Patch for sanitizer.py needs to also be applied to _vendor/html5lib/filters/sanitizer.py

[brosenfi]

A patch was applied to fix CVE-2020-6817 with commit d6018f2 - however this same vulnerable regex has been identified as also occurring in bleach/_vendor/html5lib/filters/sanitizer.py (by a Sonatype "security research team" - it's in one of their advisory deviation notices).

[g-k]

Good eye! bleach overrides sanitize_css, so it shouldn't be possible to reach that regex from bleach.clean. Also, I'd be interested in the advisory deviation notice if that's public anywhere. In general, I try to avoid updating vendored libraries to non-release code. Can you raise the issue upstream with html5lib at https://github.com/html5lib/html5lib-python/issues ? Thanks!

…

On Wed, May 13, 2020 at 3:08 PM Brian Rosenfield ***@***.***> wrote: A patch was applied to fix CVE-2020-6817 <https://github.com/advisories/GHSA-vqhp-cxgc-6wmm> with commit d6018f2 <d6018f2> - however this same vulnerable regex has been identified as also occurring in bleach/_vendor/html5lib/filters/sanitizer.py (a Sonatype "security research team" - it's in one of their advisory deviation notices). — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#534>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABXKLJGS2ANZUHOELAHBZLRRLV3LANCNFSM4NABGS3A> .

[brosenfi]

Thanks - I actually can't be credited with the good eye on this though because what triggered me to look into this issue was a failed install when the latest bleach wheel was quarantined. I actually looked before I even created this issue for a public version of Sonatype's "advisory deviation notice" (and looked again now) and can't find one. I can see the whole text on our Nexus IQ server - here's the gist of it:
The Sonatype security research team found that the needed fix in version 3.1.4 is in the bleach/sanitizer.py file, however the version contains an additional file bleach/_vendor/html5lib/filters/sanitizer.py which still has the vulnerable regex - therefore version 3.1.4 and any version that has this unpatched file will still be treated as vulnerable.
I'll raise an issue over at the html5lib project - thanks again.

[gsnedders]

@brosenfi AFAICT you never did raise an issue, but as far as I can tell none of the regex in the sanitizer are liable to exponential backtracking (they're all maximally linear with regards to the input), and they're all just dlint-py/dlint#13.

[brosenfi]

@gsnedders Yes that's correct - I got busy that day and forgot to raise it - apologies for that. Yeah reading the bug thread I don't see the same overlap with the ['"-] characters in the first group in the alternation on the html5lib version of the regex - and it's even mentioned there that it doesn't have this issue. I guess I have to go back to Sonatype and argue that this isn't actually vulnerable.