Monday, 2015-03-02

*** linuxuser has joined #openstack-security		00:06
*** JAHoagie has joined #openstack-security		00:54
*** JAHoagie has quit IRC		01:03
*** amrith is now known as _amrith_		01:41
*** ukbelch has quit IRC		01:46
*** ukbelch_ has quit IRC		01:46
*** _amrith_ is now known as amrith		01:51
*** amrith is now known as _amrith_		02:12
*** jhonangel123 has joined #openstack-security		02:19
*** ukbelch has joined #openstack-security		02:42
*** ukbelch_ has joined #openstack-security		02:42
*** ukbelch_ has quit IRC		02:46
*** ukbelch has quit IRC		02:47
*** _amrith_ is now known as amrith		03:01
*** nkinder has joined #openstack-security		03:38
*** dave-mccowan has quit IRC		03:50
*** jhonangel123 has quit IRC		04:03
*** ukbelch_ has joined #openstack-security		04:08
*** ukbelch has joined #openstack-security		04:08
*** ukbelch_ has quit IRC		04:13
*** ukbelch has quit IRC		04:13
*** OnlyKnockOnce has joined #openstack-security		05:08
*** OnlyKnockOnce has left #openstack-security		05:09
*** ukbelch has joined #openstack-security		05:57
*** ukbelch_ has joined #openstack-security		05:57
*** ukbelch has quit IRC		06:01
*** ukbelch_ has quit IRC		06:01
*** JAHoagie has joined #openstack-security		06:14
*** ukbelch has joined #openstack-security		06:58
*** ukbelch_ has joined #openstack-security		06:58
*** ukbelch_ has quit IRC		07:02
*** ukbelch has quit IRC		07:02
*** v4s has quit IRC		07:50
*** JAHoagie has quit IRC		07:55
*** v4s has joined #openstack-security		08:01
*** salv-orlando has joined #openstack-security		08:44
*** ukbelch has joined #openstack-security		08:46
*** ukbelch_ has joined #openstack-security		08:46
*** ukbelch has quit IRC		08:51
*** ukbelch_ has quit IRC		08:51
*** ukbelch has joined #openstack-security		08:53
*** ukbelch_ has joined #openstack-security		08:53
*** ukbelch has quit IRC		08:55
*** ukbelch_ has quit IRC		08:55
*** ukbelch has joined #openstack-security		08:58
*** ukbelch_ has joined #openstack-security		08:58
*** tkelsey has joined #openstack-security		09:05
*** salv-orlando has quit IRC		09:13
*** salv-orlando has joined #openstack-security		09:14
*** ukbelch_ has quit IRC		09:19
*** ukbelch_ has joined #openstack-security		09:19
*** ukbelch has quit IRC		09:20
*** ukbelch has joined #openstack-security		09:20
*** salv-orlando has quit IRC		10:11
openstackgerrit	Dave Belcher proposed stackforge/bandit: Refactored AST processing https://review.openstack.org/160166	10:26
openstackgerrit	Dave Belcher proposed stackforge/bandit: Refactored AST processing https://review.openstack.org/160166	10:36
openstackgerrit	Dave Belcher proposed stackforge/bandit: Refactored AST processing https://review.openstack.org/160166	10:40
*** ukbelch has quit IRC		10:59
*** ukbelch_ has quit IRC		10:59
*** ukbelch has joined #openstack-security		11:01
*** ukbelch_ has joined #openstack-security		11:01
*** ukbelch has quit IRC		11:02
*** ukbelch_ has quit IRC		11:05
*** ukbelch has joined #openstack-security		11:06
*** ukbelch_ has joined #openstack-security		11:06
*** gabriela has joined #openstack-security		11:07
*** gabriela has left #openstack-security		11:08
*** ukbelch has quit IRC		11:15
*** ukbelch_ has quit IRC		11:15
*** ukbelch has joined #openstack-security		11:15
*** ukbelch_ has joined #openstack-security		11:15
*** ukbelch_ has quit IRC		11:17
*** ukbelch has quit IRC		11:19
*** ukbelch has joined #openstack-security		11:20
*** ukbelch has quit IRC		11:36
*** v4s has quit IRC		12:12
*** v4s has joined #openstack-security		12:18
*** dave-mccowan has joined #openstack-security		12:21
*** optik_ has joined #openstack-security		12:37
*** optik_ has quit IRC		12:38
*** markvoelker has joined #openstack-security		13:08
*** tmcpeak has joined #openstack-security		13:27
*** amrith is now known as _amrith_		13:30
*** salv-orlando has joined #openstack-security		13:43
*** ukbelch has joined #openstack-security		13:45
*** bknudson has quit IRC		13:46
*** ukbelch has quit IRC		13:47
*** ukbelch has joined #openstack-security		13:50
*** ljfisher has joined #openstack-security		13:53
*** singlethink has joined #openstack-security		13:55
*** bknudson has joined #openstack-security		14:10
*** ukbelch has quit IRC		14:17
*** nkinder has quit IRC		14:19
*** tmcpeak1 has joined #openstack-security		14:28
*** tmcpeak has quit IRC		14:29
*** tmcpeak1 has quit IRC		14:36
*** tmcpeak has joined #openstack-security		14:37
*** JAHoagie has joined #openstack-security		14:42
*** _amrith_ is now known as amrith		14:55
*** singlethink has quit IRC		15:01
*** singlethink has joined #openstack-security		15:02
*** nkinder has joined #openstack-security		15:13
*** tmcpeak has quit IRC		15:15
*** JAHoagie has quit IRC		15:15
*** tmcpeak has joined #openstack-security		15:16
*** voodookid has joined #openstack-security		15:39
*** bpokorny has quit IRC		15:41
*** salv-orlando has quit IRC		15:55
*** salv-orlando has joined #openstack-security		15:55
*** bpokorny has joined #openstack-security		15:55
*** salv-orlando has quit IRC		16:00
*** dave-mccowan has quit IRC		16:08
*** JAHoagie has joined #openstack-security		16:19
*** dave-mccowan has joined #openstack-security		16:28
*** singlethink has quit IRC		16:34
*** pdesai has joined #openstack-security		16:54
*** singlethink has joined #openstack-security		17:00
*** bdpayne has joined #openstack-security		17:04
*** singlethink has quit IRC		17:04
*** pdesai has quit IRC		17:09
*** pdesai has joined #openstack-security		17:09
*** singlethink has joined #openstack-security		17:16
*** salv-orlando has joined #openstack-security		17:16
*** tmcpeak1 has joined #openstack-security		17:18
*** tmcpeak has quit IRC		17:18
openstackgerrit	Gauvain Pocentek proposed openstack/security-doc: Fixes for grammatical errors https://review.openstack.org/157456	17:19
bdpayne	nkinder What are your thoughts on https://review.openstack.org/#/c/157991/. We can't really do 2 +2's and a "core" review b/c it isn't an OpenStack project. What criteria should we use for accepting it?	17:38
bdpayne	nkinder Perhaps if you are happy then we should call it good?	17:39
nkinder	bdpayne: checking...	17:39
openstackgerrit	Merged openstack/security-doc: Adding clarification to Networking's security guide references. https://review.openstack.org/157162	17:40
nkinder	bdpayne: yeah, we can just waive the "core" requirement since there is not really a project associated with this.	17:41
nkinder	bdpayne: let me finish reviewing, then I'll +A if it looks good	17:42
bdpayne	sounds good, thanks!	17:42
nkinder	bdpayne: Approved. I'll publish it this afternoon when I get some free time.	17:51
bdpayne	cool, thanks again	17:51
openstackgerrit	Merged openstack/security-doc: Add text for OSSN-0044 https://review.openstack.org/157991	17:56
*** sicarie has joined #openstack-security		17:57
bdpayne	It's time for the security guide meeting. Do we have anyone here for that?	18:00
sicarie	o/	18:00
elmiko	yo/	18:00
pdesai	Yup	18:00
bdpayne	hi everyone	18:01
bdpayne	so we can get started	18:01
sicarie	Doug's skiing (or traveling to/from) so I think he's going to miss this one	18:01
bdpayne	silly Doug	18:01
