Fixing regex to be able to detect versions correctly for Huawei VRP#660
Fixing regex to be able to detect versions correctly for Huawei VRP#660amcgough-r7 merged 4 commits intomainfrom
Conversation
amcgough-r7
changed the title
| </fingerprint> | ||
|
|
||
| <fingerprint pattern="VRP.*Version ([\d.]+) \((.+?) (V[\d.]+R[\d.]+C[\d.]+(?:SPC|SPH|CP|HP)?\d*)"> | ||
| <fingerprint pattern="VRP.*Version ([\d.]+) \(([^\s]+) (V\d{3,4}R\d{3,4}(?:C\d{2,3})?(?:SPC\d+|SPH\d+|CP\d+|HP\d+)?)\)"> |
There was a problem hiding this comment.
are there examples where the series string contains 4 numbers after the V/R and 3 after the C?
all series strings i've seen would begin with V\d{3}R\d{3}(?:C\d{2} but perhaps ive missed some
There was a problem hiding this comment.
I did check over the advisories again to make sure I wasn't missing anything with the version numbers, yes you would be correct there hasn't been reporting of those digits changing.
| </fingerprint> | ||
|
|
||
| <fingerprint pattern="VRP.*Version ([\d.]+) \((.+?) (V[\d.]+R[\d.]+C[\d.]+(?:SPC|SPH|CP|HP)?\d*)"> | ||
| <fingerprint pattern="VRP.*Version ([\d.]+) \(([^\s]+) (V\d{3,4}R\d{3,4}(?:C\d{2,3})?(?:SPC\d+|SPH\d+|CP\d+|HP\d+)?)\)"> |
There was a problem hiding this comment.
| <fingerprint pattern="VRP.*Version ([\d.]+) \(([^\s]+) (V\d{3,4}R\d{3,4}(?:C\d{2,3})?(?:SPC\d+|SPH\d+|CP\d+|HP\d+)?)\)"> | |
| <fingerprint pattern="VRP(?:(?!VRP).)*?Version ([\d.]+) \(([^\s]+) (V\d{3,4}R\d{3,4}(?:C\d{2,3})?(?:SPC\d+|SPH\d+|CP\d+|HP\d+)?)\)"> |
Just wondering should you change to this so its not susceptible to DOS. I checked the original regex with this https://devina.io/redos-checker
There was a problem hiding this comment.
Yes fixed with your suggestion, I did forget this was a resource
There was a problem hiding this comment.
Only thing is in go it doesn't seem to like this regex, changed to VRP[^V]*Version instead of your suggestion. Still works with the redos checker and regex matches on everything we need
There was a problem hiding this comment.
Your new version looks good to me ;)
4 participants
Description
Allowing to detect all the versions of Huawei VRP with or with out the hot patch attached along with adding the device associated with Huawei VRP as os.device
Motivation and Context
Explanation of why these changes are being proposed, including any links to other relevant issues or pull requests.
How Has This Been Tested?
A clear and concise description of your changes were tested.
Types of changes
Checklist: