If I understand correctly which module has this issue, this is about hacking.py.
@dw1s, you tell this is before SHA1 8f250f50446ca2d7aa84609d5144088aa4cded78 but I can't find it in the nova repo. Either way, this hacking.py module isn't run by our services and is just used by our PEP8 jobs, so I don't see any problem here.

** Changed in: nova
   Status: New => Won't Fix

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1951983

Title:
  nova contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

Status in OpenStack Compute (nova):
  Won't Fix
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:

# Summary

nova contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

# Description

ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions which can perform extremely badly when run on a crafted input string.

# Proof of Concept

To see that the regular expression is vulnerable, copy-paste it into a separate file & run the code as shown below.

```python
import re

# The pattern from nova's hacking.py check; the stacked unbounded wildcards
# ((.)*, (.*), .*, (...)+) make the matcher backtrack exponentially on
# input that almost matches but never closes.
log_remove_context = re.compile(
    r"(.)*LOG\.(.*)\(.*(context=[_a-zA-Z0-9].*)+.*\)")
log_remove_context.match('LOG.' + '(' * 3456)
```

# Impact

This issue may lead to a denial of service.

# References

- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1951983/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
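An added example, not code from the bug report or from nova: the same style check rewritten without the stacked unbounded wildcards that cause the backtracking blow-up. It assumes the hacking rule's intent is to flag `LOG.<method>(...)` calls that pass a `context=` keyword argument, and requires `context` as a whole keyword (the `\b`), which is an assumption about the rule; the timing helper shows the rewrite returns promptly on the reporter's 3456-parenthesis input.

```python
import re
import time

# Hardened rewrite (assumed intent: flag LOG calls that pass context=).
# Only one unbounded ".*" remains, so a non-matching line costs at most a
# linear scan per candidate start instead of an exponential set of splits.
SAFE_LOG_REMOVE_CONTEXT = re.compile(r"LOG\.\w+\(.*\bcontext=[_a-zA-Z0-9]")

# Constructed sample lines, not taken from nova.
FLAGGED_LINES = [
    'LOG.info("starting instance", context=ctx)',
    "LOG.debug('x', instance=inst, context=context)",
]
IGNORED_LINES = [
    'LOG.info("starting instance", instance=inst)',
    "context = ctx",
    "LOG.warning('y', thecontext=ctx)",  # "context" is not a whole keyword here
]


def has_context_kwarg(line: str) -> bool:
    """Return True if the line is a LOG.<method>( ... context=<value> ... ) call."""
    return SAFE_LOG_REMOVE_CONTEXT.search(line) is not None


def timed_check(line: str) -> tuple[bool, float]:
    """Run the check and return (matched, elapsed_seconds) so cost can be asserted."""
    start = time.perf_counter()
    matched = has_context_kwarg(line)
    return matched, time.perf_counter() - start


if __name__ == "__main__":
    for sample in FLAGGED_LINES + IGNORED_LINES:
        print(has_context_kwarg(sample), sample)
    # The reporter's near-miss input: all open parens, never a closing one.
    print(timed_check("LOG." + "(" * 3456))
    print(timed_check("LOG.info(" + "(" * 3456))
```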