Monday, 2015-03-02

[00:06] *** linuxuser has joined #openstack-security
[00:54] *** JAHoagie has joined #openstack-security
[01:03] *** JAHoagie has quit IRC
[01:41] *** amrith is now known as _amrith_
[01:46] *** ukbelch has quit IRC
[01:46] *** ukbelch_ has quit IRC
[01:51] *** _amrith_ is now known as amrith
[02:12] *** amrith is now known as _amrith_
[02:19] *** jhonangel123 has joined #openstack-security
[02:42] *** ukbelch has joined #openstack-security
[02:42] *** ukbelch_ has joined #openstack-security
[02:46] *** ukbelch_ has quit IRC
[02:47] *** ukbelch has quit IRC
[03:01] *** _amrith_ is now known as amrith
[03:38] *** nkinder has joined #openstack-security
[03:50] *** dave-mccowan has quit IRC
[04:03] *** jhonangel123 has quit IRC
[04:08] *** ukbelch_ has joined #openstack-security
[04:08] *** ukbelch has joined #openstack-security
[04:13] *** ukbelch_ has quit IRC
[04:13] *** ukbelch has quit IRC
[05:08] *** OnlyKnockOnce has joined #openstack-security
[05:09] *** OnlyKnockOnce has left #openstack-security
[05:57] *** ukbelch has joined #openstack-security
[05:57] *** ukbelch_ has joined #openstack-security
[06:01] *** ukbelch has quit IRC
[06:01] *** ukbelch_ has quit IRC
[06:14] *** JAHoagie has joined #openstack-security
[06:58] *** ukbelch has joined #openstack-security
[06:58] *** ukbelch_ has joined #openstack-security
[07:02] *** ukbelch_ has quit IRC
[07:02] *** ukbelch has quit IRC
[07:50] *** v4s has quit IRC
[07:55] *** JAHoagie has quit IRC
[08:01] *** v4s has joined #openstack-security
[08:44] *** salv-orlando has joined #openstack-security
[08:46] *** ukbelch has joined #openstack-security
[08:46] *** ukbelch_ has joined #openstack-security
[08:51] *** ukbelch has quit IRC
[08:51] *** ukbelch_ has quit IRC
[08:53] *** ukbelch has joined #openstack-security
[08:53] *** ukbelch_ has joined #openstack-security
[08:55] *** ukbelch has quit IRC
[08:55] *** ukbelch_ has quit IRC
[08:58] *** ukbelch has joined #openstack-security
[08:58] *** ukbelch_ has joined #openstack-security
[09:05] *** tkelsey has joined #openstack-security
[09:13] *** salv-orlando has quit IRC
[09:14] *** salv-orlando has joined #openstack-security
[09:19] *** ukbelch_ has quit IRC
[09:19] *** ukbelch_ has joined #openstack-security
[09:20] *** ukbelch has quit IRC
[09:20] *** ukbelch has joined #openstack-security
[10:11] *** salv-orlando has quit IRC
<openstackgerrit> Dave Belcher proposed stackforge/bandit: Refactored AST processing
<openstackgerrit> Dave Belcher proposed stackforge/bandit: Refactored AST processing
<openstackgerrit> Dave Belcher proposed stackforge/bandit: Refactored AST processing
[10:59] *** ukbelch has quit IRC
[10:59] *** ukbelch_ has quit IRC
[11:01] *** ukbelch has joined #openstack-security
[11:01] *** ukbelch_ has joined #openstack-security
[11:02] *** ukbelch has quit IRC
[11:05] *** ukbelch_ has quit IRC
[11:06] *** ukbelch has joined #openstack-security
[11:06] *** ukbelch_ has joined #openstack-security
[11:07] *** gabriela has joined #openstack-security
[11:08] *** gabriela has left #openstack-security
[11:15] *** ukbelch has quit IRC
[11:15] *** ukbelch_ has quit IRC
[11:15] *** ukbelch has joined #openstack-security
[11:15] *** ukbelch_ has joined #openstack-security
[11:17] *** ukbelch_ has quit IRC
[11:19] *** ukbelch has quit IRC
[11:20] *** ukbelch has joined #openstack-security
[11:36] *** ukbelch has quit IRC
[12:12] *** v4s has quit IRC
[12:18] *** v4s has joined #openstack-security
[12:21] *** dave-mccowan has joined #openstack-security
[12:37] *** optik_ has joined #openstack-security
