
prodigysml
Contributor

@prodigysml prodigysml commented Sep 7, 2023

…paces

Change Summary

As discussed over email, this fixes a security issue where a regular expression denial of service can be performed.

Exploit code is below:

import time
from pydantic.networks import validate_email

start = time.time()

try:
    # '<' followed by 3000 spaces: the address regex backtracks over the run of
    # whitespace while looking for the closing '>'
    exploit_string = '<' + ' ' * 3000
    validate_email(exploit_string)
except Exception:
    # the value is expected to be rejected; only the time it takes matters
    pass

print(f"Time elapsed: {time.time() - start}")

Related issue number

NA

Checklist

  • The pull request title is a good summary of the changes - it will be used in the changelog
  • Unit tests for the changes exist
  • Tests pass on CI
  • Documentation reflects the changes where applicable
  • [x] My PR is ready to review, please add a comment including the phrase "please review" to assign reviewers

Selected Reviewer: @samuelcolvin

@prodigysml
Contributor Author

please review

@prodigysml
Contributor Author

Seems like I've broken something. I'll see if I can fix it

Member

@samuelcolvin samuelcolvin left a comment

Please add a test showing that more than 5 spaces is invalid with a comment as to why.

Otherwise LGTM.

@hramezani
Member

please update

@pydantic-hooky pydantic-hooky bot added awaiting author revision awaiting changes from the PR author and removed ready for review labels Sep 11, 2023
@pydantic-hooky pydantic-hooky bot assigned prodigysml and unassigned samuelcolvin Sep 11, 2023
@adriangb
Member

won't other filler characters still cause the same issue? IMO it'd be better to just set a reasonable length limit like 2048 characters.

Member

@samuelcolvin samuelcolvin left a comment

Lgtm

@adriangb adriangb merged commit e4393ae into pydantic:main Sep 20, 2023
@prodigysml
Contributor Author

Awesome! @samuelcolvin can we open up a security advisor for this one?

@davidhewitt davidhewitt added the relnotes-fix Used for bugfixes. label Sep 21, 2023
name_chars = r'[\w!#$%&\'*+\-/=?^_`{|}~]'
unquoted_name_group = fr'((?:{name_chars}+\s+)*{name_chars}+)'
quoted_name_group = r'"((?:[^"]|\")+)"'
email_group = r'<\s*(.+)\s*>'
email_group = r'<\s*(.{0,254})\s*>'
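Review bot: changing '(.+)' to '(.{0,254})' alters what email_group accepts, not only how much work it does: the old pattern required at least one character between the angle brackets, so '<>' is now accepted where it was previously rejected. If the aim is only to bound backtracking, '(.{1,254})' keeps the original requirement. Note also that '.' still matches whitespace, so the '\s*' on either side of the group still overlaps with it, and the unquoted_name_group quantifiers '(?:name_chars+\s+)*name_chars+' are untouched by this hunk; a cap on the total input length before the regex runs (the 2048-character limit proposed in review) is the check that bounds the work done regardless of which filler characters are used.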

This has changed the intent of the regex - previously it only matched one or more characters, now it matches 0 characters. Admittedly the previous regex would match a space alone if the address was < > and this will not, but it is a change beyond the statement in the pull request.

Member

Note for anyone coming to this in future, in #7599 (before releasing this PR) we reverted this change so the only actual change implemented is the length check which covers the original minor performance risk.

adriangb added a commit that referenced this pull request Sep 25, 2023
See #7360 (comment). No regex changes were necessary in the end because we ended up just restricting the overall length
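An added illustration (not pydantic's own code) of the approach the thread settled on: the regex fragments are the ones shown in the review diff above (with the pre-PR form of email_group that #7599 restored), and the length cap is the 2048-character limit proposed in review. How the fragments are combined into one pattern, and the parse_pretty_email / rejection_time names, are assumptions for this example; it runs the PR's own PoC input through the hardened path to show that the length check rejects it before the regex is ever evaluated.

```python
import re
import time
from typing import Optional, Tuple

# Regex fragments as they appear in the review diff (pre-PR form of email_group,
# which #7599 restored after the bounded '.{0,254}' variant was reverted).
name_chars = r'[\w!#$%&\'*+\-/=?^_`{|}~]'
unquoted_name_group = fr'((?:{name_chars}+\s+)*{name_chars}+)'
quoted_name_group = r'"((?:[^"]|\")+)"'
email_group = r'<\s*(.+)\s*>'

# ASSUMPTION: this combination (optional display name, then <address>) is a
# stand-in for pydantic's real pretty-email pattern, whose assembly is not shown
# in the thread.
pretty_email_regex = re.compile(
    fr'\s*({unquoted_name_group}|{quoted_name_group})?\s*{email_group}\s*'
)

# The "reasonable length limit" proposed in review.
MAX_EMAIL_LENGTH = 2048

# The PoC input from the PR description: '<' followed by 3000 spaces.
EXPLOIT_STRING = '<' + ' ' * 3000


def parse_pretty_email(value: str, max_length: int = MAX_EMAIL_LENGTH) -> Tuple[Optional[str], str]:
    """Return (display_name, address), or raise ValueError.

    The length check runs BEFORE the regex: for an over-long value the
    backtracking engine is never entered, so the cost is constant no matter
    which filler characters the value is padded with.
    """
    if len(value) > max_length:
        raise ValueError(f'value is too long ({len(value)} > {max_length} characters)')
    m = pretty_email_regex.fullmatch(value)
    if m is None:
        raise ValueError('value is not a valid email address')
    display_name = m.group(2) or m.group(3)   # unquoted or quoted name, if any
    return display_name, m.group(4)


def rejection_time(value: str) -> float:
    """Seconds spent rejecting `value` via the hardened parser (the PR's timing PoC)."""
    start = time.perf_counter()
    try:
        parse_pretty_email(value)
    except ValueError:
        pass
    return time.perf_counter() - start


if __name__ == '__main__':
    print(parse_pretty_email('John Doe <john@example.com>'))
    print(f'Time elapsed for PoC input: {rejection_time(EXPLOIT_STRING):.6f}s')
```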
@allanlewis

allanlewis commented Sep 27, 2023

Will this change be backported to v1?

@samuelcolvin
Member

yes we should, @hramezani please could you backport this to V1 and get a release out?

@allanlewis

Am I right that this fix is included in v1.10.13?

@hramezani
Member

@allanlewis Yes, it is.

@allanlewis

Excellent - thanks for arranging the backport in record time!

@prodigysml
Contributor Author

@samuelcolvin would it be possible to open up a security advisory for this one?

@samuelcolvin
Member

I really don't think it's necessary.
