Bug #37793
open
Content-View publish causes mass host.updated events, potentially resulting in DOS of external services via webhooks
Description
When publishing a CV version to a new lifecycle environment, all hosts consuming that CV in that LCE will trigger a Katello::Host::ContentFacet update event through the calculate errata applicability tasks, which in turn then triggers the host_updated event on every one of those hosts, causing the "host updated" webhooks to fire for each one of those hosts in rapid succession.
Depending on the hooks the user has set up, this can potentially lead to a DOS of external services. In combination with the shellhooks plugin on the internal smart-proxy, it is even possible to DOS the Foreman server itself.
- Have a Katello instance with the webhooks plugin installed
- Create a CV and an LCE
- Publish that CV to the LCE
- Add some hosts to the CV and the LCE
- Configure a webhook for the "Host updated" event
- Publish a new version of the CV and promote it to the LCE
This issue is a result of previous discussions on the forum: https://community.theforeman.org/t/katello-with-webhooks-causes-dos-on-cv-publish/39329
Updated by