46edcc5b057ad51dac1475c49ba3a1ac53ca6fb7 - packaging/sources/barbican-tempest-plugin

commit	46edcc5b057ad51dac1475c49ba3a1ac53ca6fb7	[log] [tgz]
author	millevy <millevy@redhat.com>	Thu Oct 27 10:54:49 2022 +0000
committer	millevy <millevy@redhat.com>	Wed Dec 07 08:01:02 2022 +0000
tree	195520dfc0e41e3fa1224ff44eb25adceca62bbd
parent	519aa80cabe83cd8c2193d483f5dff5213a66719 [diff]

Introduce a new test for "cve_2022_3100"

The exploit is that a malicious user with a Keystone account is able to decrypt
any secret as long as they know the secret's ID by using a specifically crafted
query string:
GET /v1/secrets/{secret-id}/payload?target.secret.read=read

Change-Id: I5e00a188268ef1c25eed8bf3a37197918e529427

barbican_tempest_plugin/services/key_manager/json/secret_client.py[diff]
barbican_tempest_plugin/tests/api/test_cve_2022_3100.py[Added - diff]

2 files changed

tree: 195520dfc0e41e3fa1224ff44eb25adceca62bbd

barbican_tempest_plugin/
tools/
.gitignore
.gitreview
.stestr.conf
.zuul.yaml
CONTRIBUTING.rst
HACKING.rst
LICENSE
README.rst
requirements.txt
setup.cfg
setup.py
test-requirements.txt
tox.ini