sonar security

Author: pcrespov

services/web/server/src/simcore_service_webserver/licenses/_itis_vip_models.py

@@ -3,10 +3,18 @@
 
 from pydantic import BaseModel, BeforeValidator, Field, HttpUrl
 
+_MAX_LENGTH = 1_000
+
 
 def _feature_descriptor_to_dict(descriptor: str) -> dict[str, Any]:
     # NOTE: this is manually added in the server side so be more robust to errors
-    pattern = r"(\w+): ([^,]+)"
+    # Safe against polynomial runtime vulnerability due to backtracking
+    if (size := len(descriptor)) and size > _MAX_LENGTH:
+        msg = f"Features field too long [{size=}]"
+        raise ValueError(msg)
+
+    pattern = r"(\w{1,100}): ([^,]{1,100})"
+
     matches = re.findall(pattern, descriptor.strip("{}"))
     return dict(matches)
 

services/web/server/tests/unit/with_dbs/04/licenses/test_itis_vip_service.py

@@ -15,6 +15,9 @@
 from pytest_simcore.helpers.typing_env import EnvVarsDict
 from servicelib.aiohttp import status
 from simcore_service_webserver.licenses import _itis_vip_service
+from simcore_service_webserver.licenses._itis_vip_models import (
+    _feature_descriptor_to_dict,
+)
 from simcore_service_webserver.licenses._itis_vip_service import ResponseData
 from simcore_service_webserver.licenses._itis_vip_settings import ItisVipSettings
 
@@ -108,3 +111,8 @@ async def test_get_category_items(
             items = await _itis_vip_service.get_category_items(client, url)
 
             assert items[0].features["functionality"] == "Posable"
+
+
+def test_pre_validator_feature_descriptor_to_dict():
+    with pytest.raises(ValueError):
+        _feature_descriptor_to_dict("a" * 10000 + ": " + "b" * 10000)