Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix Regular Expression injection #629

Merged
merged 1 commit into from Mar 23, 2021
Merged

Fix Regular Expression injection #629

merged 1 commit into from Mar 23, 2021

Conversation

jorgectf
Copy link
Contributor

@jorgectf jorgectf commented Mar 23, 2021

The fact of not sanitizing user input appended to a regular expression may lead to a Regular Expression Denial of Service by an attacker crafting a regular expression taking too much to load, or simply change the behaviour of the program.

Vulnerable code:

re_from_start = re.compile("^.*{}:".format(cpe_regex))

References:

OWASP ReDoS

@P-T-I
Copy link
Member

P-T-I commented Mar 23, 2021

Awesome; good catch!

@P-T-I P-T-I merged commit c621f9f into cve-search:master Mar 23, 2021
7 checks passed
@jorgectf jorgectf deleted the fix-regex-injection branch March 23, 2021 19:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants