[openstack-dev] [nova][oslo.utils] Bug-1680130 Check validation of UUID length

Jay Pipes jaypipes at gmail.com
Mon Apr 24 15:16:31 UTC 2017


On 04/24/2017 11:00 AM, Eric Fried wrote:
> That's not the only way you can break this, though.  For example,
> '12-3-45-6-78-12-3456-781-234-56-781-234-56-79' still passes the
> modified is_uuid_like(), but still manifests the bug.
>
> Trying to get is_uuid_like() to cover all possible formatting snafus
> while still allowing the same formats as before (e.g. without any
> hyphens at all) is a rabbit hole of mystical depths.

Not necessarily a rabbit hole of mystical depths. :)

We only care about hyphens. So, we could have this check instead:

if val.count('-') not in (0, 4):
    raise TypeError

Best,
-jay

> On 04/24/2017 09:44 AM, Jay Pipes wrote:
>> On 04/24/2017 09:45 AM, Jadhav, Pooja wrote:
>>> Solution 3:
>>>
>>> We can check the UUID in a central place, i.e. in the "is_uuid_like"
>>> method of oslo_utils [4].
>>
>> This gets my vote. It's a bug in the is_uuid_like() function, IMHO, that
>> it returns True for badly-formatted UUID values (like having two
>> consecutive hyphens).
>>
>> FTR, the fix would be pretty simple. Just change this [1] line from this:
>>
>> return str(uuid.UUID(val)).replace('-', '') == _format_uuid_string(val)
>>
>> to this:
>>
>> # Disallow two consecutive hyphens
>> if '--' in val:
>>     raise TypeError
>> return str(uuid.UUID(val)).replace('-', '') == _format_uuid_string(val)
>>
>> Fix it there and you fix this issue for all projects that use it.
>>
>> Best,
>> -jay
>>
>> [1]
>> https://github.com/openstack/oslo.utils/blob/master/oslo_utils/uuidutils.py#L56
>>
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
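
Added example, not part of the original messages and not oslo.utils code: it runs the two checks proposed in this thread, plus a positional layout check that goes beyond them, over four spellings of the same UUID. The function names, the constructed samples and the simplified stand-in for _format_uuid_string() are assumptions made for illustration.

```python
import re
import uuid

# Sample inputs. SCATTERED is the string quoted in the thread; the others are
# constructed here. All four carry the same 32 hex digits.
CANONICAL = "12345678-1234-5678-1234-567812345679"
SCATTERED = "12-3-45-6-78-12-3456-781-234-56-781-234-56-79"
DOUBLE = "12345678--12345678-1234-567812345679"      # '--', four hyphens in total
MISPLACED = "1-2345678123456781234-5678-1234-5679"   # four single hyphens, wrong places
SAMPLES = {"canonical": CANONICAL, "scattered": SCATTERED,
           "double": DOUBLE, "misplaced": MISPLACED}

def lenient(val):
    """Stand-in for the comparison quoted in the thread. uuid.UUID() drops every
    hyphen before parsing, so hyphen placement never affects the result."""
    try:
        # val.replace('-', '').lower() is an assumed simplification of
        # _format_uuid_string(), whose body is not shown in the thread.
        return str(uuid.UUID(val)).replace("-", "") == val.replace("-", "").lower()
    except (TypeError, ValueError, AttributeError):
        return False

def no_double_hyphen(val):
    """First proposal: reject '--' (returns False instead of raising)."""
    return "--" not in val and lenient(val)

def hyphen_count(val):
    """Second proposal: only zero or four hyphens (returns False instead of raising)."""
    return val.count("-") in (0, 4) and lenient(val)

_LAYOUT = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|[0-9a-f]{32}")

def strict(val):
    """Positional check: 8-4-4-4-12 or 32 bare hex digits, nothing else."""
    return isinstance(val, str) and _LAYOUT.fullmatch(val.lower()) is not None

def evaluate():
    """Map each sample name to (lenient, no_double_hyphen, hyphen_count, strict)."""
    return {name: (lenient(v), no_double_hyphen(v), hyphen_count(v), strict(v))
            for name, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, row in evaluate().items():
        print(f"{name:10} {row}")
```

Each proposed check rejects one malformed sample and accepts another; only the positional check rejects all three while still accepting the hyphen-free form.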