bdpayne	like skiing is more interesting than this ;-)	18:01
pdesai	lol	18:02
elmiko	hehe	18:02
bdpayne	on the agenda I have bug triage, open CRs, and that's about all	18:02
bdpayne	anything else?	18:02
elmiko	nothing from me	18:02
sicarie	nope, that looks good	18:02
bdpayne	https://bugs.launchpad.net/openstack-manuals/+bugs?field.tag=sec-guide	18:02
pdesai	i have discussion around the diagrams (images) and checklist	18:02
bdpayne	ok, sounds good	18:02
bdpayne	so let's start with bug triage	18:03
bdpayne	I just see one new one	18:03
bdpayne	https://bugs.launchpad.net/openstack-manuals/+bug/1425762	18:03
openstack	Launchpad bug 1425762 in openstack-manuals "Database SSL transport config example missing OS service database config" [Undecided,In progress] - Assigned to Shail Bhargava (shabharg)	18:03
bdpayne	so Shail filed this bug and already has a CR up	18:04
elmiko	nice	18:04
elmiko	sounds like maybe a high prio	18:04
bdpayne	I think this is valid, but perhaps a low	18:04
bdpayne	helps to clarify, but we aren't making a bad recommendation or anything like that	18:04
bdpayne	thoughts?	18:04
sicarie	My concern is around the use of SSL	18:05
elmiko	ahh, i thought it was missing info that was needed	18:05
sicarie	Though I haven't looked into this I would imagine TLS is possible	18:05
bdpayne	oh yeah	18:06
bdpayne	so I read this as we recommend setting up TLS on the database	18:06
bdpayne	but for openstack services to work with that, they will need the cert chain so that it can verify the connection	18:06
bdpayne	and we didn't talk about providing the cert chain	18:06
bdpayne	so yeah, we can comment on using TLS instead of SSL here	18:07
sicarie	Yep, definitely looks valid, probably medium?	18:07
bdpayne	Med/Low... I could do either	18:08
sicarie	Additionally, the example above is for PostGRE, this looks mysql specific, it'd be nice to either have a generic pointer, or examples for both (as it looks relatively small) if they're different	18:08
bdpayne	ok, I've added some comments	18:10
bdpayne	made it a medium	18:10
sicarie	+1	18:10
bdpayne	ok, I don't see any others that need triage	18:10
bdpayne	so next step is to review open CRs	18:11
bdpayne	https://review.openstack.org/#/c/157550/	18:11
bdpayne	This is the "additional ways to configure SSL" one with content from Nathan's blog	18:12
bdpayne	I think the next step here is to adjust the colors on the images?	18:12
bdpayne	pdesai can you speak to this?	18:12
pdesai	yup, tried to play with inkscpae with Solarize palette but natively it does not have support for that palette	18:12
pdesai	same with Open Sans fonts	18:13
bdpayne	yeah, I think you just need to manually use those colors	18:13
bdpayne	the font is something you can add to your system	18:13
pdesai	Vector paint has support for solarize palette, i am exploring Vector Paint	18:14
bdpayne	ah, ok	18:14
bdpayne	that works too	18:14
bdpayne	so the next one is https://review.openstack.org/#/c/157456/	18:14
pdesai	how about we go with ascii flow otherwise? thoughts?	18:14
bdpayne	I think this is gtg, just need another review	18:14
bdpayne	pdesai I can help with the graphics if needed, I'd rather do that than move to ascii	18:15
elmiko	my preference is for the graphics, but if it becomes too big an issue then ascii as last resort	18:15
bdpayne	https://review.openstack.org/#/c/158354/ has a merge conflict	18:15
elmiko	i'll echo bdpayne as well, if you need help i know inkscape pretty well	18:15
pdesai	ok cool, i will give it a shot tonight and if it doesnt work, i will reach out to bdpayne	18:15
bdpayne	cool	18:16
