
Snyk has identified a vulnerability in version 1.9.0 #265

Closed
carltonsmith opened this issue Dec 10, 2020 · 1 comment
Comments

carltonsmith commented Dec 10, 2020

Here is the issue from Snyk:

Regular Expression Denial of Service (ReDoS)
Vulnerable module: py
Introduced through: pytest@6.1.2
Detailed paths
Introduced through: HHS/TANF-app@HHS/TANF-app › pytest@6.1.2 › py@1.9.0
Overview
py is a Python development support library.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The subpattern \d+\s*\S+ is ambiguous which makes the pattern subject to catastrophic backtracking given a string like "1" * 5000.

SVN blame output seems to always have at least one space between the revision number and the user name, so the ambiguity can be fixed by changing the * to +.

You can find a detailed explanation here
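The advisory's reasoning, shown as an added example (this is my illustration, not code from py, pytest or Snyk): two constructed patterns for an "svn blame" line, one containing the ambiguous subpattern \d+\s*\S+ and one with the advisory's suggested change of that * to +. Both parse a constructed, well-formed blame line identically; on the advisory's "1" * 5000 input the ambiguous pattern tries every split of the digit run between \d+ and \S+ before failing, while the fixed pattern fails in a single pass. The pattern shapes, the blame line and the function names are assumptions made for this example.

```python
import re
import time

# Constructed for this example, not copied from py's source: both patterns
# parse an "svn blame" line of the form "<revision> <author> <text>".
# VULNERABLE contains the ambiguous subpattern \d+\s*\S+ from the advisory;
# FIXED applies the advisory's suggestion and changes that * to +.
VULNERABLE = re.compile(r"^\s*(\d+)\s*(\S+)\s+(.*)$")
FIXED = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.*)$")


def parse_blame_line(pattern, line):
    """Return (revision, author, text) for a blame line, or None on no match."""
    m = pattern.match(line)
    if m is None:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


def match_seconds(pattern, line):
    """Wall-clock seconds spent in a single anchored match attempt."""
    start = time.perf_counter()
    pattern.match(line)
    return time.perf_counter() - start


def slowdown_ratio(n=5000):
    r"""How much slower VULNERABLE is than FIXED on the advisory's "1" * n input.

    With \s* allowed to match nothing, \d+ and \S+ compete for the same run of
    digits, so every split of the run is tried before the match fails: O(n^2)
    steps. With \s+ mandatory, \d+ is forced back one digit at a time and \s+
    fails immediately on each digit: O(n) steps.
    """
    pathological = "1" * n  # constructed input, as described in the advisory
    slow = match_seconds(VULNERABLE, pathological)
    fast = match_seconds(FIXED, pathological)
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    # A well-formed blame line (constructed) is parsed identically by both.
    line = "   1234   alice   def foo():"
    print(parse_blame_line(VULNERABLE, line))
    print(parse_blame_line(FIXED, line))
    print(f"slowdown on '1' * 5000: {slowdown_ratio():.0f}x")
```

The general lesson is the one the advisory states: when two adjacent quantified classes can consume the same characters and the separator between them is optional, a non-matching input forces the engine to enumerate every boundary. Making the separator mandatory (or otherwise removing the overlap) restores linear behaviour without changing what well-formed input parses to.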

RonnyPfannschmidt (Member) commented

Duplicate of #256
