-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
[BUG] Inefficient Regex #3659
Labels
Comments
SCH227
added
bug
Needs Triage
Issues that need to be evaluated for severity and status.
labels
Nov 2, 2022
jaraco
added a commit
that referenced
this issue
Nov 4, 2022
Is this only triggerable when using setuptools itself to interact with a package index, or can it be triggered when using pip? |
jsf9k
added a commit
to cisagov/skeleton-generic
that referenced
this issue
Nov 15, 2022
This is done in response to a recently-discovered vulnerability in setuptools: - https://security.snyk.io/vuln/SNYK-PYTHON-SETUPTOOLS-3113904 - https://cwe.mitre.org/data/definitions/1333.html - pypa/setuptools#3659
6 tasks
jsf9k
added a commit
to cisagov/skeleton-generic
that referenced
this issue
Nov 15, 2022
This is done in response to a recently-discovered vulnerability in setuptools: - https://security.snyk.io/vuln/SNYK-PYTHON-SETUPTOOLS-3113904 - pypa/setuptools#3659 - https://cwe.mitre.org/data/definitions/1333.html
This comment was marked as off-topic.
This comment was marked as off-topic.
I could in theory be triggered using pip if:
|
This was referenced Sep 28, 2023
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
setuptools version
setuptools==65.5.0
Python version
Python 3.10
OS
Kali Linux
Additional environment information
The reported bug should be independent from env
Description
This regex pattern is inefficient.
As described through PSRT channel, it may end in a DoS if an user is fetching malicious HTML from a package in PyPI or custom PackageIndex page.
Expected behavior
Regex matches/not without hanging.
The following regex seems to be performing ok:
<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>
How to Reproduce
Output
[ hangs forever ]
The text was updated successfully, but these errors were encountered: