potential DOS risk with pydantic - fix pending

[samuelcolvin]

I have been made aware of a potential DOS attack risk in pydantic.

The fix I believe is relatively trivial, I will release:

• v1.5.2 based of the current v1.5.1 tag
• v1.4.1 based of the current v1.4 tag

These releases will be made just after 1pm UTC on 2020/5/11, that's next Monday.

If you require a fix to any other version, please let me know on this issue.

[samuelcolvin]

To wait for potential upstream fixes to this issue, these releases have been delayed.

I'll comment here as soon as I know when a fix can be released for pydantic.

[PrettyWood]

Is this issue still necessary?

[samuelcolvin]

The python security team have not yet fixed the the upstream error (I don't really understand why) but have ask packages not to mitigate the problem in libraries to avoid making it public.

The whole situation is frustrating.

[mruser]

Hi Samuel, is the underlying vulnerability still present in the upstream such that the DOS risk survives in the current version of the library? If not, what version was the issue resolved in? Thank you.

Also, I believe we are well into responsible disclosure territory with respect to the upstream, given the time period that has elapsed.

[samuelcolvin]

Quick update on this since a few people have asked about it.

This an issue in cpython, it's not specific to pydantic. All versions of python are effected.

The python security list were informed about it back in 2020 but after a flurry of initial emails, progress on a fix stopped as far as I'm aware.

After @mruser's comment 2 weeks ago, I followed up with a few individuals involved and tried to press for a proper fix.

The last update was 2 days ago, that the issue was being discussed between some core devs. and the SC.

---

In short, while I'm disappointed this hasn't fixed sooner, I'm hopeful it will be fixed soon.

I was asked not to fix it in pydantic to avoid making the vulnerability public, I'll stick to that for another few months in the hope of an upstream fix.

[malipek]

Is the vulnerability somehow connected to the well known issues with NaN implementation? If so, the issue should be closed, in my opinion.

[samuelcolvin]

No

[dmkr]

Is this issue effecting all versions of Pydantic, on version 1.4 and beyond, or only on 1.4 and 1.5.1?

[samuelcolvin]

This has now been made public and it seems a fix will be out soon.

python/cpython#95778

If you're parsing, JSON the simplest solution is to use ujson which doesn't suffer from this problem.

I'll see if I can get a fix it which limits input to ints soon.