bdpayne	sicarie If you see Shellee could you ping here on https://review.openstack.org/#/c/158354/ about the merge conflict?	18:16
bdpayne	should be straight forward to address	18:16
sicarie	Sure	18:16
bdpayne	thanks	18:17
bdpayne	next up is https://review.openstack.org/#/c/159668/	18:17
bdpayne	this is the CR associated with the bug we just triaged	18:17
bdpayne	it basically just needs reviews at this point	18:17
bdpayne	I'll look later today	18:17
bdpayne	finally we have https://review.openstack.org/#/c/157164/	18:17
*** browne has joined #openstack-security		18:17
bdpayne	pdesai on this one I guess we have some open formatting questions	18:18
bdpayne	Do you want to follow up with Anne to see if she has suggestions?	18:18
pdesai	this is hug, yup i have made significant progress and will upload new patch	18:18
*** tmcpeak1 has quit IRC		18:18
bdpayne	hug?	18:19
pdesai	i will follow up with her as well, on how to automate adding checklist in the appendix	18:19
bdpayne	ok cool	18:19
pdesai	oops typo, hug => huge	18:19
bdpayne	ahh	18:19
bdpayne	yeah, I know it would be more work up front, but I think it would pay off pretty quickly in terms of maintenance costs	18:19
*** tmcpeak has joined #openstack-security		18:19
pdesai	yup, agree, hopefully we can finalize the format before next sync up	18:20
bdpayne	ok cool	18:20
bdpayne	thanks	18:20
bdpayne	so that's all that I have then	18:20
bdpayne	anything else to discuss?	18:20
elmiko	nothing from me	18:21
pdesai	nope	18:21
sicarie	just ping'd shellee she's going to take a look at the merge conflict today	18:21
sicarie	nothing else from me	18:21
bdpayne	kk thanks all, I'll see you next week!	18:21
pdesai	thanks everyone	18:21
elmiko	thanks bdpayne !	18:21
sicarie	thanks!	18:21
*** tmcpeak has quit IRC		18:22
*** sicarie_ has joined #openstack-security		18:25
*** sicarie has quit IRC		18:26
*** sicarie_ has left #openstack-security		18:26
openstackgerrit	Dave Belcher proposed stackforge/bandit: Refactored AST processing https://review.openstack.org/160166	18:28
*** sicarie has joined #openstack-security		18:31
openstackgerrit	Merged openstack/security-doc: Fixes for grammatical errors https://review.openstack.org/157456	18:37
*** ukbelch has joined #openstack-security		18:49
openstackgerrit	Dave Belcher proposed stackforge/bandit: Refactored AST processing https://review.openstack.org/160166	19:01
*** ukbelch has quit IRC		19:13
*** shakamunyi has joined #openstack-security		19:20
*** ukbelch has joined #openstack-security		19:33
*** tkelsey has quit IRC		19:33
*** tmcpeak has joined #openstack-security		19:34
*** ukbelch has quit IRC		19:35
*** sicarie has quit IRC		19:40
openstackgerrit	Rob Fletcher proposed stackforge/bandit: Add mako templating plugin and XSS profile https://review.openstack.org/158801	19:48
*** pdesai has quit IRC		20:20
*** fletcher has joined #openstack-security		20:32
fletcher	tmcpeak, chair6, ljfisher and tkelsey - so I've done some digging on the false negative related to https://review.openstack.org/#/c/158801/	20:33
fletcher	If you guys don't mind to go read the comment I've left and respond if you think you might know what's up	20:33
fletcher	the false negative appears to becoming from one of the utils functions not calucatling qualname list correctly	20:33
ljfisher	I think I see the bug	20:37
ljfisher	I think get_call_name returns just the base name and not the qualified name	20:39
ljfisher	was thinking there was a separate func for call qualname but don’t see it	20:41
fletcher	yah, neither do i	20:41
