
[BUG] Inefficient Regex #3659

Closed
SCH227 opened this issue Nov 2, 2022 · 3 comments
Labels
bug Needs Triage Issues that need to be evaluated for severity and status.

Comments

@SCH227

SCH227 commented Nov 2, 2022

setuptools version

setuptools==65.5.0

Python version

Python 3.10

OS

Kali Linux

Additional environment information

The reported bug should be independent from env

Description

This regex pattern is inefficient.
As described through the PSRT channel, it may end in a DoS if a user is fetching malicious HTML from a package in PyPI or a custom PackageIndex page.

Expected behavior

Regex matches/not without hanging.
The following regex seems to be performing ok:
<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>

How to Reproduce

Described through PSRT channel

Output

[ hangs forever ]
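The following is an added example (not code from the issue or from setuptools) that exercises the bounded regex proposed above on constructed HTML. It shows what the pattern extracts from typical index markup, that a long whitespace run after `rel` is scanned within a time budget, and the behavioural caveat a reviewer would want to know: because the quantifiers are capped at `{0,10}`, a `rel` attribute with more than ten whitespace characters on either side of `=` is no longer matched at all. The sample page, the `stress_input` helper and the one-second budget are all constructed for this example.

```python
import re
import time

# The bounded pattern from the issue: whitespace around '=' is capped at 10 characters.
REL_RE = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""")

# Constructed stand-in for a package index listing (not real PyPI output).
SAMPLE_HTML = """
<html><body>
<a href="https://example.invalid/pkg-1.0.tar.gz" rel="download">pkg-1.0.tar.gz</a>
<a href="https://example.invalid/" rel=homepage>Home</a>
<a href="https://example.invalid/other">no rel here</a>
<link rel = "stylesheet" href="style.css">
</body></html>
"""


def find_rel_values(html):
    """Return the rel attribute values found by REL_RE, in document order."""
    return [m.group(2) for m in REL_RE.finditer(html)]


def timed_scan(html, budget_seconds=1.0):
    """Scan `html` and report (values, elapsed_seconds, finished_within_budget).

    A defender-side check: a regex that is safe to run on untrusted input
    should stay well inside the budget on long, oddly shaped pages.
    """
    start = time.perf_counter()
    values = find_rel_values(html)
    elapsed = time.perf_counter() - start
    return values, elapsed, elapsed < budget_seconds


def stress_input(n=100_000):
    """Constructed input: an unterminated tag with `n` whitespace characters
    after `rel`. The capped `\\s{0,10}` quantifier means the matcher gives up
    after at most ten of them at each candidate position instead of hanging."""
    return "<a rel" + " " * n + "x"


def rel_with_padding(spaces):
    """Constructed tag with `spaces` whitespace characters before '='.
    Demonstrates the semantic cost of the cap: 11 or more and nothing matches."""
    return "<a rel" + " " * spaces + "=x>"


if __name__ == "__main__":
    print("sample page:", find_rel_values(SAMPLE_HTML))
    values, elapsed, ok = timed_scan(stress_input())
    print(f"stress scan: {len(values)} matches in {elapsed:.4f}s, within budget: {ok}")
    print("10 spaces before '=':", find_rel_values(rel_with_padding(10)))
    print("11 spaces before '=':", find_rel_values(rel_with_padding(11)))
```

Run it directly to see the extracted values and the timing. The stress input deliberately omits the closing `>` so the engine has to backtrack across the whole tag; with the capped quantifiers that backtracking is cheap. The padding check is the part worth remembering when adopting a pattern like this: bounding repetition trades a little permissiveness for predictable worst-case time, so tests should cover inputs just beyond the bound.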

@SCH227 SCH227 added bug Needs Triage Issues that need to be evaluated for severity and status. labels Nov 2, 2022
@jaraco jaraco closed this as completed in 43a9c9b Nov 4, 2022
jaraco added a commit that referenced this issue Nov 4, 2022
@domdfcoding
Contributor

Is this only triggerable when using setuptools itself to interact with a package index, or can it be triggered when using pip?

jsf9k added a commit to cisagov/skeleton-generic that referenced this issue Nov 15, 2022

@jaraco
Member

jaraco commented Apr 7, 2023

Is this only triggerable when using setuptools itself to interact with a package index, or can it be triggered when using pip?

It could in theory be triggered using pip if:

  • pip builds a package from source
  • that package is built with setuptools
  • that package has build-time dependencies (setup_requires) that aren't already satisfied in the environment or by pip (either because build-requires isn't declared or the invocation has bypassed the PEP 518 behavior to install them).
