Vulnerable Regular Expression in svnwc.py #256
Comments
|
Ohh nice catch. I think the ambiguity in this regex is From the examples listed here, the line number and the user name are always separated by at least one space (which makes sense). So we can change the middle rex_blame = re.compile(r'\s*(\d+)\s+(\S+) (.*)') and that should fix it, at least I don't think there is any catastrophic backtracing left here. Does that sound right to you? |
|
yeah, I think the fixed regex is safe. |
|
Thanks for confirming. I'll reopen for now and submit a PR to fix this. |
The subpattern `\d+\s*\S+` is ambiguous which makes the pattern subject to catastrophic backtracing given a string like `"1" * 5000`. SVN blame output seems to always have at least one space between the revision number and the user name, so the ambiguity can be fixed by changing the `*` to `+`. Fixes pytest-dev#256.
|
Is this code reachable by attackers in any form? e.g. should this be tracked by a CVE? |
|
Hi @msmeissn,
I think attackers may obtain this code by calling
It would be great to assign a CVE for the issue🙂 Best regards, |
|
Mitre assigned CVE-2020-29651 to this issue. |
|
HI @bluetech maybe this is a question you may be able to answer. Although the project is in maintenance mode, does #257 not warrant a new release/tag? Although py may be in maintenance mode it is still a dependency in pytest which is a fairly widely used package. Seeing as the fix was merged on 20 Sept I was just wondering if another release is ever going to be made? Are there plans to remove the |
|
The reason I don't treat it with any priority is that I'm not sure there is any code left in existence which still uses
I've never made a py release myself, but since the deploy is automated I may be able to do it, if the token is still valid. Maybe @nicoddemus would know?
We are migrating away from it but it's gonna take a while. |
It should, although it is not using a token but my actual password. In my experience though Travis is taking forever due to their recent policy changes, so we might need to first port to GitHub actions before doing a new release. |
|
I am sure snyk will automate this all at some point in the future. But why do they need to when they have automated people to do it for them? :) |
|
Using the new CI that @nicoddemus set up everything went well - 1.10.0 is released now and includes this fix. |
|
@bluetech and @nicoddemus thanks for the efforts! |
IssueID #3694: #3874: SNYK-PYTHON-PY-1049546 Dependency vulnerability - py - CVE-2020-29651 #378 - Update py to 1.10.0 which resolves CVE-2020-29651 by implementing pytest-dev/py#257 which fixes pytest-dev/py#256 Modified: dev-requirements.txt requirements.txt
Type of Issue
Potential Regex Denial of Service (ReDoS)
Description
The vulnerable regular expression is located in
py/py/_path/svnwc.py
Line 399 in 1a45e12
The ReDOS vulnerabilitiy of the regex is mainly due to the sub-pattern (\d+)\s*(\S+) and can be exploited with the following string
"1"*5000
I think you can limit the input length or modify this regex.
The text was updated successfully, but these errors were encountered: