[openstack-dev] [nova][neutron] How do you use the instance IP filter?

Matt Riedemann mriedemos at gmail.com
Sat Oct 28 02:00:30 UTC 2017


On 10/26/2017 10:56 PM, Joshua Harlow wrote:
> Just the paranoid person in me, but is it safe to say that the filter 
> that you are showing here does not come from user text?
> 
> Ie these two lines don't come from a user input directly (without going 
> through some filter) do they?
> 
> https://github.com/openstack/nova/blob/16.0.0/nova/compute/api.py#L2458-L2459 
> 
> 
>  From reading it seems like perhaps they do come at least partially from 
> a user, so I am hoping that its not possible for a user to present a 
> 'ip' that is really a complicated regex that takes a long time to 
> compile (and therefore can DOS the nova-api component); but I don't know 
> the surrounding code so I might be wrong...
> 
> Just wondering :-/
> 
> -Josh

We have schema validation on the ip filter but it's just checking that 
it can actually compile it:

https://github.com/openstack/nova/blob/16.0.0/nova/api/validation/validators.py#L35

So yeah, probably a potential problem like you pointed out.

-- 

Thanks,

Matt



More information about the OpenStack-dev mailing list