fletcher	during my debugging, i added some ast.walk stuff for the Attribute case, and the info is definitely all there	20:42
fletcher	do you know of an easy fix?	20:42
ljfisher	ah, I see.	20:42
fletcher	e.g.	20:42
fletcher	<_ast.Attribute object at 0x108cf34d0> <_ast.Attribute object at 0x108cf34d0> id: None name: None <_ast.Name object at 0x108cf35d0> id: mako name: None <_ast.Load object at 0x1089ee190> id: None name: None <_ast.Load object at 0x1089ee190> id: None name: None Template ['Template'] Template	20:42
fletcher	ahhhhhh, well that pasted horribly	20:42
ljfisher	is template an object?	20:43
fletcher	http://pastebin.com/ezRKifJh	20:43
fletcher	http://pastebin.com/1NbsVDRs	20:43
fletcher	that's what input file looks like	20:43
ljfisher	so we can’t get that	20:43
fletcher	Is that a question or statement?	20:44
ljfisher	statement	20:44
fletcher	Interesting, why not?	20:44
ljfisher	so mako.template returns an object, correct?	20:44
fletcher	based on my first pastebin, the info is there	20:44
fletcher	So if I do type(mako.template)	20:46
fletcher	it returns	20:46
fletcher	AttributeError: 'module' object has no attribute 'template'	20:46
ljfisher	as snipplet of the ast tree would be useful	20:46
fletcher	here ya go	20:47
fletcher	http://pastebin.com/d7npvrhQ	20:47
fletcher	maybe not exactly what you're looking for, but that's my debug output so far	20:48
ljfisher	when you run with -d you get dumps of the ast tree I think	20:48
fletcher	Kk	20:49
fletcher	http://pastebin.com/0e4zdypF	20:49
fletcher	also, thank for the help! :)	20:51
*** pdesai has joined #openstack-security		20:52
ljfisher	ok, I think I see. So attributes are for access members of an object.	20:54
ljfisher	That object can be static or dynamic.	20:55
fletcher	uhhhh, sure! lol ;)	20:56
ljfisher	In this case is <package>.<module>.<class> and everything is static but we don’t know that	20:56
ljfisher	we have three levels in this case mako,template.Template	20:56
ljfisher	OpenStack code never does that so I missed it	20:56
ljfisher	or at least the code I’ve looked at	20:57
ljfisher	it seems to do ‘from make.template import Template’	20:57
ljfisher	more often	20:57
fletcher	ah ok, so it sounds like you've got your head around a fix?	20:57
fletcher	yah, completely agree on the typical usecase	20:57
ljfisher	so we can resolve mako.template.Template	20:58
fletcher	i actually added a bunch of weird imports to see if something like this does happen	20:58
ljfisher	using import_aliases	20:58
ljfisher	that’s good	20:58
ljfisher	using just the information in the file we can’t tell if mako.template is an object, class, module	20:58
ljfisher	we could just take what we see in the file and sometimes it will work.	21:00
fletcher	So i'm a bit confused, doesn't the utils function have all the info necessary?	21:00
fletcher	just a matter of construct qualname_list differently?	21:00
ljfisher	Yeah. I was trying to be correct instead of making it work in most cases.	21:01
ljfisher	we could have module.foo.method call	21:01
ljfisher	where foo is an instance of Bar	21:02
ljfisher	we can’t write a test to detect all calls to Bar.method because we can’t tell foo is an instance of bar	21:02
ljfisher	but times like this mako case nothering in that function name is a variable	21:03
ljfisher	So I wanted calls to module.foo.method to resolve to Bar.method, but we can’t do that. It is probably safe to have module.foo.method resolve to module.foo.method even though that doesn’t tell you what is being called. Sometime we will call package.module.class and it will tell us enough to write a test.	21:06
