Formula sandbox: unbounded ** / << allows DoS from an untrusted profile #6
From the Fable security review.
`obdcore/formula.py` runs UNTRUSTED community-profile scaling formulas through an AST evaluator, but `_BIN` whitelists `ast.Pow` and `ast.LShift`/`RShift` with no magnitude bound. A profile formula like `9**9**9` or `1<<10**9` passes `_validate` at load and detonates on first `decode()`, computing a multi-hundred-MB integer that pins a CPU core and OOM-kills the process. It runs on the background scheduler thread; the `except Exception` in scheduler does NOT catch a runaway/OOM (not a raised exception). A derived PID with empty `deps` and formula `9**9**9` fires every tick on connect.

Fix: bound eval-time result magnitude (raise `FormulaError` if an int result's `bit_length() > ~512`); replace `<<`/`>>`/`**` with checked wrappers (cap shift/exponent); cap expression length + AST depth at compile to avoid `RecursionError`. Add tests with malicious formulas.
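A hardened sandbox along the lines of the fix sketched above, added here as an illustration and not taken from `obdcore/formula.py`: it caps source length and AST depth at compile time, routes `**`, `<<` and `>>` through checked wrappers, and magnitude-checks every intermediate integer. The limit values, the `compile_formula`/`evaluate`/`decode`/`is_rejected` names and the shape of the `_BIN` table are assumptions for this example.

```python
import ast
import operator
from typing import Any, Callable, Dict

Number = Any  # int or float


class FormulaError(ValueError):
    """Raised when a profile formula is rejected at compile time or at eval time."""


# Limits: assumed values for this example; the issue only suggests ~512 bits.
MAX_EXPR_LEN = 256      # characters of formula source accepted at compile time
MAX_AST_DEPTH = 32      # nesting depth of the parsed expression
MAX_RESULT_BITS = 512   # bit_length() allowed for any intermediate int
MAX_EXPONENT = 64       # |n| allowed in  a ** n  when n is an int
MAX_SHIFT = 64          # n allowed in  a << n  /  a >> n


def _bounded(value: Number) -> Number:
    """Reject any intermediate int wider than MAX_RESULT_BITS (and complex results)."""
    if isinstance(value, int) and value.bit_length() > MAX_RESULT_BITS:
        raise FormulaError(f"intermediate result exceeds {MAX_RESULT_BITS} bits")
    if isinstance(value, complex):
        raise FormulaError("complex result")
    return value


def _checked_pow(base: Number, exp: Number) -> Number:
    # The exponent is checked BEFORE ** runs: 9 ** 387420489 is never computed.
    if isinstance(exp, int) and abs(exp) > MAX_EXPONENT:
        raise FormulaError(f"exponent {exp} exceeds {MAX_EXPONENT}")
    return base ** exp          # float overflow raises OverflowError, mapped in evaluate()


def _checked_shift(shift: Callable[[int, int], int]) -> Callable[[Number, Number], int]:
    def wrapper(a: Number, n: Number) -> int:
        if not isinstance(a, int) or not isinstance(n, int):
            raise FormulaError("shift operands must be integers")
        if not 0 <= n <= MAX_SHIFT:
            raise FormulaError(f"shift count {n} outside 0..{MAX_SHIFT}")
        return shift(a, n)      # result width is still checked by _bounded
    return wrapper


_BIN: Dict[type, Callable[[Number, Number], Number]] = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod,
    ast.BitAnd: operator.and_, ast.BitOr: operator.or_, ast.BitXor: operator.xor,
    ast.Pow: _checked_pow,
    ast.LShift: _checked_shift(operator.lshift),
    ast.RShift: _checked_shift(operator.rshift),
}
_UNARY = {ast.USub: operator.neg, ast.UAdd: operator.pos, ast.Invert: operator.invert}


def _depth(tree: ast.AST) -> int:
    """Max nesting depth, computed iteratively so the check itself cannot recurse."""
    deepest, stack = 0, [(tree, 1)]
    while stack:
        node, d = stack.pop()
        deepest = max(deepest, d)
        stack.extend((child, d + 1) for child in ast.iter_child_nodes(node))
    return deepest


def compile_formula(src: str) -> ast.Expression:
    """Parse and validate a formula at profile-load time; raises FormulaError."""
    if len(src) > MAX_EXPR_LEN:
        raise FormulaError(f"formula longer than {MAX_EXPR_LEN} characters")
    try:
        tree = ast.parse(src, mode="eval")
    except (SyntaxError, RecursionError, MemoryError) as e:
        raise FormulaError(f"parse error: {e}") from None
    if _depth(tree) > MAX_AST_DEPTH:
        raise FormulaError(f"expression nested deeper than {MAX_AST_DEPTH}")
    for node in ast.walk(tree):
        if isinstance(node, (ast.Expression, ast.Name, ast.operator, ast.unaryop, ast.expr_context)):
            continue                       # Name is resolved against env at eval time
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            continue                       # no str/bytes/bool literals
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN:
            continue
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
            continue
        raise FormulaError(f"disallowed syntax: {type(node).__name__}")
    return tree


def evaluate(tree: ast.Expression, env: Dict[str, Number]) -> Number:
    """Evaluate a compiled formula; every intermediate result is magnitude-checked."""
    def ev(node: ast.AST) -> Number:
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Name):
            if node.id not in env:
                raise FormulaError(f"unknown variable {node.id!r}")
            return env[node.id]
        try:
            if isinstance(node, ast.BinOp):
                return _bounded(_BIN[type(node.op)](ev(node.left), ev(node.right)))
            if isinstance(node, ast.UnaryOp):
                return _bounded(_UNARY[type(node.op)](ev(node.operand)))
        except (OverflowError, ZeroDivisionError, TypeError) as e:
            raise FormulaError(str(e)) from None
        raise FormulaError(f"disallowed syntax: {type(node).__name__}")
    return ev(tree)


def decode(src: str, **env: Number) -> Number:
    """Convenience: compile + evaluate in one step (profiles should compile once)."""
    return evaluate(compile_formula(src), env)


def is_rejected(src: str, **env: Number) -> bool:
    """True if the formula is refused (at compile or eval) instead of being computed."""
    try:
        decode(src, **env)
    except FormulaError:
        return True
    return False


if __name__ == "__main__":
    print(decode("x * 0.5 + 32", x=20))
    for bad in ("9**9**9", "1<<10**9", "-" * 40 + "1", "__import__('os')"):
        print(bad[:20], "rejected:", is_rejected(bad))
```

Compiling once at profile load and calling `evaluate` per tick keeps the validation cost off the scheduler thread; because the exponent is checked before `**` runs, `9**9**9` is refused without `9**387420489` ever being computed, and `1<<10**9` dies on the shift-count check rather than on allocation.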