[12:38] *** optik_ has quit IRC
[13:08] *** markvoelker has joined #openstack-security
[13:27] *** tmcpeak has joined #openstack-security
[13:30] *** amrith is now known as _amrith_
[13:43] *** salv-orlando has joined #openstack-security
[13:45] *** ukbelch has joined #openstack-security
[13:46] *** bknudson has quit IRC
[13:47] *** ukbelch has quit IRC
[13:50] *** ukbelch has joined #openstack-security
[13:53] *** ljfisher has joined #openstack-security
[13:55] *** singlethink has joined #openstack-security
[14:10] *** bknudson has joined #openstack-security
[14:17] *** ukbelch has quit IRC
[14:19] *** nkinder has quit IRC
[14:28] *** tmcpeak1 has joined #openstack-security
[14:29] *** tmcpeak has quit IRC
[14:36] *** tmcpeak1 has quit IRC
[14:37] *** tmcpeak has joined #openstack-security
[14:42] *** JAHoagie has joined #openstack-security
[14:55] *** _amrith_ is now known as amrith
[15:01] *** singlethink has quit IRC
[15:02] *** singlethink has joined #openstack-security
[15:13] *** nkinder has joined #openstack-security
[15:15] *** tmcpeak has quit IRC
[15:15] *** JAHoagie has quit IRC
[15:16] *** tmcpeak has joined #openstack-security
[15:39] *** voodookid has joined #openstack-security
[15:41] *** bpokorny has quit IRC
[15:55] *** salv-orlando has quit IRC
[15:55] *** salv-orlando has joined #openstack-security
[15:55] *** bpokorny has joined #openstack-security
[16:00] *** salv-orlando has quit IRC
[16:08] *** dave-mccowan has quit IRC
[16:19] *** JAHoagie has joined #openstack-security
[16:28] *** dave-mccowan has joined #openstack-security
[16:34] *** singlethink has quit IRC
[16:54] *** pdesai has joined #openstack-security
[17:00] *** singlethink has joined #openstack-security
[17:04] *** bdpayne has joined #openstack-security
[17:04] *** singlethink has quit IRC
[17:09] *** pdesai has quit IRC
[17:09] *** pdesai has joined #openstack-security
[17:16] *** singlethink has joined #openstack-security
[17:16] *** salv-orlando has joined #openstack-security
[17:18] *** tmcpeak1 has joined #openstack-security
[17:18] *** tmcpeak has quit IRC
<openstackgerrit> Gauvain Pocentek proposed openstack/security-doc: Fixes for grammatical errors
[17:38] <bdpayne> nkinder What are your thoughts on  We can't really do 2 +2's and a "core" review b/c it isn't an OpenStack project.  What criteria should we use for accepting it?
[17:39] <bdpayne> nkinder Perhaps if you are happy then we should call it good?
[17:39] <nkinder> bdpayne: checking...
<openstackgerrit> Merged openstack/security-doc: Adding clarification to Networking's security guide references.
[17:41] <nkinder> bdpayne: yeah, we can just waive the "core" requirement since there is not really a project associated with this.
[17:42] <nkinder> bdpayne: let me finish reviewing, then I'll +A if it looks good
[17:42] <bdpayne> sounds good, thanks!
[17:51] <nkinder> bdpayne: Approved.  I'll publish it this afternoon when I get some free time.
[17:51] <bdpayne> cool, thanks again
<openstackgerrit> Merged openstack/security-doc: Add text for OSSN-0044
[17:57] *** sicarie has joined #openstack-security
[18:00] <bdpayne> It's time for the security guide meeting.  Do we have anyone here for that?
[18:01] <bdpayne> hi everyone
[18:01] <bdpayne> so we can get started
[18:01] <sicarie> Doug's skiing (or traveling to/from) so I think he's going to miss this one
[18:01] <bdpayne> silly Doug
[18:01] <bdpayne> like skiing is more interesting than this ;-)
[18:02] <bdpayne> on the agenda I have bug triage, open CRs, and that's about all
[18:02] <bdpayne> anything else?