*** shakamunyi has quit IRC		21:07
*** shakamunyi has joined #openstack-security		21:08
ljfisher	You are correct it is easy to see mako.template.Template. But hard to know to know what function that actually refers to without more information. But for writing tests it really doesn’t matter.	21:08
ljfisher	that make sense at all?	21:09
fletcher	sorry, back. catching up	21:14
fletcher	Yah, I think that makes sense to me	21:16
fletcher	So do you think that's a change you can make pretty easily? Or do you want me to attempt to? :)	21:17
tmcpeak	reading this	21:19
ljfisher	So I think what needs to happen is recursive dept-first traversal of Call.func to build up the attribute names. At each level we have to check the import_aliases table to see if an alias exists for the name and subtitute it if it does.	21:23
tmcpeak	fletcher, ljfisher: ok - I think bug makes sense (at least from a cursory level)	21:23
tmcpeak	that sounds like a pain in the ass	21:23
ljfisher	eh, I think about 10-15 lines :)	21:24
tmcpeak	do I hear a volunteer? :)	21:24
fletcher	lol	21:24
ljfisher	yeah, I’ll take a look. It really is my bug	21:24
fletcher	boom, nice	21:24
tmcpeak	sweet :)	21:24
tmcpeak	good catch with the extra testing @fletcher	21:24
fletcher	I'll be interested to see if this causes tests to fail, once it's fixed	21:24
fletcher	can't imagine it will	21:24
ljfisher	I punted on this case not thinking that all the components could be static	21:24
*** amrith is now known as _amrith_		21:25
tmcpeak	sure, well before that it was extremely primitive. Good to see this moving towards comprehensiveness	21:25
tmcpeak	comprehensivity	21:25
tmcpeak	or whatever the word is	21:25
tmcpeak	biab	21:26
*** dave-mccowan has quit IRC		21:47
*** shakamunyi_ has joined #openstack-security		21:53
*** shakamunyi has quit IRC		21:54
*** nkinder has quit IRC		22:01
*** mihero has quit IRC		22:03
*** dave-mccowan has joined #openstack-security		22:04
*** ukbelch has joined #openstack-security		22:08
*** mihero has joined #openstack-security		22:11
*** ukbelch has quit IRC		22:14
*** pdesai has quit IRC		22:20
*** pdesai has joined #openstack-security		22:23
openstackgerrit	Priti Desai proposed openstack/security-doc: Adding Security Checklist https://review.openstack.org/157164	22:32
*** _amrith_ is now known as amrith		22:39
*** tmcpeak has quit IRC		22:44
*** pdesai1 has joined #openstack-security		22:59
*** pdesai has quit IRC		23:02
openstackgerrit	Lucas Fisher proposed stackforge/bandit: Return the full name used in calls https://review.openstack.org/160546	23:04
ljfisher	fletcher try this to see if it fixes your problem ^	23:04
fletcher	k, will check now	23:05
*** nkinder has joined #openstack-security		23:05
*** shakamunyi_ has quit IRC		23:06
*** bknudson has quit IRC		23:08
fletcher	ljfisher: I think that fixed it!	23:12
fletcher	http://pastebin.com/jJDtiQLy	23:13
ljfisher	cool	23:16
*** salv-orlando has quit IRC		23:20
*** salv-orlando has joined #openstack-security		23:21
*** pdesai has joined #openstack-security		23:24
*** pdesai1 has quit IRC		23:26
*** pdesai has quit IRC		23:28
*** pdesai has joined #openstack-security		23:33
*** openstackgerrit has quit IRC		23:38
*** openstackgerrit has joined #openstack-security		23:38
*** ljfisher has quit IRC		23:42
openstackgerrit	Dave Belcher proposed stackforge/bandit: Refactored AST processing https://review.openstack.org/160166	23:46
*** salv-orlando has quit IRC		23:51
*** pdesai has quit IRC		23:53
*** pdesai has joined #openstack-security		23:54
*** pdesai has quit IRC		23:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!