
ReDoS Vulnerability in HDFileSystem.glob()

Open Alphadelta14 opened this issue 5 years ago • 0 comments

Hi, while auditing dependencies I found a particularly nasty ReDoS issue that is fairly simple to implement where client code is concerned.

Versions Affected: hdfs3<=0.3.1

I am publicly disclosing this so that users and package maintainers have their own choice to safeguard themselves, as this repo is not actively developed.

Scenario

Given a properly instantiated client: `hdfs = HDFileSystem()`

Where there exists some file `/ababababababababababababababababababababababababababababababababababababababababa` (hdfs file name limit is 255)

The following expression will cause client code to seemingly hang: `hdfs.glob("/*((ab)+)+")`

Potential Resolutions

  1. Switch to the native jni client / pyarrow as this repo recommends.
  2. Ensure `re.escape()` is called during `hdfs.glob` (do not allow client code to be compiled into regular expressions).

Alphadelta14, Dec 20 '19 04:12
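The second resolution in a runnable form. This is an added example, not code from hdfs3 or from the issue author: `naive_glob_regex` is a hypothetical translation in the style the issue describes (only `*` and `?` rewritten, everything else handed to `re.compile` verbatim), and `safe_glob_regex` is the hardened version that `re.escape()`s every non-wildcard character so caller input can never introduce groups or quantifiers. The listing is constructed; the long name mirrors the one in the report. The naive pattern is compiled only so the nested quantifier is visible; it is never matched against the long name, since that is exactly the hang the issue describes.

```python
import re
from typing import Callable, List

# Constructed sample listing (not real HDFS output). The first entry is the
# 81-character name from the issue, well inside HDFS's 255-byte name limit.
SAMPLE_LISTING = [
    "/" + "ab" * 40 + "a",
    "/data/part-0001",
    "/data/part-0002",
    "/logs/app.log",
]

MALICIOUS_GLOB = "/*((ab)+)+"  # pattern quoted in the issue


def naive_glob_regex(pattern: str) -> "re.Pattern[str]":
    """Hypothetical unsafe translation in the style the issue describes.

    Only the glob wildcards are rewritten; regex metacharacters supplied by
    the caller ('(', ')', '+', ...) reach re.compile unchanged, so a caller
    can build a nested quantifier and trigger catastrophic backtracking.
    Never .match() this against untrusted or long input.
    """
    body = pattern.replace("*", "[^/]*").replace("?", "[^/]")
    return re.compile("^" + body + "$")


def safe_glob_regex(pattern: str) -> "re.Pattern[str]":
    """Hardened translation: wildcards become their regex equivalents and
    every other character goes through re.escape(), so the compiled regex
    contains no group or quantifier the caller did not get from a wildcard.
    '*' is kept to a single path component, matching the glob convention."""
    parts = ["^"]
    for ch in pattern:
        if ch == "*":
            parts.append("[^/]*")
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
    parts.append("$")
    return re.compile("".join(parts))


def glob_listing(
    pattern: str,
    listing: List[str],
    translate: Callable[[str], "re.Pattern[str]"] = safe_glob_regex,
) -> List[str]:
    """Filter a directory listing with a glob pattern. Defaults to the safe
    translation; the translate hook exists only to let the reader compare
    the compiled patterns, not to run the naive one on real data."""
    rx = translate(pattern)
    return [path for path in listing if rx.match(path)]


if __name__ == "__main__":
    # Side by side: the naive regex carries the caller's nested quantifier,
    # the safe one treats the same characters as literals.
    print("naive:", naive_glob_regex(MALICIOUS_GLOB).pattern)
    print("safe: ", safe_glob_regex(MALICIOUS_GLOB).pattern)
    # Returns immediately with no matches, because no file is literally
    # named '...((ab)+)+'.
    print(glob_listing(MALICIOUS_GLOB, SAMPLE_LISTING))
    print(glob_listing("/data/part-*", SAMPLE_LISTING))
```

The safe translation is also what you want when an upstream package cannot be patched: wrap or monkeypatch the glob entry point so every pattern passes through it before reaching `re.compile`. Python's own `fnmatch.translate()` follows the same escape-everything-else discipline, which is why it is a reasonable drop-in where the single-component `*` semantics are not required.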