From b389cb5e939bd81258f87aa36da700b694b411d2 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Tue, 13 Feb 2024 09:39:38 +0900
Subject: [PATCH] Prevent potential ReDoS attack

Although the logic is used to parse a config value, it'd be better to eliminate a risk.

Change-Id: Id30a69071ef9c3877f3153b95ee2d00d08c17921
---
 taskflow/jobs/backends/impl_redis.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/taskflow/jobs/backends/impl_redis.py b/taskflow/jobs/backends/impl_redis.py
index f18ff61db..e61bf51b8 100644
--- a/taskflow/jobs/backends/impl_redis.py
+++ b/taskflow/jobs/backends/impl_redis.py
@@ -562,11 +562,11 @@ return cmsgpack.pack(result)
 @classmethod
 def _parse_sentinel(cls, sentinel):
 # IPv6 (eg. [::1]:6379 )
- match = re.search(r'\[(\S+)\]:(\d+)', sentinel)
+ match = re.search(r'^\[(\S+)\]:(\d+)$', sentinel)
 if match:
 return (match[1], int(match[2]))
 # IPv4 or hostname (eg. 127.0.0.1:6379 or localhost:6379)
- match = re.search(r'(\S+):(\d+)', sentinel)
+ match = re.search(r'^(\S+):(\d+)$', sentinel)
 if match:
 return (match[1], int(match[2]))
 raise ValueError('Malformed sentinel server format')
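Review bot: In both new patterns in `_parse_sentinel`, `$` also matches just before a trailing newline, so a constructed value such as `localhost:6379\n` is still accepted. `re.fullmatch` states the whole-string intent without that gap: `match = re.fullmatch(r'\[(\S+)\]:(\d+)', sentinel)` and `match = re.fullmatch(r'(\S+):(\d+)', sentinel)`. Anchoring also changes behaviour, because input with surrounding whitespace or extra text, which the unanchored `re.search` accepted, now raises `ValueError`. If the caller splits a comma-separated option (not visible in this hunk), each entry may need a `strip()` first. The port is still unbounded, since `(\d+)` takes any number of digits before `int()`; `(\d{1,5})` plus a check against 65535 would reject out-of-range values early.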