[openstack-dev] [nova][neutron] How do you use the instance IP filter?
harlowja at fastmail.com
Sat Oct 28 21:51:07 UTC 2017
Matt Riedemann wrote:
> On 10/26/2017 10:56 PM, Joshua Harlow wrote:
>> Just the paranoid person in me, but is it safe to say that the filter
>> that you are showing here does not come from user text?
>> Ie these two lines don't come from a user input directly (without
>> going through some filter) do they?
>> From reading it seems like perhaps they do come at least partially
>> from a user, so I am hoping that its not possible for a user to
>> present a 'ip' that is really a complicated regex that takes a long
>> time to compile (and therefore can DOS the nova-api component); but I
>> don't know the surrounding code so I might be wrong...
>> Just wondering :-/
> We have schema validation on the ip filter but it's just checking that
> it can actually compile it:
> So yeah, probably a potential problem like you pointed out.
Ya, would seem so, especially if large user strings can get compiled.
Just a reference/useful tidbit but in the `re.py` module there is a
cache of the last 512 patterns compiled (suprise! i don't think a lot of
people know about it, ha), so assuming that users can present arbitrary
(and/or pretty big) input to the REST api of nova then that cache could
pretty large (depending on the allowable request max size) and/or could
also be thrashed pretty quickly (also note that regex compiling jumps
into C code afaik, so that probably locks up other greenthreads).
The cache layer fyi:
Just a thought but it might just be a good idea to remove this validator
and never again do user provided regex patterns/input and such in
general (to avoid cache thrashing and various other ReDoS or ReDoS-like
More information about the OpenStack-dev