Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

svnwc: fix regular expression vulnerable to DoS in blame functionality #257

Merged
merged 1 commit into from
Sep 20, 2020
Merged

svnwc: fix regular expression vulnerable to DoS in blame functionality #257

merged 1 commit into from
Sep 20, 2020

Conversation

bluetech
Copy link
Member

@bluetech bluetech commented Sep 4, 2020

Fixes #256.

The subpattern \d+\s*\S+ is ambiguous which makes the pattern subject
to catastrophic backtracing given a string like "1" * 5000.

SVN blame output seems to always have at least one space between the
revision number and the user name, so the ambiguity can be fixed by
changing the * to +.

@bluetech
svnwc: fix regular expression vulnerable to DoS in blame functionality
4a9017d 
The subpattern `\d+\s*\S+` is ambiguous which makes the pattern subject
to catastrophic backtracing given a string like `"1" * 5000`.

SVN blame output seems to always have at least one space between the
revision number and the user name, so the ambiguity can be fixed by
changing the `*` to `+`.

Fixes pytest-dev#256.
@bluetech
Copy link
Member Author

Going to assume no one has an issue with this and merge.

@bluetech bluetech merged commit 92e36e6 into pytest-dev:master Sep 20, 2020
cclauss added a commit to cclauss/py that referenced this pull request Sep 20, 2020
@cclauss
Add fix from pytest-dev#257
868a26a
@earthgecko earthgecko mentioned this pull request Dec 10, 2020
Closed
@bluetech bluetech deleted the svn-redos branch December 12, 2020 11:54
earthgecko added a commit to earthgecko/skyline that referenced this pull request Dec 12, 2020
@earthgecko
py 1.10.0 with CVE-2020-29651 mitigated
a1ff55e 
IssueID #3694: #3874: SNYK-PYTHON-PY-1049546
Dependency vulnerability - py - CVE-2020-29651 #378

- Update py to 1.10.0 which resolves CVE-2020-29651 by implementing
  pytest-dev/py#257 which fixes
  pytest-dev/py#256

Modified:
dev-requirements.txt
requirements.txt
@earthgecko earthgecko mentioned this pull request Dec 12, 2020
Merged
@github-actions github-actions bot mentioned this pull request Jun 3, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Vulnerable Regular Expression in svnwc.py
1 participant
@bluetech