[18:02] <elmiko> nothing from me
[18:02] <sicarie> nope, that looks good
[18:02] <pdesai> i have discussion around the diagrams (images) and checklist
[18:02] <bdpayne> ok, sounds good
[18:03] <bdpayne> so let's start with bug triage
[18:03] <bdpayne> I just see one new one
[18:03] <openstack> Launchpad bug 1425762 in openstack-manuals "Database SSL transport config example missing OS service database config" [Undecided,In progress] - Assigned to Shail Bhargava (shabharg)
[18:04] <bdpayne> so Shail filed this bug and already has a CR up
[18:04] <elmiko> sounds like maybe a high prio
[18:04] <bdpayne> I think this is valid, but perhaps a low
[18:04] <bdpayne> helps to clarify, but we aren't making a bad recommendation or anything like that
[18:05] <sicarie> My concern is around the use of SSL
[18:05] <elmiko> ahh, i thought it was missing info that was needed
[18:05] <sicarie> Though I haven't looked into this I would imagine TLS is possible
[18:06] <bdpayne> oh yeah
[18:06] <bdpayne> so I read this as we recommend setting up TLS on the database
[18:06] <bdpayne> but for openstack services to work with that, they will need the cert chain so that it can verify the connection
[18:06] <bdpayne> and we didn't talk about providing the cert chain
[18:07] <bdpayne> so yeah, we can comment on using TLS instead of SSL here
[18:07] <sicarie> Yep, definitely looks valid, probably medium?
[18:08] <bdpayne> Med/Low... I could do either
[18:08] <sicarie> Additionally, the example above is for PostGRE, this looks mysql specific, it'd be nice to either have a generic pointer, or examples for both (as it looks relatively small) if they're different
[18:10] <bdpayne> ok, I've added some comments
[18:10] <bdpayne> made it a medium
[18:10] <bdpayne> ok, I don't see any others that need triage
[18:11] <bdpayne> so next step is to review open CRs
[18:12] <bdpayne> This is the "additional ways to configure SSL" one with content from Nathan's blog
[18:12] <bdpayne> I think the next step here is to adjust the colors on the images?
[18:12] <bdpayne> pdesai can you speak to this?
[18:12] <pdesai> yup, tried to play with inkscape with Solarize palette but natively it does not have support for that palette
[18:13] <pdesai> same with Open Sans fonts
[18:13] <bdpayne> yeah, I think you just need to manually use those colors
[18:13] <bdpayne> the font is something you can add to your system
[18:14] <pdesai> Vector paint has support for solarize palette, i am exploring Vector Paint
[18:14] <bdpayne> ah, ok
[18:14] <bdpayne> that works too
<bdpayne> so the next one is
[18:14] <pdesai> how about we go with ascii flow otherwise? thoughts?
[18:14] <bdpayne> I think this is gtg, just need another review
[18:15] <bdpayne> pdesai I can help with the graphics if needed, I'd rather do that than move to ascii
[18:15] <elmiko> my preference is for the graphics, but if it becomes too big an issue then ascii as last resort
[18:15] <bdpayne> has a merge conflict
[18:15] <elmiko> i'll echo bdpayne as well, if you need help i know inkscape pretty well
[18:15] <pdesai> ok cool, i will give it a shot tonight and if it doesn't work, i will reach out to bdpayne
[18:16] <bdpayne> sicarie If you see Shellee could you ping her on about the merge conflict?
[18:16] <bdpayne> should be straightforward to address
<bdpayne> next up is
[18:17] <bdpayne> this is the CR associated with the bug we just triaged
[18:17] <bdpayne> it basically just needs reviews at this point
[18:17] <bdpayne> I'll look later today
<bdpayne> finally we have
[18:17] *** browne has joined #openstack-security
[18:18] <bdpayne> pdesai on this one I guess we have some open formatting questions
[18:18] <bdpayne> Do you want to follow up with Anne to see if she has suggestions?
[18:18] <pdesai> this is hug, yup i have made significant progress and will upload new patch
[18:18] *** tmcpeak1 has quit IRC
[18:19] <pdesai> i will follow up with her as well, on how to automate adding checklist in the appendix
[18:19] <bdpayne> ok cool
[18:19] <pdesai> oops typo, hug => huge
[18:19] <bdpayne> yeah, I know it would be more work up front, but I think it would pay off pretty quickly in terms of maintenance costs
[18:19] *** tmcpeak has joined #openstack-security
[18:20] <pdesai> yup, agree, hopefully we can finalize the format before next sync up
[18:20] <bdpayne> ok cool
[18:20] <bdpayne> so that's all that I have then
[18:20] <bdpayne> anything else to discuss?
[18:21] <elmiko> nothing from me
[18:21] <sicarie> just ping'd shellee she's going to take a look at the merge conflict today
[18:21] <sicarie> nothing else from me
[18:21] <bdpayne> kk thanks all, I'll see you next week!
[18:21] <pdesai> thanks everyone
[18:21] <elmiko> thanks bdpayne !
