  1. Coopr
  2. COOPR-716

Coopr API allows arbitrary, random parameters to be used as keys


    Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 0.9.9, Code Name: Ursa Major
    • Fix Version/s: 0.9.10 Code Name: Mensa
    • Component/s: server
    • Labels:
      None
    • Rank:
      1|hzynmv:

      Description

      API calls that include these should fail. Here is an example of how they do not:
      We use a made-up API parameter (iguana), and set it to something arbitrary ("cool"). Not only does the call not fail, it actually returns node usage hours, as if the parameter had not been entered:
      curl -X GET -H 'Coopr-UserID:admin' -H 'Coopr-TenantID:superadmin' -H 'Coopr-ApiKey:admin' 'http://127.0.0.1:55054/v2/metrics/nodes/usage?iguana=cool'
      {"start":1423688318,"end":1423692608,"data":[{"time":1423688318,"value":6256}]}

      This should fail.
      This is doubly bad, because if somebody were to misspell the key of a real parameter (e.g. start= spelled starts=), they would likely get the wrong return value (node usage hours would be counted from the very beginning, instead of from the start time parameter value we entered and intended to use).

            People

            • Assignee:
              nitin Nitin Motgi
              Reporter:
              dbajot David Bajot
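The failure mode reported above, shown as an added example that is not Coopr's own code: a lenient query parser silently drops `iguana=cool` and the misspelled `starts=`, while an allow-list parser rejects both. The function names and the `ALLOWED` table are hypothetical; `start` comes from the report, and `end` as a parameter is an assumption based on the response body.

```python
from urllib.parse import parse_qsl, urlsplit

# Assumption: the usage endpoint accepts only these keys. "start" is named in
# the report; "end" is inferred from the response body and is illustrative.
ALLOWED = {"/v2/metrics/nodes/usage": {"start": int, "end": int}}


class BadRequest(ValueError):
    """Maps to an HTTP 400 in a real handler."""


def parse_strict(url):
    """Return validated query parameters, or raise BadRequest.

    Rejects unknown keys, repeated keys and values of the wrong type, so a
    misspelled key fails loudly instead of being silently dropped.
    """
    parts = urlsplit(url)
    schema = ALLOWED.get(parts.path)
    if schema is None:
        raise BadRequest(f"unknown endpoint: {parts.path}")
    params = {}
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        if key not in schema:
            raise BadRequest(f"unknown parameter: {key!r}")
        if key in params:
            raise BadRequest(f"repeated parameter: {key!r}")
        try:
            params[key] = schema[key](raw)
        except ValueError:
            raise BadRequest(f"invalid value for {key!r}: {raw!r}") from None
    return params


def parse_lenient(url):
    """The behaviour the report describes: unknown keys are ignored."""
    schema = ALLOWED[urlsplit(url).path]
    query = dict(parse_qsl(urlsplit(url).query))
    return {k: schema[k](v) for k, v in query.items() if k in schema}


def status_for(url):
    """HTTP status a strict handler would return for this request."""
    try:
        parse_strict(url)
        return 200
    except BadRequest:
        return 400
```

With the lenient parser, `starts=1423688318` yields an empty parameter set, which is why the usage figure is computed from the very beginning rather than from the intended start time.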