SafeRe is vulnerable to ReDoS #2757
Comments
We could replace this by the RE2 (https://github.com/google/re2). There is python bindings available (https://pypi.org/project/google-re2/).

Many zites make use of Not sure if it is possible to move to RE2 in a backward compatible way.

https://github.com/zeronet-enhanced/ZeroNet/commit/2a25d61b968a21aa98c6db2ca9d64f1bbdc54773 In my fork, I (temporarily) fixed this by treating Not sure if it is a proper or a complete solution. I'm not familiar with the ReDoS type of attack and regexp implementation details.
Step 1: Please describe your environment
Step 2: Describe the problem:
"To avoid the ReDoS algorithmic complexity attack" the function below is used to validate user defined regular expressions.
ZeroNet/src/util/SafeRe.py
Lines 10 to 22 in 454c0b2
This function fails to identify regular expressions that can require exponential time complexity to match user inputs.
Steps to reproduce:
Observed Results:
`match` hangs and the execution never completes.
Expected Results:
`isSafePattern` should properly detect that the pattern is unsafe. Alternatively, `match` should use an algorithm with guaranteed linear time complexity to compile and match inputs (e.g. Thompson NFA).