[openstack-dev] [nova][neutron] How do you use the instance IP filter?

Joshua Harlow harlowja at fastmail.com
Sat Oct 28 21:51:07 UTC 2017


Matt Riedemann wrote:
> On 10/26/2017 10:56 PM, Joshua Harlow wrote:
>> Just the paranoid person in me, but is it safe to say that the filter
>> that you are showing here does not come from user text?
>>
>> Ie these two lines don't come from a user input directly (without
>> going through some filter) do they?
>>
>> https://github.com/openstack/nova/blob/16.0.0/nova/compute/api.py#L2458-L2459
>>
>>
>> From reading it seems like perhaps they do come at least partially
>> from a user, so I am hoping that its not possible for a user to
>> present a 'ip' that is really a complicated regex that takes a long
>> time to compile (and therefore can DOS the nova-api component); but I
>> don't know the surrounding code so I might be wrong...
>>
>> Just wondering :-/
>>
>> -Josh
>
> We have schema validation on the ip filter but it's just checking that
> it can actually compile it:
>
> https://github.com/openstack/nova/blob/16.0.0/nova/api/validation/validators.py#L35
>
>
> So yeah, probably a potential problem like you pointed out.
>

Ya, would seem so, especially if large user strings can get compiled.

Just a reference/useful tidbit but in the `re.py` module there is a 
cache of the last 512 patterns compiled (suprise! i don't think a lot of 
people know about it, ha), so assuming that users can present arbitrary 
(and/or pretty big) input to the REST api of nova then that cache could 
pretty large (depending on the allowable request max size) and/or could 
also be thrashed pretty quickly (also note that regex compiling jumps 
into C code afaik, so that probably locks up other greenthreads).

The cache layer fyi:

https://github.com/python/cpython/blob/3.6/Lib/re.py#L281-L312

Just a thought but it might just be a good idea to remove this validator 
and never again do user provided regex patterns/input and such in 
general (to avoid cache thrashing and various other ReDoS or ReDoS-like 
problems).

-Josh



More information about the OpenStack-dev mailing list