[18:22] *** tmcpeak has quit IRC
[18:25] *** sicarie_ has joined #openstack-security
[18:26] *** sicarie has quit IRC
[18:26] *** sicarie_ has left #openstack-security
<openstackgerrit> Dave Belcher proposed stackforge/bandit: Refactored AST processing
[18:31] *** sicarie has joined #openstack-security
<openstackgerrit> Merged openstack/security-doc: Fixes for grammatical errors
[18:49] *** ukbelch has joined #openstack-security
<openstackgerrit> Dave Belcher proposed stackforge/bandit: Refactored AST processing
[19:13] *** ukbelch has quit IRC
[19:20] *** shakamunyi has joined #openstack-security
[19:33] *** ukbelch has joined #openstack-security
[19:33] *** tkelsey has quit IRC
[19:34] *** tmcpeak has joined #openstack-security
[19:35] *** ukbelch has quit IRC
[19:40] *** sicarie has quit IRC
<openstackgerrit> Rob Fletcher proposed stackforge/bandit: Add mako templating plugin and XSS profile
[20:20] *** pdesai has quit IRC
[20:32] *** fletcher has joined #openstack-security
<fletcher> tmcpeak, chair6, ljfisher and tkelsey - so I've done some digging on the false negative related to
[20:33] <fletcher> If you guys don't mind to go read the comment I've left and respond if you think you might know what's up
[20:33] <fletcher> the false negative appears to be coming from one of the utils functions not calculating the qualname list correctly
[20:37] <ljfisher> I think I see the bug
[20:39] <ljfisher> I think get_call_name returns just the base name and not the qualified name
[20:41] <ljfisher> was thinking there was a separate func for call qualname but don't see it
[20:41] <fletcher> yah, neither do i
[20:42] <fletcher> during my debugging, i added some ast.walk stuff for the Attribute case, and the info is definitely all there
[20:42] <fletcher> do you know of an easy fix?
[20:42] <ljfisher> ah, I see.
[20:42] <fletcher> <_ast.Attribute object at 0x108cf34d0> <_ast.Attribute object at 0x108cf34d0> id: None name: None <_ast.Name object at 0x108cf35d0> id: mako name: None <_ast.Load object at 0x1089ee190> id: None name: None <_ast.Load object at 0x1089ee190> id: None name: None Template ['Template'] Template
[20:42] <fletcher> ahhhhhh, well that pasted horribly
[20:43] <ljfisher> is template an object?
[20:43] <fletcher> that's what the input file looks like
[20:43] <ljfisher> so we can't get that
[20:44] <fletcher> Is that a question or statement?
[20:44] <fletcher> Interesting, why not?
[20:44] <ljfisher> so mako.template returns an object, correct?
[20:44] <fletcher> based on my first pastebin, the info is there
[20:46] <fletcher> So if I do type(mako.template)
[20:46] <fletcher> it returns
[20:46] <fletcher> AttributeError: 'module' object has no attribute 'template'
[20:46] <ljfisher> a snippet of the ast tree would be useful
[20:47] <fletcher> here ya go
[20:48] <fletcher> maybe not exactly what you're looking for, but that's my debug output so far
[20:48] <ljfisher> when you run with -d you get dumps of the ast tree I think
[20:51] <fletcher> also, thanks for the help! :)
[20:52] *** pdesai has joined #openstack-security
[20:54] <ljfisher> ok, I think I see. So attributes are for accessing members of an object.
[20:55] <ljfisher> That object can be static or dynamic.
[20:56] <fletcher> uhhhh, sure! lol ;)
[20:56] <ljfisher> In this case it is <package>.<module>.<class> and everything is static but we don't know that
[20:56] <ljfisher> we have three levels in this case mako.template.Template
[20:56] <ljfisher> OpenStack code never does that so I missed it
[20:57] <ljfisher> or at least the code I've looked at
[20:57] <ljfisher> it seems to do 'from mako.template import Template'
[20:57] <ljfisher> more often
[20:57] <fletcher> ah ok, so it sounds like you've got your head around a fix?
[20:57] <fletcher> yah, completely agree on the typical use case
[20:58] <ljfisher> so we can resolve mako.template.Template
[20:58] <fletcher> i actually added a bunch of weird imports to see if something like this does happen
[20:58] <ljfisher> using import_aliases
[20:58] <ljfisher> that's good
[20:58] <ljfisher> using just the information in the file we can't tell if mako.template is an object, class, module
[21:00] <ljfisher> we could just take what we see in the file and sometimes it will work.
[21:00] <fletcher> So i'm a bit confused, doesn't the utils function have all the info necessary?
