Commit 5ea64814 authored by Christos Stavrakakis's avatar Christos Stavrakakis

Fix bug: Detect malformed network subnet

Fix bug in Cyclades network API. API should raise BadRequest if
specified network subnet is invalid. Also, do not allow subnets with
host bits set (like 10.0.0.1/28).
parent 1c25dba4
......@@ -186,9 +186,8 @@ def create_network(serials, request):
if flavor not in settings.API_ENABLED_NETWORK_FLAVORS:
raise Forbidden("Can not create %s network" % flavor)
cidr_block = int(subnet.split('/')[1])
if not util.validate_network_size(cidr_block):
raise OverLimit("Unsupported network size.")
# Check that user provided a valid subnet
util.validate_network_subnet(subnet)
user_id = request.user_uniq
serial = quotas.issue_network_commission(user_id)
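Review bot: `util.validate_network_subnet(subnet)` returns nothing, so create_network keeps using the raw request string after validation. ipaddr also parses netmask-style suffixes such as `10.0.0.0/255.255.255.240` (constructed example), which would not have got past the removed `int(subnet.split('/')[1])`. Later code may therefore now receive forms it was not written for, though that cannot be verified from this hunk. Consider ending the helper with `return str(network)` and writing `subnet = util.validate_network_subnet(subnet)` here, so only the canonical form is passed on. create_network starts and continues outside the hunk.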
......
......@@ -122,6 +122,15 @@ class NetworkAPITest(BaseAPITest):
json.dumps(request), 'json')
self.assertFault(response, 403, "forbidden")
def test_invalid_subnet(self, mrapi):
"""Test invalid subnet"""
request = {
'network': {'name': 'foo', 'cidr': '10.0.0.10/27'}
}
response = self.post('/api/v1.1/networks/', 'user1',
json.dumps(request), 'json')
self.assertBadRequest(response)
def test_list_networks(self, mrapi):
"""Test that expected list of networks is returned."""
# Create a deleted network
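Review bot: test_invalid_subnet exercises only the host-bits case (`10.0.0.10/27`), while the commit message also promises BadRequest for malformed subnets. Add cases that fail to parse at all, e.g. `'cidr': '10.0.0.0/foo'` and `'cidr': 'not-a-subnet'` (constructed values), each asserting `self.assertBadRequest(response)`. A docstring such as `"""Host bits set or an unparsable cidr must yield 400 BadRequest."""` would state the contract better than "Test invalid subnet".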
......
......@@ -43,6 +43,7 @@ from string import digits, lowercase, uppercase
from time import time
from traceback import format_exc
from wsgiref.handlers import format_date_time
from ipaddr import IPNetwork
import dateutil.parser
......@@ -239,6 +240,18 @@ def get_network(network_id, user_id, for_update=False):
raise ItemNotFound('Network not found.')
def validate_network_subnet(subnet):
try:
# Use strict option to not all subnets with host bits set
network = IPNetwork(subnet, strict=True)
except ValueError:
raise BadRequest("Invalid network subnet")
# Check that network size is allowed!
if not validate_network_size(network.prefixlen):
raise OverLimit("Unsupported network size")
def validate_network_size(cidr_block):
"""Return True if network size is allowed."""
return cidr_block <= 29 and cidr_block > MAX_CIDR_BLOCK
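Review bot: validate_network_subnet builds the network with `IPNetwork(subnet, strict=True)`, which accepts IPv6 as well as IPv4, whereas validate_network_info in the management command uses `ipaddr.IPv4Network`. If the API's `cidr` field is meant to be IPv4-only (an assumption; the hunk does not say), an IPv6 prefix whose length passes validate_network_size would be accepted here. Using `network = IPv4Network(subnet, strict=True)` with the matching import would keep both entry points consistent. The inline comment has a typo ("to not all subnets" should read "to not allow subnets"). The function also deserves a docstring such as `"""Raise BadRequest for an unparsable or host-bits-set subnet, OverLimit for a disallowed size."""`.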
......
......@@ -91,7 +91,7 @@ def validate_network_info(options):
gateway6 = options['gateway6']
try:
net = ipaddr.IPv4Network(subnet)
net = ipaddr.IPv4Network(subnet, strict=True)
prefix = net.prefixlen
if not validate_network_size(prefix):
raise CommandError("Unsupport network mask %d."
......