Hi,
While auditing dependencies I found a particularly nasty ReDoS issue that is fairly simple to implement where client code is concerned.
Versions Affected: hdfs3<=0.3.1
I am publicly disclosing this so that users and package maintainers have their own choice to safeguard themselves, as this repo is not actively developed.
Scenario
Given a properly instantiated client:
hdfs = HDFileSystem()
Where there exists some file /ababababababababababababababababababababababababababababababababababababababababa (hdfs file name limit is 255)
The following expression will cause client code to seemingly hang:
hdfs.glob("/*((ab)+)+")
Potential Resolutions
Switch to the native jni client / pyarrow as this repo recommends.
Ensure re.escape() is applied inside hdfs.glob (do not allow client-supplied strings to be compiled into regular expressions).
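As an added example (not hdfs3's own code), the escaping fix from the second resolution: a glob-to-regex translation that passes everything except the `*` and `?` wildcards through re.escape(), shown beside a hypothetical naive translator that stands in for the kind of unescaped `*` substitution the report describes (an assumed shape, not hdfs3's actual implementation). The directory listing is constructed; the long name has the same a/b shape as the one in the report.

```python
import re
from typing import List

# Constructed listing standing in for what the client would get back from the
# NameNode. The first name has the same "abab...a" shape as the report's file.
LONG_NAME = "/" + "ab" * 40 + "a"
SAMPLE_LISTING = [
    LONG_NAME,
    "/((ab)+)+",                 # a real file whose name contains regex metacharacters
    "/data/part-0001.parquet",
]


def unsafe_glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Hypothetical naive translation: only '*' is rewritten, everything else
    is passed to the regex engine verbatim. Caller input such as ((ab)+)+
    therefore becomes nested quantifiers. Never call this on the long name."""
    return re.compile("^" + pattern.replace("*", ".*") + "$")


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Safe translation: '*' and '?' are the only wildcards, and every other
    character goes through re.escape(), so a caller cannot inject quantifiers.
    '*' is confined to one path component (assumption for this example)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append("[^/]*")
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def safe_glob(pattern: str, listing: List[str] = SAMPLE_LISTING) -> List[str]:
    """Match a glob against a listing using the escaped translation only."""
    rx = glob_to_regex(pattern)
    return [path for path in listing if rx.match(path)]


if __name__ == "__main__":
    # The report's pattern now means "a root entry whose name ends in ((ab)+)+",
    # and it returns immediately even with the long a/b name in the listing.
    print(safe_glob("/*((ab)+)+"))
    print(safe_glob("/ab*"))
```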