 5 years ago
Do you have a concrete example, or is this a general issue?
#3 Updated by Lenz Grimmer about 5 years ago
Sebastian Wagner wrote:
> do you have a concrete example, or is this a general issue?
I don't have a concrete example. As far as I recall, this is a general issue - I think I created this issue after some discussions about this during a standup meeting...
#4 Updated by Lenz Grimmer almost 5 years ago
- Backport deleted (mimic)
- Affected Versions v13.2.0, v13.2.1, v13.2.2, v13.2.3, v13.2.4, v13.2.5, v13.2.6, v14.0.0, v14.2.0, v14.2.1, v15.0.0 added
#5 Updated by Patrick Seidensal over 4 years ago
Sebastian Wagner wrote:
> do you have a concrete example, or is this a general issue?
The frontend prevents users from giving RBD images a name which contains slash or @ characters. This affects creation and editing of RBD images. When I disable this validation in the frontend, just for testing purposes, and edit an RBD image to be named `foobar/bar`, the dashboard backend just does that.
Such a name causes an error in the frontend when trying to edit the RBD image.
This is just one example I was able to quickly come up with, but I think that there are many more.
#6 Updated by Ernesto Puerta almost 3 years ago
- Project changed from mgr to Dashboard
- Category changed from 132 to General
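
Added example, not part of the thread and not Ceph dashboard code: a backend-side check for the case described in comment #5, rejecting RBD image names that contain `/` or `@` on both create and edit, even when a request bypasses the frontend. `ImageStore`, `validate_rbd_image_name` and `handle_request` are hypothetical names, and the non-empty-string rule is an assumption.

```python
# Hypothetical sketch; the in-memory store stands in for the real backend.
FORBIDDEN_CHARS = ("/", "@")  # characters the frontend rejects, per comment #5


class ValidationError(Exception):
    """Raised when a request field fails validation (maps to HTTP 400)."""
    status = 400


def validate_rbd_image_name(name):
    """Return the name unchanged if acceptable, else raise ValidationError."""
    if not isinstance(name, str) or not name:
        # Assumption: a name must be a non-empty string.
        raise ValidationError("image name must be a non-empty string")
    bad = [c for c in FORBIDDEN_CHARS if c in name]
    if bad:
        raise ValidationError("image name must not contain: " + " ".join(bad))
    return name


class ImageStore:
    """In-memory stand-in for the backend's create/edit handlers."""

    def __init__(self):
        self.images = {}

    def create(self, name, size):
        validate_rbd_image_name(name)
        if name in self.images:
            raise ValidationError("image already exists")
        self.images[name] = {"size": size}

    def rename(self, old_name, new_name):
        # Validate on edit as well as create: both paths take client input.
        validate_rbd_image_name(new_name)
        if old_name not in self.images:
            raise ValidationError("no such image")
        self.images[new_name] = self.images.pop(old_name)


def handle_request(store, action, **params):
    """Simulate a REST call sent straight to the backend, skipping the UI."""
    handlers = {"create": store.create, "rename": store.rename}
    if action not in handlers:
        return 404, "unknown action"
    try:
        handlers[action](**params)
        return 200, "ok"
    except ValidationError as exc:
        return exc.status, str(exc)
```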