Classification
Title: REDoS in purge
Type: behavior
Stage: needs patch
Components: Installation, Windows
Versions: Python 3.10

Process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: paul.moore, serhiy.storchaka, steve.dower, tim.golden, yetingli, zach.ware
Priority: normal
Keywords: easy

Created on 2020-09-04 09:47 by yetingli, last changed 2020-09-04 16:30 by steve.dower.

Files
File name: purge.py
Uploaded: yetingli, 2020-09-04 09:47
Description:
Messages (4)
msg376343 - Author: yeting li (yetingli) Date: 2020-09-04 09:47
I find this regex "(\d+\.\d+\.\d+)(\w+\d+)?$" may be stuck by input.
The vulnerable regex is located in
https://github.com/python/cpython/blob/54a66ade2067c373d31003ad260e1b7d14c81564/Tools/msi/purge.py#L15

The ReDoS vulnerability of the regex is mainly due to the sub-pattern \w+\d+
and can be exploited with the following string
"1.1.1"+"1" * 5000 + "!"


I think you can limit the input length or fix this regex.

For example, you can modify the sub-pattern \w+\d+ to ([A-Za-z_]*\d)+

Looking forward to your response!

Best,
Yeting Li
msg376356 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2020-09-04 11:14
Thank you for your report, yeting li. The pattern modification looks good to me. Do you mind creating a pull request?
msg376377 - Author: Zachary Ware (zach.ware) * (Python committer) Date: 2020-09-04 15:43
Does it matter?  This is not a library, it is a script used occasionally by a release manager, called manually, and the only input to the regex is provided via a command-line argument in that manual call.  I don't think Steve plans to REDoS himself :)
msg376385 - Author: Steve Dower (steve.dower) * (Python committer) Date: 2020-09-04 16:30
I've considered DoSing myself a few times, but then change my mind and just publish the release :)

A PR to change it to "(\d+\.\d+\.\d+)([a-zA-Z]+\d+)?$" would be fine, but is not urgent. It certainly doesn't need to be backported, as this is only ever used from master these days.

Personally I'd be just as happy closing the issue. I know that the current script works, and there's nothing worse than breaking a release because someone has changed the release scripts without testing them properly.
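The following is an added example, not code from purge.py or from anyone in this thread. It puts the pattern quoted in msg376343 beside the two replacements proposed in the thread (the reporter's ([A-Za-z_]*\d)+ and the committer's [a-zA-Z]+\d+) and checks two things a reviewer of the eventual PR would want to know: that the replacements still parse ordinary release tags the same way, and where they stop agreeing with the original. The sample tags are constructed for this example, the last two deliberately shaped to expose differences, and matching with re.match (anchored at the start of the string) is an assumption; the thread does not show how purge.py calls the pattern.

```python
import re
import time

# Added example, not code from purge.py.  The three patterns are the one the
# report quotes and the two replacements proposed in the thread.  Calling them
# through re.match is an assumption made here.
PATTERNS = {
    "original": re.compile(r"(\d+\.\d+\.\d+)(\w+\d+)?$"),
    # reporter's suggestion: replace \w+\d+ with ([A-Za-z_]*\d)+
    "reporter": re.compile(r"(\d+\.\d+\.\d+)(([A-Za-z_]*\d)+)?$"),
    # committer's suggestion from msg376385
    "committer": re.compile(r"(\d+\.\d+\.\d+)([a-zA-Z]+\d+)?$"),
}

# Constructed sample tags.  The last two are hypothetical shapes chosen to
# expose where the replacements accept different inputs than the original.
SAMPLE_TAGS = ["3.9.1", "3.10.0rc2", "3.8.5b1", "3.10.0a1",
               "3.9.0rc1post1", "3.9.0_1"]


def parse(pattern, text):
    """Return (version, suffix) on a match, or None."""
    m = pattern.match(text)
    if m is None:
        return None
    return m.group(1), m.group(2)


def disagreements(tags):
    """Tags on which the three patterns do not all give the same result."""
    out = []
    for tag in tags:
        results = {name: parse(p, tag) for name, p in PATTERNS.items()}
        if len(set(results.values())) > 1:
            out.append(tag)
    return out


def craft(n):
    """The input shape from the report: a valid prefix, n digits, then a
    character that makes the anchored match fail, so the engine backtracks."""
    return "1.1.1" + "1" * n + "!"


def timed_match(pattern, text):
    """Run parse() and return (result, elapsed_seconds)."""
    start = time.perf_counter()
    result = parse(pattern, text)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    for tag in SAMPLE_TAGS:
        print(tag, {name: parse(p, tag) for name, p in PATTERNS.items()})
    print("disagreements:", disagreements(SAMPLE_TAGS))
    # Keep n small for the original pattern: because \w+ and \d+ both match
    # digits, the engine tries every split between them for every length of
    # the third \d+, so the work grows roughly with the cube of n.  The
    # replacements use classes disjoint from \d, so the committer's finishes
    # in time linear in n and the reporter's in time quadratic in n.
    for name, pattern in PATTERNS.items():
        _, secs = timed_match(pattern, craft(300))
        print(f"{name:10s} n=300: {secs:.4f}s")
```

The disagreements list is the practical caveat: both replacements remove the overlap between the letter run and the digit run, which is what makes the original backtrack, but the committer's [a-zA-Z]+\d+ also rejects a suffix with more than one letter/digit pair (such as the constructed "rc1post1") and any suffix containing an underscore, while the reporter's ([A-Za-z_]*\d)+ still accepts both. Whichever is chosen, running the script's real inputs through the old and new pattern before merging is the test the last message asks for.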
History
Date                 User               Action  Args
2020-09-04 16:30:12  steve.dower        set     messages: + msg376385; versions: - Python 3.8, Python 3.9
2020-09-04 15:43:43  zach.ware          set     nosy: + paul.moore, tim.golden, zach.ware, steve.dower; messages: + msg376377; components: + Installation, Windows, - Library (Lib); type: security -> behavior
2020-09-04 11:14:42  serhiy.storchaka   set     versions: + Python 3.8, Python 3.9; nosy: + serhiy.storchaka; messages: + msg376356; keywords: + easy; stage: needs patch
2020-09-04 09:47:22  yetingli           create