OpenDaylight JIRA https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 [CONTROLLER-1315] restconf allows alphabetical characters and non-numerical symbols for the flow id field https://jira.opendaylight.org/browse/CONTROLLER-1315 controller <p>Alphabetical characters and non-numerical symbol are inappropriately allowed as flow ID. There is potential for exploitation with characters such as '$' and '@'. Thus, flow IDs like 'abc', or '---' are accepted by restconf.</p> <p>An example of a REST PUT call utilizing "---" as the flow ID that was accepted by the controller is shown below:</p> <p>PUT http://&lt;controller-ip&gt;:8181/restconf/config/opendaylight-inventory:nodes/node/openflow:1/table/0/flow/--- <del>d '&lt;?xml version="1.0" encoding="UTF-8" standalone="no"?&gt;&lt;flow xmlns="urn:opendaylight:flow:inventory"&gt;&lt;hard-timeout&gt;0&lt;/hard-timeout&gt;&lt;idle-timeout&gt;0&lt;/idle-timeout&gt;&lt;priority&gt;2&lt;/priority&gt;&lt;flow-name&gt;flow1&lt;/flow-name&gt;&lt;match&gt;&lt;ethernet-match&gt;&lt;ethernet-type&gt;&lt;type&gt;2048&lt;/type&gt;&lt;/ethernet-type&gt;&lt;/ethernet-match&gt;&lt;ipv4-destination&gt;10.0.0.1/32&lt;/ipv4-destination&gt;&lt;/match&gt;&lt;id&gt;</del>--&lt;/id&gt;&lt;table_id&gt;0&lt;/table_id&gt;&lt;instructions&gt;&lt;instruction&gt;&lt;order&gt;0&lt;/order&gt;&lt;apply-actions&gt;&lt;action&gt;&lt;output-action&gt;&lt;output-node-connector&gt;1&lt;/output-node-connector&gt;&lt;/output-action&gt;&lt;order&gt;0&lt;/order&gt;&lt;/action&gt;&lt;/apply-actions&gt;&lt;/instruction&gt;&lt;/instructions&gt;&lt;/flow&gt;'</p> <p>Operating System: All<br/> Platform: All</p> CONTROLLER-1315 restconf allows alphabetical characters and non-numerical symbols for the flow id field Bug Resolved Cannot Reproduce Unassigned Ryan Goulding Wed, 13 May 2015 16:34:44 +0000 Tue, 25 Jul 2023 08:24:02 +0000 Thu, 14 May 2015 11:08:38 +0000 restconf 0 1 <p>id in openflow model is modeled as string, so openflow model allows such keys and is correct for restconf to accept them.</p> <p>Marking is as Resolved - INVALID - since Restconf is behaving correctly according<br/> to model of flow.</p> <p>If you still see this as a bug, please open issue against openflowplugin with your<br/> rationale why id in flow model should be changed to number instead of string.</p> <p>Could you please elaborate how characters such "$" or "@" may present security flaw?</p> <p>Restconf / MD-SAL / Clustering / Netconf is not interpreting this characters and treats them as pure strings.</p> Development External issue ID 3207 External issue URL Rank 0|i02ptb: