On 10/26/2017 10:56 PM, Joshua Harlow wrote:
> Just the paranoid person in me, but is it safe to say that the filter
> that you are showing here does not come from user text?
> I.e. these two lines don't come from a user input directly (without going
> through some filter) do they?
> https://github.com/openstack/nova/blob/16.0.0/nova/compute/api.py#L2458-L2459
> From reading it seems like perhaps they do come at least partially from
> a user, so I am hoping that it's not possible for a user to present a
> 'ip' that is really a complicated regex that takes a long time to
> compile (and therefore can DOS the nova-api component); but I don't know
> the surrounding code so I might be wrong...
> Just wondering :-/
> -Josh

We have schema validation on the ip filter but it's just checking that
it can actually compile it:
https://github.com/openstack/nova/blob/16.0.0/nova/api/validation/validators.py#L35
So yeah, probably a potential problem like you pointed out.
--
Thanks,
Matt
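
The gap discussed in this thread, as an added example (not nova's code and not written by either poster): a check that only confirms the pattern compiles accepts a pattern with nested repetition, while a stricter validator rejects it before it reaches the regex engine. The length and quantifier limits, the allowed character set and the function names are assumptions chosen for illustration.

```python
import re

# Assumed limits for this sketch; they are not values taken from nova.
MAX_FILTER_LEN = 64
MAX_QUANTIFIERS = 3

# Characters sufficient for IPv4/IPv6 prefixes and simple anchored patterns.
# '(' , ')' and '|' are excluded, so groups and nested repetition cannot be written.
ALLOWED = re.compile(r"[0-9A-Fa-f.:\\^$*+?\[\]{},-]*")

# Counts *, +, ? and {m,n}. Escaped or bracketed occurrences are also counted,
# which only makes the check stricter.
QUANTIFIER = re.compile(r"[*+?]|\{\d*,?\d*\}")


def compile_only_check(pattern):
    """The kind of validation described in the reply: accept anything that compiles."""
    try:
        re.compile(pattern)
    except re.error:
        return False
    return True


def strict_check(pattern):
    """Bound length, alphabet and quantifier count before compiling."""
    if not isinstance(pattern, str) or len(pattern) > MAX_FILTER_LEN:
        return False
    if not ALLOWED.fullmatch(pattern):
        return False
    if len(QUANTIFIER.findall(pattern)) > MAX_QUANTIFIERS:
        return False
    return compile_only_check(pattern)


if __name__ == "__main__":
    # Constructed sample filters, not taken from any real request.
    samples = ["10.0.0.", r"^192\.168\.1\.\d+$", "2001:db8::",
               "(a+)+$", ".*.*.*.*1", "[0-9"]
    for s in samples:
        print(f"{s!r:24} compile_only={compile_only_check(s)} "
              f"strict={strict_check(s)}")
```

Capping the quantifier count matters because even without groups, a long run of `.*` terms backtracks polynomially; the cap keeps that bounded for the short strings an IP filter is matched against.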