[openstack-dev] [nova][neutron] How do you use the instance IP filter?
Matt Riedemann
mriedemos at gmail.com
Sat Oct 28 02:00:30 UTC 2017
On 10/26/2017 10:56 PM, Joshua Harlow wrote:
> Just the paranoid person in me, but is it safe to say that the filter
> that you are showing here does not come from user text?
>
> Ie these two lines don't come from a user input directly (without going
> through some filter) do they?
>
> https://github.com/openstack/nova/blob/16.0.0/nova/compute/api.py#L2458-L2459
>
>
> From reading it seems like perhaps they do come at least partially from
> a user, so I am hoping that its not possible for a user to present a
> 'ip' that is really a complicated regex that takes a long time to
> compile (and therefore can DOS the nova-api component); but I don't know
> the surrounding code so I might be wrong...
>
> Just wondering :-/
>
> -Josh
We have schema validation on the ip filter but it's just checking that
it can actually compile it:
https://github.com/openstack/nova/blob/16.0.0/nova/api/validation/validators.py#L35
So yeah, probably a potential problem like you pointed out.
--
Thanks,
Matt
More information about the OpenStack-dev
mailing list