notes

pcrespov · pcrespov · commit cb8bca942e03 · 2025-01-30T15:30:26.000+01:00
diff --git a/services/web/server/src/simcore_service_webserver/licenses/_itis_vip_models.py b/services/web/server/src/simcore_service_webserver/licenses/_itis_vip_models.py
@@ -1,21 +1,25 @@
 import re
 from typing import Annotated, Any, Literal
 
-from pydantic import BaseModel, BeforeValidator, Field, HttpUrl
+from pydantic import (
+    BaseModel,
+    BeforeValidator,
+    Field,
+    HttpUrl,
+    StringConstraints,
+    TypeAdapter,
+)
 
-_MAX_LENGTH = 1_000
+_max_str_adapter = TypeAdapter(
+    Annotated[str, StringConstraints(strip_whitespace=True, max_length=1_000)]
+)
 
 
 def _feature_descriptor_to_dict(descriptor: str) -> dict[str, Any]:
     # NOTE: this is manually added in the server side so be more robust to errors
-    # Safe against polynomial runtime vulnerability due to backtracking
-    if (size := len(descriptor)) and size > _MAX_LENGTH:
-        msg = f"Features field too long [{size=}]"
-        raise ValueError(msg)
-
+    descriptor = _max_str_adapter.validate_python(descriptor.strip("{}"))
     pattern = r"(\w{1,100}): ([^,]{1,100})"
-
-    matches = re.findall(pattern, descriptor.strip("{}"))
+    matches = re.findall(pattern, descriptor)
     return dict(matches)
 
 
@@ -38,5 +42,8 @@ class AvailableDownload(BaseModel):
 class ResponseData(BaseModel):
     msg: int | None = None  # still not used
     available_downloads: Annotated[
-        list[AvailableDownload], Field(alias="availableDownloads")
+        list[AvailableDownload],
+        Field(alias="availableDownloads")
+        # TODO: consider just parsing those that you are interested in instead of performing so many checks
+        # and then throw them
     ]
diff --git a/services/web/server/tests/unit/with_dbs/04/licenses/test_itis_vip_service.py b/services/web/server/tests/unit/with_dbs/04/licenses/test_itis_vip_service.py
@@ -22,6 +22,13 @@
 from simcore_service_webserver.licenses._itis_vip_settings import ItisVipSettings
 
 
+def test_pre_validator_feature_descriptor_to_dict():
+    # Makes sure the regex used here, which is vulnerable to polynomial runtime due to backtracking, cannot lead to denial of service.
+    with pytest.raises(ValidationError) as err_info:
+        _feature_descriptor_to_dict("a" * 10000 + ": " + "b" * 10000)
+    assert err_info.value.errors()[0]["type"] == "string_too_long"
+
+
 @pytest.fixture(scope="session")
 def fake_api_base_url() -> str:
     return "https://testserver"
@@ -111,8 +118,3 @@ async def test_get_category_items(
             items = await _itis_vip_service.get_category_items(client, url)
 
             assert items[0].features["functionality"] == "Posable"
-
-
-def test_pre_validator_feature_descriptor_to_dict():
-    with pytest.raises(ValueError):
-        _feature_descriptor_to_dict("a" * 10000 + ": " + "b" * 10000)
