MANTA-2409: Muskie pagination subject to Moray filter injection

Details

Issue Type: Bug
Priority: 3 - Elevated
Status: Resolved
Created at: 2014-08-16T01:03:43.000Z
Updated at: 2017-11-29T16:47:40.725Z

People

Created by: David Pacheco
Reported by: David Pacheco

Resolution

Fixed: A fix for this issue is checked into the tree and tested.
(Resolution Date: 2017-11-29T16:47:30.498Z)

Fix Versions

2017-12-07 Gold Saucer (Release Date: 2017-12-07)

Related Issues

Related Links

Description

While debugging MANTA-2404, I discovered that Moray inserts the "marker" that's used to paginate directory listings directly into the SQL query. As a result, you can induce errors by doing something like this:

$ env | grep MANTA_
MANTA_USER=dap
MANTA_KEY_ID=56:f3:e1:56:3d:e6:f7:83:a9:ce:19:5d:62:ba:5c:1f
MANTA_URL=https://172.26.5.11
MANTA_TLS_INSECURE=1

$ mls
-rwxr-xr-x 1 dap             0 Aug 15 17:55 a
-rwxr-xr-x 1 dap             0 Aug 15 17:55 b
-rwxr-xr-x 1 dap             0 Aug 15 17:55 b)
-rwxr-xr-x 1 dap             0 Aug 15 17:55 c
drwxr-xr-x 1 dap             0 Apr 08 14:57 cmd
-rwxr-xr-x 1 dap      17062152 Apr 08 14:56 cmd.tgz

$ url=$(msign '/dap/stor?limit=2&marker=b)'); curl -k -i $url
HTTP/1.1 500 Internal Server Error
Connection: close
Content-Type: application/json
Content-Length: 65
Content-MD5: d6SoJabjG5BOFuLYgMFtgQ==
Date: Sat, 16 Aug 2014 00:57:04 GMT
Server: Manta
x-request-id: 3d44c9b0-24e0-11e4-8ccd-35d0cd66ff69
x-response-time: 40
x-server-name: 204ac483-7e7e-4083-9ea2-c9ea22f459fd

{"code":"InternalError","message":"an unexpected error occurred"}

Muskie didn't crash, but here's the end of the log for this request:

[2014-08-16T00:57:04.729Z] DEBUG: muskie/MorayClient/71923 on 204ac483-7e7e-4083-9ea2-c9ea22f459fd: findObjects: entered (req_id=3d44c9b0-24e0-11e4-8ccd-35d0cd66ff69, host=electric-moray.staging.joyent.us, port=2020, fastClient=172.27.5.31-8, bucket=manta)
    filter: (&(owner=bc8cd146-fecb-11e1-bd8a-bb6f54b49808)(dirname=/bc8cd146-fecb-11e1-bd8a-bb6f54b49808/stor)(name>=b)))
    --
    options: {
      "hashkey": "/bc8cd146-fecb-11e1-bd8a-bb6f54b49808/stor",
      "headers": {},
      "limit": 2,
      "noCache": true,
      "no_count": true,
      "req_id": "3d44c9b0-24e0-11e4-8ccd-35d0cd66ff69",
      "sort": {
        "attribute": "name",
        "order": "ASC"
      },
      "sql_only": false
    }
[2014-08-16T00:57:04.733Z] DEBUG: muskie/MorayClient/71923 on 204ac483-7e7e-4083-9ea2-c9ea22f459fd: findObjects: failed (req_id=3d44c9b0-24e0-11e4-8ccd-35d0cd66ff69, host=electric-moray.staging.joyent.us, port=2020, fastClient=172.27.5.31-8)
    InvalidQueryError: (&(owner=bc8cd146-fecb-11e1-bd8a-bb6f54b49808)(dirname=/bc8cd146-fecb-11e1-bd8a-bb6f54b49808/stor)(name>=b))) is an invalid filter; caused by Error: ) is invalid
        at Server._find (/opt/smartdc/moray/lib/objects/find.js:202:21)
        at runRpcHandler (/opt/smartdc/moray/node_modules/fast/lib/server.js:132:16)
        at b (domain.js:183:18)
        at Domain.run (domain.js:123:23)
        at Server.onRpcRequest (/opt/smartdc/moray/node_modules/fast/lib/server.js:131:11)
        at Server.EventEmitter.emit (events.js:106:17)
        at MessageDecoder.onMessage (/opt/smartdc/moray/node_modules/fast/lib/protocol/rpc_decoder.js:51:22)
        at MessageDecoder.EventEmitter.emit (events.js:95:17)
        at MessageDecoder._write (/opt/smartdc/moray/node_modules/fast/lib/protocol/message_decoder.js:121:14)
        at doWrite (/opt/smartdc/moray/node_modules/fast/node_modules/readable-stream/lib/_stream_writable.js:263:12)
        at writeOrBuffer (/opt/smartdc/moray/node_modules/fast/node_modules/readable-stream/lib/_stream_writable.js:250:5)
        at MessageDecoder.Writable.write (/opt/smartdc/moray/node_modules/fast/node_modules/readable-stream/lib/_stream_writable.js:197:11)
[2014-08-16T00:57:04.735Z]  INFO: muskie/HttpServer/71923 on 204ac483-7e7e-4083-9ea2-c9ea22f459fd: handled: 500 (audit=true, _audit=true, operation=getstorage, billable_operation=LIST, remoteAddress=172.20.5.6, reqHeaderLength=144, resHeaderLength=252, latency=40, req.owner=bc8cd146-fecb-11e1-bd8a-bb6f54b49808)
    GET /dap/stor?algorithm=RSA-SHA1&expires=1408154224&keyId=%2Fdap%2Fkeys%2F56%3Af3%3Ae1%3A56%3A3d%3Ae6%3Af7%3A83%3Aa9%3Ace%3A19%3A5d%3A62%3Aba%3A5c%3A1f&limit=2&marker=b%29&signature=mniDY7LL9fRO2f8ZbAdMflAByX4DnnyV%2FpwdltSnmKC8mE3Mz%2BrFV5tDMPXUT05IXKUD2P8aYCDGaygV61DAAn5iQhDXm9woG0SXGa8B9ubv5kBtNhLauwAk4oIr64rhNtQ%2FThUylUqKm04%2BBnEE%2F%2FfjXf6nfEKT2P2vxZEilEGdBY6NSReJEgsQRLtwynrtgrVYZ2fOGKMy0epu071O7iHyM1O2rF0tUHbm3m%2BC%2FVUSjRqdGaMxrqigR98mWa8qhsGqlzgklyzwQbRulqYmGhzB1DeAkV%2BQlTQPV292HqRAuI72uMtKH8hNkd7ETQEAxUEjFokUWjsIzxtcZaAEIw%3D%3D HTTP/1.1
    user-agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5
    host: 172.26.5.11
    accept: */*
    x-forwarded-for: ::ffff:172.20.5.6
    --
    HTTP/1.1 500 Internal Server Error
    connection: close
    content-type: application/json
    content-length: 65
    content-md5: d6SoJabjG5BOFuLYgMFtgQ==
    date: Sat, 16 Aug 2014 00:57:04 GMT
    server: Manta
    x-request-id: 3d44c9b0-24e0-11e4-8ccd-35d0cd66ff69
    x-response-time: 40
    x-server-name: 204ac483-7e7e-4083-9ea2-c9ea22f459fd
    --
    InvalidQueryError: (&(owner=bc8cd146-fecb-11e1-bd8a-bb6f54b49808)(dirname=/bc8cd146-fecb-11e1-bd8a-bb6f54b49808/stor)(name>=b))) is an invalid filter; caused by Error: ) is invalid
        at Server._find (/opt/smartdc/moray/lib/objects/find.js:202:21)
        at runRpcHandler (/opt/smartdc/moray/node_modules/fast/lib/server.js:132:16)
        at b (domain.js:183:18)
        at Domain.run (domain.js:123:23)
        at Server.onRpcRequest (/opt/smartdc/moray/node_modules/fast/lib/server.js:131:11)
        at Server.EventEmitter.emit (events.js:106:17)
        at MessageDecoder.onMessage (/opt/smartdc/moray/node_modules/fast/lib/protocol/rpc_decoder.js:51:22)
        at MessageDecoder.EventEmitter.emit (events.js:95:17)
        at MessageDecoder._write (/opt/smartdc/moray/node_modules/fast/lib/protocol/message_decoder.js:121:14)
        at doWrite (/opt/smartdc/moray/node_modules/fast/node_modules/readable-stream/lib/_stream_writable.js:263:12)
        at writeOrBuffer (/opt/smartdc/moray/node_modules/fast/node_modules/readable-stream/lib/_stream_writable.js:250:5)
        at MessageDecoder.Writable.write (/opt/smartdc/moray/node_modules/fast/node_modules/readable-stream/lib/_stream_writable.js:197:11)
    --
    req.caller: {
      "login": "dap",
      "uuid": "bc8cd146-fecb-11e1-bd8a-bb6f54b49808",
      "groups": [],
      "user": null
    }
    --
    req.timers: {
      "earlySetup": 102,
      "parseDate": 8,
      "parseQueryString": 870,
      "parseAuthorization": 14,
      "checkIfPresigned": 130,
      "enforceSSL": 25,
      "ensureDependencies": 11,
      "_authSetup": 27,
      "preSignedUrl": 2840,
      "parseAuthzScheme": 12,
      "authenticateCaller": 3584,
      "parseHttpAuthToken": 29,
      "loadOwner": 10838,
      "anonymous": 14,
      "getActiveRoles": 164,
      "gatherContext": 56,
      "setup": 481,
      "getMetadata": 7136,
      "storageContext": 15,
      "authorize": 164,
      "ensureEntryExists": 6,
      "assertMetadata": 4,
      "getDirectoryCount": 5611,
      "getDirectory": 6284
    }

I'm not sure what the most destructive thing you can do with this is. You can obviously induce 500s, but since the Moray filter starts with '(&(owner=...))', I don't see how you could actually list objects that aren't yours, or cause anything to crash.

Comments

Comment by Cody Mello
Created at 2017-04-20T17:40:18.000Z

Muskie should use node-moray-filter to build its queries, and then call .toString() once it's built the appropriate filter. The library will then take care of correctly escaping characters and return a valid string to send to Moray.

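The following JavaScript is an added example, not code from Muskie or node-moray-filter. It reproduces the construction the description's log implies (caller-controlled marker concatenated into the Moray filter) beside the escaped construction the comment above recommends, and runs both through a small parser for the `&`, `|`, `!`, `=`, `>=`, `<=` subset of the filter syntax so that the `) is invalid` failure from the log, and the `hello(` directory case from MANTA-2803, can be exercised offline. The escape set (`\28`, `\29`, `\2a`, `\5c`, `\00`, per RFC 4515) is what ldapjs-style filter libraries use; that node-moray-filter's toString() applies exactly this set is an assumption. The owner UUID and path are the ones in the log; the function names and the parser are this example's own.

```javascript
'use strict';
// Added example, not code from Muskie or node-moray-filter: it reproduces the
// injection from the description (marker "b)") and from MANTA-2803 (directory
// "hello(") and shows the escaped construction that makes both values inert.

// RFC 4515 escaping: characters that mean something inside a filter become a
// backslash plus two hex digits. Assumption: node-moray-filter's toString()
// applies this same escape set.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, function (c) {
    return '\\' + c.charCodeAt(0).toString(16).padStart(2, '0');
  });
}

// The shape the log in the description shows: values concatenated as-is, so a
// ")" in the marker closes the (name>=...) clause early.
function buildDirectoryFilterUnsafe(owner, dirname, marker) {
  var f = '(&(owner=' + owner + ')(dirname=' + dirname + ')';
  if (marker !== undefined) f += '(name>=' + marker + ')';
  return f + ')';
}

// Same filter with every caller-controlled value escaped first.
function buildDirectoryFilter(owner, dirname, marker) {
  var f = '(&(owner=' + escapeFilterValue(owner) + ')' +
          '(dirname=' + escapeFilterValue(dirname) + ')';
  if (marker !== undefined) f += '(name>=' + escapeFilterValue(marker) + ')';
  return f + ')';
}

// Minimal recursive-descent parser for the subset used here: (&...), (|...),
// (!...) and (attr OP value) with OP in =, >=, <=. It decodes \xx escapes,
// rejects a bare "(" inside a value, and rejects leftover text after the
// outermost ")", which is the "... ) is invalid" failure Moray reported. A real
// LDAP parser also treats an unescaped "*" in an "=" value as a wildcard; this
// toy one keeps it literal.
function parseFilter(input) {
  var pos = 0;
  function expect(ch) {
    if (input[pos] !== ch) throw new Error('expected "' + ch + '" at offset ' + pos);
    pos++;
  }
  function parseValue() {
    var out = '';
    while (pos < input.length && input[pos] !== ')') {
      var c = input[pos];
      if (c === '(') throw new Error('( is invalid');
      if (c !== '\\') { out += c; pos++; continue; }
      var hex = input.substr(pos + 1, 2);
      if (!/^[0-9a-fA-F]{2}$/.test(hex)) throw new Error('bad escape at offset ' + pos);
      out += String.fromCharCode(parseInt(hex, 16));
      pos += 3;
    }
    return out;
  }
  function parseNode() {
    expect('(');
    var c = input[pos], node;
    if (c === '&' || c === '|') {
      pos++;
      node = { op: c, filters: [] };
      while (input[pos] === '(') node.filters.push(parseNode());
    } else if (c === '!') {
      pos++;
      node = { op: '!', filter: parseNode() };
    } else {
      var m = /^([A-Za-z_][\w.-]*)(>=|<=|=)/.exec(input.slice(pos));
      if (!m) throw new Error('expected attribute at offset ' + pos);
      pos += m[0].length;
      node = { op: m[2], attribute: m[1], value: parseValue() };
    }
    expect(')');
    return node;
  }
  var ast = parseNode();
  // Leftover text after the outermost ")" (e.g. the stray ")" from marker "b)").
  if (pos !== input.length) throw new Error(input.slice(pos) + ' is invalid');
  return ast;
}

// Builds the filter with `build` and reports whether the parser above accepts
// it; on success returns the decoded value of each clause of the top-level AND.
function tryListing(build, owner, dirname, marker) {
  var filter = build(owner, dirname, marker);
  try {
    var values = parseFilter(filter).filters.map(function (f) { return f.value; });
    return { filter: filter, ok: true, values: values };
  } catch (e) {
    return { filter: filter, ok: false, error: e.message };
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  var owner = 'bc8cd146-fecb-11e1-bd8a-bb6f54b49808'; // owner UUID from the log
  var stor = '/' + owner + '/stor';
  console.log(tryListing(buildDirectoryFilterUnsafe, owner, stor, 'b)'));
  console.log(tryListing(buildDirectoryFilter, owner, stor, 'b)'));
  console.log(tryListing(buildDirectoryFilterUnsafe, owner, stor + '/hello(', undefined));
  console.log(tryListing(buildDirectoryFilter, owner, stor + '/hello(', undefined));
}
```

The unsafe builder yields exactly the filter string in the log and fails with `) is invalid`; the escaped builder turns `b)` into `b\29` and `hello(` into `hello\28`, the parser decodes them back to the original strings, and the caller gets the intended `name >= "b)"` and `dirname = ".../hello("` comparisons. The point the description makes still holds: the leading `(owner=...)` clause is server-supplied, so an injected `)` breaks the query rather than widening it, but a value that reaches the filter unescaped is a parse error at best and, for an `=` clause with a `*`, a wildcard at worst.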

Comment by Cody Mello
Created at 2017-11-29T16:47:09.540Z

In addition to the testing performed by Kris Shannon, and the ones he added, I have also run the full test suite in emy-7. I also tried creating a file named "hello(" and making sure I could list the directory it was in.


Comment by Jira Bot
Created at 2017-11-29T16:47:40.725Z

manta-muskie commit b8572701cb060b262a94ef01e95f9a56bec726fa (branch master, by Kris Shannon)

MANTA-2409 Muskie pagination subject to Moray filter injection
MANTA-2803 Cannot mrmdir or mls in manta folder with parentheses in name
Reviewed by: Jordan Hendricks <jordan.hendricks@joyent.com>
Reviewed by: Cody Peter Mello <cody.mello@joyent.com>
Approved by: Cody Peter Mello <cody.mello@joyent.com>