
yahoo-eng-team team mailing list archive

[Bug 1951983] Re: nova contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).


If I understand correctly which module has this issue, this is about
hacking.py.

@dw1s, you say this is before SHA1
8f250f50446ca2d7aa84609d5144088aa4cded78 but I can't find it in the nova
repo.

Either way, this hacking.py module isn't run by our services and is just
used by our PEP8 jobs, so I don't see any problem here.


** Changed in: nova
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1951983

Title:
  nova contains a regular expression that is vulnerable to ReDoS
  (Regular Expression Denial of Service).

Status in OpenStack Compute (nova):
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  # Summary
  nova contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

  # Description

  ReDoS, or Regular Expression Denial of Service, is a vulnerability
  affecting inefficient regular expressions which can perform extremely
  badly when run on a crafted input string.

  # Proof of Concept
  To see that the regular expression is vulnerable, copy-paste it into a separate file & run the code as shown below.

  ```python
  import re

  log_remove_context = re.compile(
      r"(.)*LOG\.(.*)\(.*(context=[_a-zA-Z0-9].*)+.*\)")
  log_remove_context.match('LOG.' + '(' * 3456)
  ```

  # Impact
  This issue may lead to a denial of service.

  # References
  - https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1951983/+subscriptions
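An added example (this editor's, not nova's code or its eventual fix) that puts the reported pattern beside an assumed rewrite with a single lazy quantifier, checks both against constructed sample lines, and times them on the report's `'LOG.' + '(' * n` input so the superlinear growth of the original is visible. The rewrite's intent, flagging `LOG.<method>(... context=<identifier> ...)`, is my reading of the original regex and is an assumption.

```python
import re
import time

# Pattern quoted in the bug report (nova's hacking.py check before the
# fix). Overlapping quantifiers: (.)* ... (.*) ... .* ... (...)+ ... .*
VULNERABLE = re.compile(
    r"(.)*LOG\.(.*)\(.*(context=[_a-zA-Z0-9].*)+.*\)")

# Assumed rewrite (this editor's, not nova's actual fix): one lazy
# quantifier, no nesting, and re.search() instead of a leading (.)*.
# Intent kept, as read from the original: flag LOG.<method>(... context=<id>
HARDENED = re.compile(r"LOG\.\w+\(.*?context=[_a-zA-Z0-9]")


def flagged_vulnerable(line):
    """Would the original check flag this line? (.match, as in the report)"""
    return VULNERABLE.match(line) is not None


def flagged_hardened(line):
    """Would the rewritten check flag this line?"""
    return HARDENED.search(line) is not None


def seconds(fn, text):
    """Wall-clock time of one call of fn(text)."""
    start = time.perf_counter()
    fn(text)
    return time.perf_counter() - start


def growth(fn, sizes):
    """Timings of fn on the report's adversarial input 'LOG.' + '(' * n."""
    return [seconds(fn, "LOG." + "(" * n) for n in sizes]


# Constructed sample source lines (not from nova) with the expected verdict.
SAMPLES = [
    ("LOG.debug('x', context=ctx)", True),
    ("    LOG.warning('msg %s', foo, context=context)", True),
    ("LOG.info('no context kwarg here')", False),
    ("self.context = ctx  # not a LOG call", False),
]

if __name__ == "__main__":
    assert all(flagged_vulnerable(l) == v for l, v in SAMPLES)
    assert all(flagged_hardened(l) == v for l, v in SAMPLES)
    sizes = (500, 1000, 2000)  # kept small: the original grows superlinearly
    for n, t in zip(sizes, growth(flagged_vulnerable, sizes)):
        print(f"vulnerable n={n:5d}: {t:.4f}s")
    print(f"hardened   n=20000: {growth(flagged_hardened, [20000])[0]:.6f}s")
```

Both patterns agree on the sample lines, while only the rewrite stays flat as the crafted input grows.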