CVE-2022-42964 ReDOS vulnerability in GaussianInput #2755
Comments
Looks like this stems from pymatgen/pymatgen/io/gaussian.py, line 93 in 7a51c9b, which you can explode with:

I'm not a Gaussian user, but is this part of the regex necessary? Can the input be satisfied with:

@ScottNotFound I don't think it is possible to change

This regex is, for example, looking for lines such as:

The line starts with an element symbol, which could be (optionally) followed by a number. Using the following regex at line 93 for the class attribute:

It looks like it fixes the vulnerability:
Describe the bug
A CVE-2022-42964 ReDOS vulnerability in GaussianInput has been reported in the GaussianInput.from_string method.
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package when an attacker is able to supply arbitrary input to the GaussianInput.from_string method.
The report was made at https://research.jfrog.com/vulnerabilities/pymatgen-redos-xray-257184/
and documented by Debian at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024017 (see also https://security-tracker.debian.org/tracker/CVE-2022-42964 )
To Reproduce
Steps to reproduce the behavior:
python3 CVE-2022-42964.py
Expected behavior
Creating strings of the kind in this example should require the same millisecond time in each iteration.
Additional context
Python 3.10.8
pymatgen 2022.11.7
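The reporter's CVE-2022-42964.py is not reproduced on this page, and neither is the regex at line 93 of pymatgen/io/gaussian.py. The block below is an added example, not code from the pymatgen project or from the reporter: it uses two constructed stand-in patterns that have the same shape of flaw the thread describes (a nested quantifier, `(\w+)*`, at the head of a coordinate-line regex, which is an assumption about the real pattern) and shows the timing check the "Expected behavior" section asks for, i.e. that growing the input by a few characters should not multiply the match time. All sample lines are constructed, not taken from a Gaussian input file.

```python
"""Added example, not pymatgen code: exponential ReDoS versus a linear rewrite.

VULNERABLE and FIXED are constructed stand-ins for the kind of regex the issue
discusses; they are NOT the actual pattern from pymatgen/io/gaussian.py.
"""
import re
import time

# Constructed vulnerable pattern: "(\w+)*" can split a run of word characters into
# 2**(n-1) different group partitions, and the engine tries every one of them
# before "$" finally fails on a trailing non-matching character.
VULNERABLE = re.compile(r"^(\w+)*([\s,]+[\-.\d]+)*$")

# Constructed rewrite: "(\w*)" accepts exactly the same strings as "(\w+)*" (any run
# of word characters, kept as group 1 so callers reading group(1) still work) but
# admits only one way to match them, so backtracking is at most one step per char.
FIXED = re.compile(r"^(\w*)([\s,]+[\-.\d]+)*$")


def hostile_line(n: int) -> str:
    """n word characters followed by '!', which neither pattern accepts.

    The trailing '!' makes the match fail, and a failing match is what forces the
    engine to explore every partition before giving up.
    """
    return "a" * n + "!"


def time_match(pattern: re.Pattern, text: str) -> float:
    """Seconds spent evaluating pattern.match(text); the result itself is discarded."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


def same_verdict(text: str) -> bool:
    """True when VULNERABLE and FIXED agree on whether text matches."""
    return (VULNERABLE.match(text) is not None) == (FIXED.match(text) is not None)


# Constructed sample lines (assumed shape: symbol, optional index, then numbers).
SAMPLE_LINES = [
    "C 0.0 0.0 0.0",
    "H1, 1.089, 0.0, 0.0",
    "Fe2  -1.5  2.25  .5",
    "",                  # both patterns accept an empty line
    "C 0.0 0.0 x",       # both reject: 'x' is not numeric
    hostile_line(10),    # both reject; only 512 partitions, so still fast
]


if __name__ == "__main__":
    # Each extra character roughly doubles VULNERABLE's failing-match time,
    # while FIXED stays flat; that is the growth the bug report asks you to look for.
    for n in (10, 12, 14, 16, 18, 20):
        print(
            f"n={n:2d}  vulnerable={time_match(VULNERABLE, hostile_line(n)):.4f}s"
            f"  fixed={time_match(FIXED, hostile_line(n)):.6f}s"
        )
```

Keep the hostile run short (around 20 characters) when timing VULNERABLE; beyond that the failing match takes seconds to minutes, which is exactly the denial of service. FIXED can be fed thousands of characters and still returns immediately, and the equivalence check over SAMPLE_LINES is the regression test to ship alongside any such rewrite so that accepted input does not silently change.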