Matt Riedemann wrote:
On 10/26/2017 10:56 PM, Joshua Harlow wrote:
Just the paranoid person in me, but is it safe to say that the filter
that you are showing here does not come from user text?

Ie these two lines don't come from a user input directly (without
going through some filter) do they?

https://github.com/openstack/nova/blob/16.0.0/nova/compute/api.py#L2458-L2459


From reading it seems like perhaps they do come at least partially
from a user, so I am hoping that it's not possible for a user to
present an 'ip' that is really a complicated regex that takes a long
time to compile (and therefore can DOS the nova-api component); but I
don't know the surrounding code so I might be wrong...

Just wondering :-/

-Josh

We have schema validation on the ip filter but it's just checking that
it can actually compile it:

https://github.com/openstack/nova/blob/16.0.0/nova/api/validation/validators.py#L35


So yeah, probably a potential problem like you pointed out.


Ya, would seem so, especially if large user strings can get compiled.

Just a reference/useful tidbit but in the `re.py` module there is a cache of the last 512 patterns compiled (surprise! I don't think a lot of people know about it, ha), so assuming that users can present arbitrary (and/or pretty big) input to the REST API of nova then that cache could get pretty large (depending on the allowable request max size) and/or could also be thrashed pretty quickly (also note that regex compiling jumps into C code afaik, so that probably locks up other greenthreads).

The cache layer fyi:

https://github.com/python/cpython/blob/3.6/Lib/re.py#L281-L312

Just a thought but it might just be a good idea to remove this validator and never again do user provided regex patterns/input and such in general (to avoid cache thrashing and various other ReDoS or ReDoS-like problems).

-Josh
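An added example, not nova's code and not part of this thread, sketching the mitigation Josh suggests: the client-supplied `ip` filter is validated as a plain address fragment and matched as a literal, so nothing the client sends ever becomes a regular expression. The function names, the length cap, the allowed character set and the sample addresses are assumptions constructed for the example; the "before" function only illustrates the pattern being discussed (compiling whatever the client sent).

```python
import re

# Assumed limits for the example: an address fragment never needs more
# than this, and a hard cap bounds both compile time and cache footprint.
MAX_FILTER_LEN = 64

# Only characters that can appear in an IPv4/IPv6 address fragment.
# Regex metacharacters ((, +, *, |, [, ...) are excluded outright.
_ALLOWED = re.compile(r"^[0-9A-Fa-f.:]+$")

# Constructed sample data standing in for instance fixed IPs.
SAMPLE_ADDRESSES = ["10.0.0.5", "10.0.1.7", "192.168.1.10", "fe80::1"]


class InvalidFilter(ValueError):
    """Raised when the client-supplied filter value is rejected."""


def unsafe_ip_filter(user_pattern, addresses):
    """'Before' sketch: compiles the raw client value as a regex.

    Compile cost and match cost are then under the client's control,
    and every distinct value lands in re's module-level pattern cache.
    """
    pat = re.compile(user_pattern)
    return [a for a in addresses if pat.search(a)]


def validate_ip_filter(user_value):
    """Accept only a short literal address fragment; reject everything else."""
    if not isinstance(user_value, str):
        raise InvalidFilter("ip filter must be a string")
    if not user_value or len(user_value) > MAX_FILTER_LEN:
        raise InvalidFilter("ip filter length must be 1..%d" % MAX_FILTER_LEN)
    if not _ALLOWED.match(user_value):
        raise InvalidFilter("ip filter may only contain hex digits, '.' and ':'")
    return user_value


def safe_ip_filter(user_value, addresses):
    """'After' sketch: match the validated value as a literal substring.

    re.escape() turns the fragment into a pattern with no quantifiers or
    groups, so its size is linear in the input and both compile and match
    time are bounded by the length cap above. A plain `literal in a` test
    would do equally well; the escaped regex keeps the shape of code that
    previously used pat.search().
    """
    literal = validate_ip_filter(user_value)
    pat = re.compile(re.escape(literal))
    return [a for a in addresses if pat.search(a)]


def is_rejected(user_value):
    """Helper for tests: True if the validator refuses the value."""
    try:
        validate_ip_filter(user_value)
    except InvalidFilter:
        return True
    return False


if __name__ == "__main__":
    print(safe_ip_filter("10.0.0.", SAMPLE_ADDRESSES))
    print(is_rejected("(a+)+$"), is_rejected("10.0.*"))
```

The trade-off is explicit: clients lose the ability to pass wildcard regexes such as `10.0.*` to the filter, which is exactly the capability Josh proposes dropping; a prefix or substring match covers the common case without ever compiling client-controlled patterns.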

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
