Go to file

Abhishek Kekane 8c43caaefd Fix SSRF vulnerabilities in image import API

Fixed Server-Side Request Forgery (SSRF) vulnerabilities in Glance's image
import functionality that could allow attackers to bypass URL validation
and access internal resources.

The fix includes:
- IP address validation using Python's ipaddress module to reject encoded
  IP formats (decimal, hexadecimal, octal) that could bypass blacklist checks
- HTTP redirect validation for web-download, glance-download, and OVF
  processing to prevent redirect-based SSRF attacks
- URI validation for OVF processing which previously had no protection

The implementation uses Python's built-in ipaddress module which inherently
rejects all non-standard IP encodings and only accepts standard formats,
providing robust protection against IP encoding bypass attacks.

Depends-On: https://review.opendev.org/c/openstack/tempest/+/981329

Assisted-by: Used Cursor (Auto) for unit tests.

Closes-Bug: #2138602
Closes-Bug: #2138672
Closes-Bug: #2138675
SecurityImpact

Change-Id: Ib8d337dc68411d18c70d5712cc4f0986ef6205f4
Signed-off-by: Abhishek Kekane <[email protected]>

2026-03-19 17:15:26 +00:00

api-ref/source

Update API reference to mention x-openstack-image-size header

2025-08-07 06:05:13 +00:00

doc

Replace obsolete PCRE packages

2026-01-20 23:15:49 +09:00

etc

Enhance schema loading to support required properties

2026-01-07 00:30:32 +09:00

glance

Fix SSRF vulnerabilities in image import API

2026-03-19 17:15:26 +00:00

httpd

setup: Remove pbr's wsgi_scripts

2025-09-17 11:53:27 +01:00

playbooks

Replaced usage outdate egrep to grep

2025-08-01 15:02:11 +00:00

rally-jobs

Update some url links of rally/README.rst

2018-02-27 00:29:38 -08:00

releasenotes

Fix SSRF vulnerabilities in image import API

2026-03-19 17:15:26 +00:00

tools

Replaced usage outdate egrep to grep

2025-08-01 15:02:11 +00:00

.coveragerc

Update .coveragerc after the removal of openstack directory

2016-10-17 17:09:56 +05:30

.gitignore

Move policy defaults into code

2020-01-06 12:56:30 -05:00

.gitreview

OpenDev Migration Patch

2019-04-19 19:45:31 +00:00

.mailmap

Add a mailmap entry for myself

2014-02-11 12:00:44 +08:00

.stestr.conf

Use common environment name for ostestr testpath

2025-02-16 01:05:19 +09:00

.zuul.yaml

Use the correct name for the ironic check job

2026-01-27 11:23:32 +13:00

bindep.txt

Replace obsolete PCRE packages

2026-01-20 23:15:49 +09:00

CONTRIBUTING.rst

Community Goal: Project PTL & Contrib Docs Update

2020-03-11 06:09:47 +00:00

HACKING.rst

Replace own hacking checks by built-on ones

2026-02-05 22:57:00 +09:00

LICENSE

Add a LICENSE file.

2012-01-03 10:14:01 -05:00

pyproject.toml

Remove configurable metadata DB backend entrypoint

2025-09-17 14:14:15 +01:00

README.rst

Drop tag assertion from README

2022-12-05 10:59:14 -08:00

requirements.txt

Remove non-direct dependency

2026-03-08 16:08:09 +09:00

setup.cfg

Migrate setup configuration to pyproject.toml

2025-09-17 14:14:05 +01:00

setup.py

Remove outdated comment in setup.py

2026-01-28 14:09:44 +00:00

test-requirements.txt

Remove sendfile support

2024-05-02 09:20:59 +00:00

tox.ini

Replace own hacking checks by built-on ones

2026-02-05 22:57:00 +09:00

README.rst

OpenStack Glance

Glance is an OpenStack project that provides services and associated libraries to store, browse, share, distribute and manage bootable disk images, other data closely associated with initializing compute resources, and metadata definitions.

Use the following resources to learn more:

API

To learn how to use Glance's API, consult the documentation available online at:

Image Service APIs

Developers

For information on how to contribute to Glance, please see the contents of the CONTRIBUTING.rst in this repository.

Any new code must follow the development guidelines detailed in the HACKING.rst file, and pass all unit tests.

Further developer focused documentation is available at:

Operators

To learn how to deploy and configure OpenStack Glance, consult the documentation available online at:

Openstack Glance

In the unfortunate event that bugs are discovered, they should be reported to the appropriate bug tracker. You can raise bugs here:

Bug Tracker

Release notes

To learn more about Glance's new features, optimizations, and changes between versions, consult the release notes online at:

Release Notes

Other Information

During each design summit, we agree on what the whole community wants to focus on for the upcoming release. You can see image service plans:

Image Service Plans

For more information about the Glance project please see:

Glance Project