Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Inefficient Regex #3659

Closed
SCH227 opened this issue Nov 2, 2022 · 3 comments
Closed

[BUG] Inefficient Regex #3659

SCH227 opened this issue Nov 2, 2022 · 3 comments
Labels
bug Needs Triage Issues that need to be evaluated for severity and status.

Comments

@SCH227
Copy link

SCH227 commented Nov 2, 2022

setuptools version

setuptools==65.5.0

Python version

Python 3.10

OS

Kali Linux

Additional environment information

The reported bug should be independent from env

Description

This regex pattern is inefficient.
As described through PSRT channel, it may end in a DoS if an user is fetching malicious HTML from a package in PyPI or custom PackageIndex page.

Expected behavior

Regex matches/not without hanging.
The following regex seems to be performing ok:
<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>

How to Reproduce

Described through PSRT channel

Output

[ hangs forever ]
@SCH227 SCH227 added bug Needs Triage Issues that need to be evaluated for severity and status. labels Nov 2, 2022
jaraco added a commit that referenced this issue Nov 4, 2022
@jaraco
Add test capturing failed expectation. Ref #3659.
5791343
@jaraco jaraco closed this as completed in 43a9c9b Nov 4, 2022
jaraco added a commit that referenced this issue Nov 4, 2022
@jaraco
Update changelog. Ref #3659.
58e23de
@domdfcoding
Copy link
Contributor

Is this only triggerable when using setuptools itself to interact with a package index, or can it be triggered when using pip?

jsf9k added a commit to cisagov/skeleton-generic that referenced this issue Nov 15, 2022
@jsf9k
Add a lower bound for the version of setuptools
51fa6d7 
This is done in response to a recently-discovered vulnerability in
setuptools:
- https://security.snyk.io/vuln/SNYK-PYTHON-SETUPTOOLS-3113904
- https://cwe.mitre.org/data/definitions/1333.html
- pypa/setuptools#3659
@jsf9k jsf9k mentioned this issue Nov 15, 2022
Closed
6 tasks
jsf9k added a commit to cisagov/skeleton-generic that referenced this issue Nov 15, 2022
@jsf9k
Add a lower bound for the version of setuptools
c149b76 
This is done in response to a recently-discovered vulnerability in
setuptools:
- https://security.snyk.io/vuln/SNYK-PYTHON-SETUPTOOLS-3113904
- pypa/setuptools#3659
- https://cwe.mitre.org/data/definitions/1333.html
@Doondondon

This comment was marked as off-topic.

Sign in to view
@jaraco
Copy link
Member

jaraco commented Apr 7, 2023

Is this only triggerable when using setuptools itself to interact with a package index, or can it be triggered when using pip?

I could in theory be triggered using pip if:

  • pip builds a package from source
  • that package is built with setuptools
  • that package has build-time dependencies (setup_requires) that aren't already satisfied in the environment or by pip (either because build-requires isn't declared or the invocation has bypassed the pep 518 behavior to install them).

@faust64 faust64 mentioned this issue Apr 19, 2023
Closed
@rickprice rickprice mentioned this issue May 3, 2023
Merged
This was referenced Sep 28, 2023
Merged
Merged
Merged
Merged
Merged
@bhati-pradeep bhati-pradeep mentioned this issue Nov 17, 2023
Open
jaraco added a commit that referenced this issue Dec 6, 2023
@jaraco
Add attribution for #3659.
dd5f15a
@signal-fyi-local signal-fyi-local bot mentioned this issue Aug 2, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Needs Triage Issues that need to be evaluated for severity and status.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jaraco @domdfcoding @SCH227 @Doondondon