nova contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

Bug #1951983 reported by Dwi Siswanto
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| OpenStack Compute (nova) | Won't Fix | Undecided | Unassigned | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |

Bug Description

# Summary
nova contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

# Description

ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions which can perform extremely badly when run on a crafted input string.

# Proof of Concept
To see that the regular expression is vulnerable, copy-paste it into a separate file and run the code as shown below.

```python
import re

# Pattern from nova/hacking/checks.py: the nested quantifiers (.)* and
# (context=...)+ around several unbounded .* let the backtracking engine
# re-split a near-miss input many ways.
log_remove_context = re.compile(
    r"(.)*LOG\.(.*)\(.*(context=[_a-zA-Z0-9].*)+.*\)")

# A LOG call that never closes: the engine backtracks over every split
# of the run of "(" before giving up.
log_remove_context.match('LOG.' + '(' * 3456)
```

# Impact
This issue may lead to a denial of service.

# References
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
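The following is an added example, not part of the bug report and not nova's code, that puts the reported pattern beside a rewrite with the same intent (flag `LOG.<method>(... context=...)` calls) but no nested quantifiers, and times both on PoC-style input. The `HARDENED` pattern and the helper names are the editor's own assumptions, not the fix nova applied.

```python
"""Added example (not from the bug report or nova): compare the reported
regex against a rewrite without nested quantifiers and time both on the
kind of input the proof of concept uses."""
import re
import time

# The regular expression quoted in the report (log_remove_context in
# nova/hacking/checks.py). Nested quantifiers such as (.)* and
# (context=...)+ around several unbounded .* give the backtracking engine
# many ways to split the same input, so a line that almost matches costs
# polynomial time in its length.
REPORTED = re.compile(r"(.)*LOG\.(.*)\(.*(context=[_a-zA-Z0-9].*)+.*\)")

# Assumption: this rewrite is the editor's own suggestion for the same
# intent, not nova's actual fix. It anchors on the literal "LOG.", has a
# single unbounded quantifier and no nesting, so the engine scans the
# line once instead of re-splitting it.
HARDENED = re.compile(r"LOG\.\w+\(.*?\bcontext=[_a-zA-Z0-9]")


def flags_context_arg(line, pattern=HARDENED):
    """Return True if the line looks like a LOG call passing context=."""
    return pattern.search(line) is not None


def time_match(pattern, line):
    """Run pattern.search once and return (matched, seconds)."""
    start = time.perf_counter()
    matched = pattern.search(line) is not None
    return matched, time.perf_counter() - start


def growth(pattern, sizes=(250, 500, 1000)):
    """Time the pattern on PoC-style inputs 'LOG.' + '(' * n for each n.

    A pattern with polynomial backtracking shows the time rising much
    faster than the input length; a linear one stays roughly proportional.
    """
    return [time_match(pattern, "LOG." + "(" * n)[1] for n in sizes]


if __name__ == "__main__":
    # Constructed sample lines of the kind a hacking check is handed.
    for sample in ("LOG.info('msg', context=ctx)", "LOG.debug('msg %s', ctx)"):
        print(sample, "->", flags_context_arg(sample))
    for name, pat in (("reported", REPORTED), ("hardened", HARDENED)):
        print(name, ["%.4f s" % t for t in growth(pat)])
```

Running the block prints the two classification results and a timing row per pattern; doubling `n` roughly quadruples the reported pattern's time while the hardened one grows linearly. The general rule the example illustrates is that a lint regex fed untrusted source text should avoid nested unbounded quantifiers and anchor on a literal as early as possible.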

Revision history for this message
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

Changed in ossa:
status: New → Incomplete
description: updated
Revision history for this message
Jeremy Stanley (fungi) wrote :

Searching the current openstack/nova master branch source code, it appears the regular expression you're notifying us about is the "log_remove_context" definition in nova/hacking/checks.py, which is not part of the service but merely a set of static code analysis rules used to evaluate proposed changes to the source code itself. If this is correct, I don't think we need to keep this report private since we definitely wouldn't issue any security advisory about that (if it's even considered a bug worth fixing at all).

Revision history for this message
Dwi Siswanto (dw1s) wrote :

Sorry, I forgot to point to the code. You are right, @kovid, the vulnerable code is located in `nova/hacking/checks.py` prior to commit `8f250f50446ca2d7aa84609d5144088aa4cded78`.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Thanks for confirming. I've switched the report to a normal public bug and marked our security advisory task as inapplicable, since this doesn't represent any exploitable vulnerability in the project. At worst, a developer could cherry-pick a malicious proposed change for the source and consume lots of CPU running static analysis checking on it until they interrupted the process.

information type: Private Security → Public
description: updated
Changed in ossa:
status: Incomplete → Won't Fix
Revision history for this message
Sylvain Bauza (sylvain-bauza) wrote :

If I understand correctly which module has this issue, this is about hacking.py.

@dw1s, you say this is before SHA1 8f250f50446ca2d7aa84609d5144088aa4cded78 but I can't find it in the nova repo.

Either way, this hacking.py module isn't run by our services and is just used by our PEP8 jobs, so I don't see any problem here.

Changed in nova:
status: New → Won't Fix