[21:00] <fletcher> just a matter of constructing qualname_list differently?
[21:01] <ljfisher> Yeah. I was trying to be correct instead of making it work in most cases.
[21:01] <ljfisher> we could have call
[21:02] <ljfisher> where foo is an instance of Bar
[21:02] <ljfisher> we can't write a test to detect all calls to Bar.method because we can't tell foo is an instance of Bar
[21:03] <ljfisher> but times like this mako case nothing in that function name is a variable
[21:06] <ljfisher> So I wanted calls to to resolve to Bar.method, but we can't do that. It is probably safe to have resolve to even though that doesn't tell you what is being called.  Sometimes we will call package.module.class and it will tell us enough to write a test.
[21:07] *** shakamunyi has quit IRC
[21:08] *** shakamunyi has joined #openstack-security
[21:08] <ljfisher> You are correct it is easy to see mako.template.Template. But hard to know what function that actually refers to without more information. But for writing tests it really doesn't matter.
[21:09] <ljfisher> does that make sense at all?
[21:14] <fletcher> sorry, back. catching up
[21:16] <fletcher> Yah, I *think* that makes sense to me
[21:17] <fletcher> So do you think that's a change you can make pretty easily? Or do you want me to attempt to? :)
[21:19] <tmcpeak> reading this
[21:23] <ljfisher> So I think what needs to happen is a recursive depth-first traversal of Call.func to build up the attribute names. At each level we have to check the import_aliases table to see if an alias exists for the name and substitute it if it does.
[21:23] <tmcpeak> fletcher, ljfisher: ok - I think the bug makes sense (at least from a cursory level)
[21:23] <tmcpeak> that sounds like a pain in the ass
[21:24] <ljfisher> eh, I think about 10-15 lines :)
[21:24] <tmcpeak> do I hear a volunteer? :)
[21:24] <ljfisher> yeah, I'll take a look. It really is my bug
[21:24] <fletcher> boom, nice
[21:24] <tmcpeak> sweet :)
[21:24] <tmcpeak> good catch with the extra testing @fletcher
[21:24] <fletcher> I'll be interested to see if this causes tests to fail, once it's fixed
[21:24] <fletcher> can't imagine it will
[21:24] <ljfisher> I punted on this case not thinking that all the components could be static
[21:25] *** amrith is now known as _amrith_
[21:25] <tmcpeak> sure, well before that it was extremely primitive.  Good to see this moving towards comprehensiveness
[21:25] <tmcpeak> or whatever the word is
[21:47] *** dave-mccowan has quit IRC
[21:53] *** shakamunyi_ has joined #openstack-security
[21:54] *** shakamunyi has quit IRC
[22:01] *** nkinder has quit IRC
[22:03] *** mihero has quit IRC
[22:04] *** dave-mccowan has joined #openstack-security
[22:08] *** ukbelch has joined #openstack-security
[22:11] *** mihero has joined #openstack-security
[22:14] *** ukbelch has quit IRC
[22:20] *** pdesai has quit IRC
[22:23] *** pdesai has joined #openstack-security
<openstackgerrit> Priti Desai proposed openstack/security-doc: Adding Security Checklist
[22:39] *** _amrith_ is now known as amrith
[22:44] *** tmcpeak has quit IRC
[22:59] *** pdesai1 has joined #openstack-security
[23:02] *** pdesai has quit IRC
<openstackgerrit> Lucas Fisher proposed stackforge/bandit: Return the full name used in calls
[23:04] <ljfisher> fletcher try this to see if it fixes your problem ^
[23:05] <fletcher> k, will check now
[23:05] *** nkinder has joined #openstack-security
[23:06] *** shakamunyi_ has quit IRC
[23:08] *** bknudson has quit IRC
[23:12] <fletcher> ljfisher: I think that fixed it!
[23:20] *** salv-orlando has quit IRC
[23:21] *** salv-orlando has joined #openstack-security
[23:24] *** pdesai has joined #openstack-security
[23:26] *** pdesai1 has quit IRC
[23:28] *** pdesai has quit IRC
[23:33] *** pdesai has joined #openstack-security
[23:38] *** openstackgerrit has quit IRC
[23:38] *** openstackgerrit has joined #openstack-security
[23:42] *** ljfisher has quit IRC
<openstackgerrit> Dave Belcher proposed stackforge/bandit: Refactored AST processing
[23:51] *** salv-orlando has quit IRC
[23:53] *** pdesai has quit IRC
[23:54] *** pdesai has joined #openstack-security
[23:57] *** pdesai has quit IRC
